Slashdot Mirror


Researchers Warn Linux Vendors About Cloud-Memory Hacking Trick (thestack.com)

An anonymous Slashdot reader writes: Hacking researchers have uncovered a new attack technique which can alter the memory of virtual machines in the cloud. The team, based at Vrije Universiteit, Amsterdam, introduced the attack, dubbed Flip Feng Shui (FFS)...and explained that hackers could use the technique to crack the keys of secured VMs or install malicious code without it being noticed...

Using FFS, the attacker rents a VM on the same host as their chosen victim. They then write a memory page which they know exists on the vulnerable memory location and let it de-duplicate. The identical pages, with the same information, will merge in order to save capacity and be stored in the same part of memory of the physical computer. This allows the hacker to change information in the general memory of the computer.

The researchers demonstrated two attacks on Debian and Ubuntu systems -- flipping a bit to change a victim's RSA public key, and installing a software package infected with malware by altering a URL used by apt-get. "Debian, Ubuntu and other companies involved in the research were notified before the paper was published, and have all responded to the issue."
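Why a single flipped bit in a stored RSA public key is enough, as an added example that is not code from the article or from the researchers' paper. It models only the cryptographic consequence of the first attack described above (one bit of the victim's modulus changes), not the Rowhammer step that causes the flip: once the corrupted modulus has small or unbalanced factors, the attacker can compute a private exponent for it and the victim's textbook RSA check accepts the forged signature. The key is toy-sized (two 25-bit primes) so it runs instantly; all function names and the sample digest are my own, and `pow(e, -1, m)` needs Python 3.8 or later.

```python
# Added example, not from the article or the FFS paper: the cryptographic
# consequence of one flipped bit in a victim's stored RSA public key.  The
# Rowhammer step that causes the flip is not modelled; key sizes are toy-sized.
import math
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for every n < 3e23."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n):
    """Smallest prime strictly greater than n."""
    c = n + 1
    while not is_prime(c):
        c += 1
    return c

def pollard_rho(n):
    """A non-trivial factor of an odd composite n (Floyd cycle finding)."""
    rng = random.Random(n)  # seeded on n so runs are reproducible
    while True:
        c, x = rng.randrange(1, n), rng.randrange(2, n)
        y, d = x, 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d

def factor(n):
    """Complete factorisation as a sorted list of primes, with repetition."""
    out = []
    for p in SMALL_PRIMES:
        while n % p == 0:
            out.append(p)
            n //= p
    if n == 1:
        return out
    if is_prime(n):
        return sorted(out + [n])
    f = pollard_rho(n)
    return sorted(out + factor(f) + factor(n // f))

def toy_keypair():
    """Victim's key: two 25-bit primes, e = 65537.  Returns (n, e, d, p, q)."""
    e, p = 65537, next_prime(1 << 24)
    q = next_prime(p + 4096)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:
        q = next_prime(q)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1)), p, q

def private_exponent_for(n_mod, e):
    """d with e*d = 1 mod phi(n_mod), or None if e is not invertible there.
    Uses the full factorisation, so it also handles repeated prime factors."""
    fs = factor(n_mod)
    phi = 1
    for p in set(fs):
        phi *= p ** (fs.count(p) - 1) * (p - 1)
    return None if math.gcd(e, phi) != 1 else pow(e, -1, phi)

def forge_signature(n_flipped, e, digest):
    """Attacker: sign under the corrupted modulus, or None if it cannot."""
    d = private_exponent_for(n_flipped, e)
    return None if d is None else pow(digest % n_flipped, d, n_flipped)

def victim_verifies(n_stored, e, digest, sig):
    """Victim: textbook RSA verify against whatever modulus is in memory."""
    return pow(sig, e, n_stored) == digest % n_stored

def exploitable_flips(n, e, digest):
    """Bit positions of n where one flip yields a modulus the attacker can
    factor and sign for, and the victim then accepts the forged signature."""
    hits = []
    for bit in range(n.bit_length()):
        n_flipped = n ^ (1 << bit)
        sig = forge_signature(n_flipped, e, digest)
        if sig is not None and victim_verifies(n_flipped, e, digest, sig):
            hits.append(bit)
    return hits

if __name__ == "__main__":
    n, e, d, p, q = toy_keypair()
    digest = 0x1f3a9c0b7e5d24680ace13579bdf2468  # constructed stand-in for a hash
    hits = exploitable_flips(n, e, digest)
    print("%d-bit modulus, %d exploitable single flips" % (n.bit_length(), len(hits)))
```

The example tries every bit position in both directions, which is more than a real flip gives (a given DRAM cell only flips one way, and only at the positions that happen to be vulnerable); the point is how many positions are usable at all. With 2048-bit keys the attacker cannot run trial division plus Pollard rho like this, but the corrupted modulus is no longer a product of two balanced primes and is routinely factorable with ECM or a sieve, so the algebra carries over unchanged. The defence on the victim side is to keep the public key in memory that cannot be merged with an attacker's pages, which is the host-side point the rest of the thread circles around.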


  1. Saw this on the register by 0xdeaddead · · Score: 2, Funny

    Remember when stuff like this broke here?

    1. Re:Saw this on the register by pregister · · Score: 5, Funny

      No.

  2. Host Your Own. Cloud Experiment Is A Fail. by zenlessyank · · Score: 3, Insightful

    Look, folks, I know you wanted to save cash for your trips to private islands and jet planes, but sometimes you just have to pony up. Trying to have your shit hosted on a 3rd party platform is foolish. There are more important things than saving a quick buck because you didn't want to buy infrastructure. Welp. Too bad.

    1. Re:Host Your Own. Cloud Experiment Is A Fail. by segedunum · · Score: 2

      As soon as you start running servers 24x7 the cloud gets very, very expensive, each and every month. When you have control over your own infrastructure, that progressively gets cheaper over time.

      I can also rent a server or a VPS from a decent service provider cheaper, get more performance out of it and have proper support as opposed to AWS's "You might get your EBS snapshots back in a couple of days".

      The only ones that prefer it in house are the IT folks that sit on their asses all day ignoring the phone.

      Get used to being ignored by your cloud provider. You were stupid enough to give your company to an external provider and they have your arse over a barrel. Also, don't get into any payment difficulties each month or it just won't be there. An external provider will ignore you because they know they can get away with it.

      Cloud services tend to be kept up to date and patched better than the set it up and forget it in-house ones.

      ROTFL. Fuck are they. *You* will be responsible for patching and maintaining your own servers in the cloud. If you want a provider to do that for you they will take a pound of flesh off you.......with no accountability. Good luck. I really don't know where people get the idea from that running to the cloud cuts down on system administration.

  3. I don't get it. by krtek · · Score: 2

    OK, I get the deduplication part to save capacity. But aren't those deduped pages supposed to be treated in CoW manner?

    1. Re:I don't get it. by TechyImmigrant · · Score: 2

      OK, I get the deduplication part to save capacity. But aren't those deduped pages supposed to be treated in CoW manner?

      Waiting for the cow moos guy to chime in.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:I don't get it. by a_n_d_e_r_s · · Score: 4, Informative

      Yes they use Copy on Write. But they use the hardware bug Rawhammer to flip bites without CoW being triggered.

      So it's really an escalation of a hardware bug. So it's not restricted to Linux. It should be able to affect any software running on a multiuser system, regardless of operating system.

      Basically any insecure hardware system affected by Rawhammer is not safe to run multiuser software, since it can be used to manipulate the system.

      --
      Just saying it like it are.
    3. Re:I don't get it. by Ungrounded+Lightning · · Score: 4, Informative

      But they use the hardware bug Rawhammer to flip bites without CoW being triggered.

      ROWhammer - "hammering on" the adjacent rows of the memory in the chip - by reading them repeatedly - which causes charge leakage and occasional bit flips in the adjacent row.

      Because the attacking process is only reading the beside-the-target rows, the OS doesn't think the memory is being changed and thus doesn't decombine the two processes' instance of the page.

      I'm surprised that the system is doing page recombine across multiple VMs. While it makes sense from a total resource standpoint (why should each VM have its own instance of a page of mostly-unchanging RAM?) it also makes performance vary more due to activity in other VMs - as well as opening the rowhammer vulnerability to cross-VM exploit.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    4. Re:I don't get it. by Intron · · Score: 2

      Bull. Try checking facts.
      http://googleprojectzero.blogs...

      --
      Intron: the portion of DNA which expresses nothing useful.
  4. FFS by TechyImmigrant · · Score: 4, Funny

    FFS: I like these researchers. They know a good acronym when they see one.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  5. ASLR by Billly+Gates · · Score: 2

    Windows 7/OpenBSD/MacOSX/Server 2008 R2 and later use virtual RAM addresses that are scrambled to prevent this and injections. This is one of the oldest cracker techniques in the book after buffer overflows. Linux doesn't have this?

    1. Re:ASLR by Anonymous Coward · · Score: 4, Informative

      Linux doesn't have [ASLR]?

      *cough*
      https://en.wikipedia.org/wiki/Row_hammer
      *cough*

      1) Linux has ASLR.
      2) ASLR can't do shit for this, not when it's hammering within an already-allocated block.

      "The proof of concept for this approach is provided both as a native code implementation, and as a pure JavaScript implementation that runs on Firefox 39. The JavaScript implementation, called Rowhammer.js, uses large typed arrays and relies on their internal allocation using large pages; as a result, it demonstrates a very high-level exploit of a very low-level vulnerability."

      Randomization of accesses _within_ an allocated block would be next-level shit... stuff that would have a _large_ perf hit and that no widely-used OS does. It's still not clear that that would mitigate Rowhammer... just make it a bit more difficult.

    2. Re:ASLR by CRC'99 · · Score: 2

      You just fail to understand the problem that has nothing to do with ASLR. Please read about virtual machines and memory de-duplication.

      ... and is exactly why you don't deduplicate RAM when hosting VMs...

      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
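The host-side check behind the two comments above (Ungrounded Lightning's surprise that pages are recombined across VMs, and CRC'99's "you don't deduplicate RAM when hosting VMs"), as an added example that is not code from the article or from any commenter. On Linux the cross-VM merging is done by KSM (kernel samepage merging), controlled through the real sysfs directory `/sys/kernel/mm/ksm/`: `run` is 0 for stopped, 1 for running, 2 for stop and unmerge everything, and `pages_shared`/`pages_sharing` count merged pages and the extra mappings pointing at them. Guest memory only becomes mergeable when the hypervisor marks it so (QEMU/KVM does unless started with `-machine mem-merge=off`), but stopping KSM on the host removes the merge step for every guest at once. The function names and the verdict strings are mine.

```python
# Added example, not from the article or the commenters: inspect and, if
# wanted, disable KSM on a KVM host.  Reads the real sysfs files under
# /sys/kernel/mm/ksm; the function names and messages are this example's own.
import os

KSM_DIR = "/sys/kernel/mm/ksm"  # real sysfs path on Linux hosts

def read_ksm(ksm_dir=KSM_DIR):
    """Raw counters from sysfs; 'present' is False where the kernel has no KSM."""
    def read_int(name):
        try:
            with open(os.path.join(ksm_dir, name)) as fh:
                return int(fh.read().strip())
        except (OSError, ValueError):
            return None
    run = read_int("run")
    if run is None:
        return {"present": False, "run": None, "pages_shared": 0, "pages_sharing": 0}
    return {"present": True, "run": run,
            "pages_shared": read_int("pages_shared") or 0,
            "pages_sharing": read_int("pages_sharing") or 0}

def assess(state):
    """Return (risky, message).  run: 0 = ksmd stopped, 1 = running, 2 = unmerge."""
    if not state["present"]:
        return False, "no KSM in this kernel: nothing to disable"
    if state["run"] == 1:
        return True, ("KSM running: %d merged pages with %d extra mappings; "
                      "identical pages from different VMs can be combined"
                      % (state["pages_shared"], state["pages_sharing"]))
    if state["pages_sharing"] > 0:
        return True, ("ksmd stopped but %d mappings still share pages; "
                      "write 2 to run to unmerge them" % state["pages_sharing"])
    return False, "KSM off and nothing merged"

def disable_ksm(ksm_dir=KSM_DIR):
    """Stop ksmd and unmerge all shared pages (needs root).  True on success."""
    try:
        with open(os.path.join(ksm_dir, "run"), "w") as fh:
            fh.write("2\n")
        return True
    except OSError:
        return False

if __name__ == "__main__":
    risky, msg = assess(read_ksm())
    print(("RISK: " if risky else "ok: ") + msg)
```

Writing 2 is the right value rather than 0: 0 only stops the scanner and leaves already-merged pages shared, so an attacker's page that is already sharing a frame with a victim page stays co-located. On RHEL-family hosts the `ksm` and `ksmtuned` services turn the scanner back on at boot, so the unit files have to be disabled as well, and the change costs the memory savings KSM was providing.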
  6. Re:defective memory is defective by gweihir · · Score: 2

    It is. But AFAIK rowhammer has only been demonstrated against laptops. Laptops often have slowed-down refresh cycles to conserve power. That is what makes rowhammer possible in the first place.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. Linux FIRST to implement ASLR. by tpgp · · Score: 4, Interesting

    OK, I know you're trolling, but in case anyone is stupid enough to believe you:

    From Wikipedia's ASLR page:

    History

    The Linux PaX project first coined the term "ASLR", and published the first design and implementation of ASLR in July 2001. It is seen as the most complete implementation, providing also kernel stack randomization since October 2002. Compared to other implementations, it is also seen to provide the best layout randomization.

    --
    My pics.
  8. how does this work by samantha · · Score: 3, Insightful

    How does the attacker know what memory pages are what in the target's VM space? That seems like quite a trick. Or is Amazon sharing various pages among all machines that are known to the public somehow? I am not a cracker myself so I don't really get how the attacker has this information.