Slashdot Mirror


New Cloud Attack Takes Full Control of Virtual Machines With Little Effort (arstechnica.com)

C3ntaur writes: The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It's a technique that's so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment. Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened. While previous research demonstrated that it could be used to elevate user privileges and break security sandboxes, most people studying Rowhammer said there was little immediate danger of it being exploited maliciously to hijack the security of computers that use vulnerable chips. The odds of crucial data being stored in a susceptible memory location made such hacks largely a matter of chance that was stacked against the attacker. In effect, Rowhammer was more a glitch than an exploit. Now, computer scientists have developed a significantly more refined Rowhammer technique they call Flip Feng Shui. It manipulates deduplication operations that many cloud hosts use to save memory resources by sharing identical chunks of data used by two or more virtual machines. Just as traditional Feng Shui aims to create alignment or harmony in a home or office, Flip Feng Shui can massage physical memory in a way that causes crypto keys and other sensitive data to be stored in locations known to be susceptible to Rowhammer. The research paper titled "Flip Feng Shui: Hammering a Needle in the Software Stack" can be read here.

2 of 34 comments

  1. Defective RAM is defective by Anonymous Coward · Score: 4, Interesting

    Rowhammer in all its incarnations is not the problem. If you are vulnerable to such attacks it is because your RAM is defective. Can we stop pretending this is an exploit we need elaborate schemes to protect against and just call it what it is: crappy products that need to be replaced, from manufacturers that need to be held accountable for it.

  2. Not that easy by Barnoid · Score: 4, Interesting

    It's an interesting idea and nicely carried out, but in the real world I doubt this is of much concern. For the attack to be successful, all of the following must hold:
    1. memory susceptible to rowhammer attack (in itself not trivial - only a few given memory locations can be flipped)
    2. VM manager merges physically identical pages of unrelated VMs (i.e., the identical memory pages of different VMs point to the same physical page)
    3. attacker VM must know the contents of the page in the victim VM
    4. attacker must register a page with the to-be-attacked contents before the victim VM does so that it can somewhat control its physical location and use rowhammer on it

    Especially #3 is not easy. In the paper, the authors assume they know all SSH authorized keys of the victim page which seems a bit far-fetched. Pages holding OS contents are easier to guess; I think an attack on those is more probable.

    Also, the fix is trivial. Don't buy cheap RAM that can be attacked with rowhammer for your data centers.
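The two host-side preconditions in the list above (pages being merged across VMs, and memory without ECC) are the ones an operator can actually check. The following audit script is an added example, not code from the comment or from the Flip Feng Shui paper; it assumes a Linux/KVM host where cross-VM page merging is done by the kernel's KSM feature (exposed under /sys/kernel/mm/ksm) and where an active EDAC memory controller under /sys/devices/system/edac/mc is taken as the sign that ECC is enabled. Every function takes a sysfs root so it can be run against a constructed tree as well as a live host.

```shell
# ksm_state <sysfs_root>: prints "on", "off" or "absent".
# /sys/kernel/mm/ksm/run holds 0 (stopped), 1 (running) or 2 (stop and unmerge).
ksm_state() {
    f="$1/sys/kernel/mm/ksm/run"
    [ -r "$f" ] || { echo absent; return; }
    case "$(cat "$f")" in
        1) echo on ;;
        *) echo off ;;
    esac
}

# ksm_shared_pages <sysfs_root>: pages currently merged by KSM (0 if unknown).
ksm_shared_pages() {
    f="$1/sys/kernel/mm/ksm/pages_shared"
    [ -r "$f" ] && cat "$f" || echo 0
}

# edac_present <sysfs_root>: "yes" when the EDAC layer has registered at least
# one memory controller (mc0, mc1, ...), which is how ECC normally shows up.
edac_present() {
    for d in "$1"/sys/devices/system/edac/mc/mc*; do
        [ -d "$d" ] && { echo yes; return; }
    done
    echo no
}

# audit <sysfs_root>: one-line summary; returns 1 when both risky conditions
# hold at once (deduplication running and no ECC reported), 0 otherwise.
audit() {
    k=$(ksm_state "$1"); e=$(edac_present "$1")
    echo "ksm=$k shared_pages=$(ksm_shared_pages "$1") edac=$e"
    [ "$k" = on ] && [ "$e" = no ] && return 1
    return 0
}

# Mitigation on a live host (as root): writing 2 stops ksmd and unmerges every
# page it has already shared, so no two VMs keep pointing at one physical page.
#   echo 2 > /sys/kernel/mm/ksm/run

# Live run against the real sysfs tree:
# audit ""
```

The pages_shared counter is the quickest way to see whether merging has actually happened on a host, not just whether it is switched on.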