Powerful Bit-Flipping Attack

New research: “Flip Feng Shui: Hammering a Needle in the Software Stack,” by Kaveh Razavi, Ben Gras, Erik Bosman, Bart Preneel, Cristiano Giuffrida, and Herbert Bos.

Abstract: We introduce Flip Feng Shui (FFS), a new exploitation vector which allows an attacker to induce bit flips over arbitrary physical memory in a fully controlled way. FFS relies on hardware bugs to induce bit flips over memory and on the ability to surgically control the physical memory layout to corrupt attacker-targeted data anywhere in the software stack. We show FFS is possible today with very few constraints on the target data, by implementing an instance using the Rowhammer bug and memory deduplication (an OS feature widely deployed in production). Memory deduplication allows an attacker to reverse-map any physical page into a virtual page she owns as long as the page’s contents are known. Rowhammer, in turn, allows an attacker to flip bits in controlled (initially unknown) locations in the target page.

We show FFS is extremely powerful: a malicious VM in a practical cloud setting can gain unauthorized access to a co-hosted victim VM running OpenSSH. Using FFS, we exemplify end-to-end attacks breaking OpenSSH public-key authentication, and forging GPG signatures from trusted keys, thereby compromising the Ubuntu/Debian update mechanism. We conclude by discussing mitigations and future directions for FFS attacks.
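
The RSA half of the attack, as an added example that is not code from the paper or from this post: the attacker does not get to choose which bit of the victim's stored modulus n flips, but the corrupted modulus n' is no longer a product of two large primes, so it is usually easy to factor, and knowing the factorization of n' gives a private exponent that verifies under (n', e). The deduplication and Rowhammer steps that place the flip in the victim's page are not modeled here. The key size (two 32-bit primes), e = 65537 and the message are assumptions chosen so that pure-Python factoring finishes instantly; real 2048-bit keys need ECM and the attacker keeps only the flips that factor.

```python
# Added example, not code from the paper or this post: the RSA half of Flip
# Feng Shui. The attacker does not choose which bit of the victim's stored
# modulus n flips, but the corrupted n' is no longer a product of two large
# primes, so it is usually easy to factor, and its factorization yields a
# private exponent d' that verifies under (n', e). Toy parameters (two 32-bit
# primes, e = 65537, the message) are assumptions for illustration only.
import math
import random

E = 65537


def is_probable_prime(n, rounds=20):
    """Miller-Rabin with an rng seeded from n, so answers are repeatable."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_keypair(bits=32, seed=7):
    """Victim key n = p*q with p, q of `bits` bits each; returns (n, e, d)."""
    rng = random.Random(seed)

    def prime():
        while True:
            c = rng.getrandbits(bits) | 1 << (bits - 1) | 1
            if is_probable_prime(c):
                return c

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return p * q, E, pow(E, -1, phi)


def pollard_rho(n):
    """A non-trivial factor of composite n (Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    rng = random.Random(n)
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d


def factorize(n):
    """Full factorization of n as {prime: exponent}."""
    factors, stack = {}, [n]
    while stack:
        m = stack.pop()
        if m == 1:
            continue
        if is_probable_prime(m):
            factors[m] = factors.get(m, 0) + 1
        else:
            d = pollard_rho(m)
            stack += [d, m // d]
    return factors


def flip_bit(n, i):
    """A single Rowhammer-style flip of bit i in the stored modulus."""
    return n ^ (1 << i)


def private_exponent(n_prime, e):
    """d' = e^-1 mod phi(n'), or None when e is not invertible; such flips are
    useless to the attacker and skipped (the paper discards them too)."""
    phi = 1
    for p, k in factorize(n_prime).items():
        phi *= (p - 1) * p ** (k - 1)
    return pow(e, -1, phi) if math.gcd(e, phi) == 1 else None


def forge_signature(n_prime, e, m):
    """Sign m under the corrupted modulus; a verifier holding (n', e) accepts it."""
    d_prime = private_exponent(n_prime, e)
    return None if d_prime is None else pow(m, d_prime, n_prime)


def demo(seed=7, message=0xC0FFEE):
    """Try flips bit by bit until one yields a usable n'; report what happened."""
    n, e, _d = toy_keypair(seed=seed)
    for bit in range(n.bit_length()):
        n_prime = flip_bit(n, bit)
        m = message
        while math.gcd(m, n_prime) != 1:  # keep m coprime to n' so Euler's theorem applies
            m += 1
        s = forge_signature(n_prime, e, m)
        if s is not None and pow(s, e, n_prime) == m:
            return {"n": n, "n_prime": n_prime, "bit": bit, "factors": factorize(n_prime),
                    "message": m, "signature": s, "forged_ok": True}
    return {"n": n, "forged_ok": False}
```

Running `demo()` shows the point the abstract makes about "very few constraints on the target data": almost any flipped bit of the modulus gives the attacker a key pair the victim's verifier accepts, because the corrupted public key is still a perfectly valid RSA public key, just one whose factorization is cheap.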

Posted on August 16, 2016 at 7:09 AM • 41 Comments

Comments

jojacvk August 16, 2016 7:37 AM

“virtual page she owns”

She? eyebrow raise

Exploits have become so sophisticated and available to those “that know where to look” that I ponder the worth of using a computer any longer.

Couldn'tPossiblyComment August 16, 2016 8:03 AM

I’d be interested to hear from someone with more in-depth knowledge of this area than I (perhaps Clive Robinson will be striding down from Olympus shortly, as this sounds like his sort of area). I’ve long held the belief that checksums, parity checks, and the like should be fundamental parts of our hardware & software (which often get skipped due to overhead), and this appears to be further evidence of that.

If I’ve read correctly, this attack is predicated on an existing hardware vulnerability (Rowhammer). I would have naively expected most major cloud providers, the seemingly likely targets of this sort of attack, to be using ECC RAM, which appears to at least partially mitigate the Rowhammer attack. Do major virtualization providers really run RAM that has no checking at all?

@jojacvk I have come across numerous articles that give the attacker’s gender as ‘she’ courtesy of the classic ‘Alice, Bob, Eve’ placeholder identities. Given the type of attack, I believe the correct placeholder could be Trudy/Mallory, and thus is a touch more ambiguous. One might equally raise eyebrows over ‘he’ but then we’re into the politically correct zone of neutral pronouns and frankly, academic papers should have better things to do.

Winston Smith August 16, 2016 8:16 AM

As for the Flip Feng Shui attack… its scope is impressive and frightful.

ECC memory can reduce the attack surface against Rowhammer, and multi-ECC memory even more so. But, the best hardware solution, the paper reports, is:

“A more promising technology is directed row refresh, which is implemented in low-power DDR4 [7] and some DDR4 implementations.”

For a software mitigation, the paper recommends to disable memory deduplication, but this is not practical in all situations.

@jojacvk

“She” is politically correct these days; even ‘progressive’ (in a self-congratulatory way) to describe territory dominated by men. Just be glad we’re not dealing with “ze”, “zir”, and Facebook’s 58 genders on a wholesale scale. Personally, I won’t/can’t participate in that circus. Language is important… just read “1984”.

Facebook’s Gender Options: http://abcnews.go.com/blogs/headlines/2014/02/heres-a-list-of-58-gender-options-for-facebook-users/

Max August 16, 2016 9:07 AM

Very clever. This is something that can’t be ignored by anyone running a multiuser system.

Tom August 16, 2016 9:45 AM

This is way over my head.
Isn’t it like lock-picking the hotel room next door by knocking on the wall in a certain way?

Winter August 16, 2016 10:19 AM

“She” is politically correct these days;

Indeed, but in this case it might be historically correct, computers used to be women.

David Leppik August 16, 2016 10:37 AM

@jojacvk: I think the use of ‘she’ as gender neutral peaked in the 1990s, but is still popular. More common these days is the singular ‘they’, which has the advantage of being actually gender neutral, and although it sounds like a grammatical mistake, it has been used since at least Shakespeare.

bcy August 16, 2016 11:57 AM

You complain how academics waste their time on adding a single letter in front of a pronoun, yet this seems as important to talk about as the actual research. If it is so unimportant, why not ignore it? Okay, I’m guilty of this right now too by posting this comment, but every time I go on a serious website with some audience, this stupid topic subject pops up almost every time, especially on tech websites, as if it were a major problem. I wonder why some people are so bothered by a single supposedly totally unimportant and useless letter. Do you think this is the first step before teh evil feminists ruin computer security forever?

Tim August 16, 2016 1:02 PM

Personally, I prefer (s)?he, which covers all the bases. …the biological ones anyway.

((s)?h|z)e gets hard to read.

Terry Cloth August 16, 2016 2:55 PM

I started using `she’ as a neutral pronoun about fifteen years ago. I figure `he’ has had roughly a millennium of usage, so maybe we can have a consensus on a new, really neutral one, by about 3000.

Uh-huh, Uh-huh August 16, 2016 3:24 PM

Yeah, let’s all immediately get to work on a Greasemonkey userscript that uses regEx to auto-replace every personal pronoun on the net with Facebook’s 58 genders. Only in this way can we maintain truly civilized discourse.

Alternatively, we could just use “it”.

WhiskersInMenlo August 16, 2016 3:58 PM

@Couldn’tPossiblyComment
“I’d be interested to hear from someone with more in-depth knowledge of this area than I (perhaps Clive Robinson will be striding down from Olympus shortly, as this sounds like his sort of area). I’ve long held the belief that checksums, parity checks, and the like should be fundamental parts of our hardware & software (which often get skipped due to overhead), and this appears to be further evidence of that.”

I am out of my depth but parity alone is insufficient.
While a single bit might be noticed, double bit changes could go undetected in a byte.

What is needed is an ECC syndrome that allows correction in addition to detection.
A number of system data paths should have ECC and DRAM is one. Demand ECC
on all server hardware and ask for it on all desktop and laptops.

This is ugly because one VM can inflict damage on another VM guest.
Pay for dedicated hardware.

Guest systems can read their own pages and build tables of syndrome data
that can be used to detect problems but perhaps not in the detection code… 🙁

The Row hammer bug has some solutions and local code changes to target
software like sshd/ssh could lower the risk.
https://en.wikipedia.org/wiki/Row_hammer
Pick quality hardware…
There are two defects leveraged here… either can be eliminated or minimized.
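
An added example (not from the comment thread) of the distinction drawn above between parity and a correcting code, in Python: one parity bit per byte reports an odd number of flipped bits and is blind to two, while a SECDED (single-error-correcting, double-error-detecting) extended Hamming code over a 64-bit word corrects any single flip and flags any double flip as uncorrectable. The (72,64) layout, 7 check bits plus one overall parity bit, is assumed here because it is the classic DRAM ECC word; real memory controllers use a variety of codes. Three or more flips can still be miscorrected, which is why ECC is described above as only partially mitigating Rowhammer.

```python
# Added example, not code from the comment thread: parity versus SECDED ECC.
# A single parity bit catches an odd number of flipped bits and misses an even
# number. An extended Hamming code over a 64-bit word, 7 check bits at the
# power-of-two positions plus an overall parity bit at position 0 (the (72,64)
# layout assumed here), corrects one flip and detects two.

DATA_BITS = 64
CHECK_BITS = 7                       # 2**7 >= 64 + 7 + 1
CODE_LEN = DATA_BITS + CHECK_BITS    # positions 1..71; position 0 = overall parity


def parity_detects(byte, flipped_positions):
    """Does one parity bit stored alongside `byte` notice the given flips?"""
    stored = bin(byte).count("1") & 1
    for p in flipped_positions:
        byte ^= 1 << p
    return (bin(byte).count("1") & 1) != stored


def hamming_encode(data):
    """Return the 72-bit codeword as a list of bits indexed by position 0..71."""
    code = [0] * (CODE_LEN + 1)
    di = 0
    for pos in range(1, CODE_LEN + 1):
        if pos & (pos - 1):              # not a power of two: a data position
            code[pos] = (data >> di) & 1
            di += 1
    for i in range(CHECK_BITS):          # check bit 2**i covers positions with bit i set
        p = 1 << i
        code[p] = sum(code[pos] for pos in range(1, CODE_LEN + 1) if pos & p) & 1
    code[0] = sum(code) & 1              # overall parity over positions 1..71
    return code


def flip_bits(code, positions):
    """Model Rowhammer flips at the given codeword positions (0 = parity bit)."""
    code = list(code)
    for p in positions:
        code[p] ^= 1
    return code


def hamming_decode(code):
    """Return (status, data); status is 'ok', 'corrected' or 'uncorrectable'."""
    code = list(code)
    syndrome = 0
    for pos in range(1, CODE_LEN + 1):   # XOR of the positions holding a 1
        if code[pos]:
            syndrome ^= pos
    overall_odd = sum(code) & 1          # parity of all 72 bits; even when clean
    if syndrome == 0 and not overall_odd:
        status = "ok"
    elif overall_odd:                    # odd number of flips: assume exactly one
        if syndrome > CODE_LEN:          # three or more flips can land here
            return "uncorrectable", None
        code[syndrome] ^= 1              # syndrome 0 means the parity bit itself flipped
        status = "corrected"
    else:                                # even flips, nonzero syndrome: two (or more)
        return "uncorrectable", None
    data, di = 0, 0
    for pos in range(1, CODE_LEN + 1):
        if pos & (pos - 1):
            data |= code[pos] << di
            di += 1
    return status, data


if __name__ == "__main__":
    word = 0x0123456789ABCDEF
    cw = hamming_encode(word)
    print(hamming_decode(flip_bits(cw, [13])))        # ('corrected', 81985529216486895)
    print(hamming_decode(flip_bits(cw, [13, 58])))    # ('uncorrectable', None)
    print(parity_detects(0b10110010, [3, 6]))         # False: two flips slip past parity
```

The decode path is where the comment's caveat shows up: the controller only learns something went wrong when the syndrome and the overall parity disagree, and an attacker who can land two flips in one word gets a detected-but-uncorrectable error (typically a machine check or a killed guest) rather than a silent corruption, while a single flip is repaired transparently.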

WhiskersInMenlo August 16, 2016 4:06 PM

@Terry Cloth
“I started using `she’ as a neutral pronoun …..”

What if we invented a pronoun “e”.
Saves ink and lowers character counts.

Something like:
E knows what I want.

I went to the bookstore and e was buying one of Bruce’s books for some cryptic reason.

yoshii August 16, 2016 4:57 PM

Quote: “Exploits have become so sophisticated and available to those “that know where to look” that I ponder the worth of using a computer any longer.”

Attribution: jojacvk • August 16, 2016 7:37 AM

jojacvk, I tend to agree with you about that. It really only takes reading a few articles and watching a few videos to come to that same prognosis.

I used to say, “computers are much better at changing information than storing it”.
But at this rate, all the data from input to output is turning into garbage potentially.

Of course, if we aren’t purists, we can still get work done, of course, using computers. But the exploits invented have a way of injecting uncertainty into the workflow.

And the input and outputs aren’t actually pure garbage yet. But what’s the point of going digital instead of analog if the digital noise level gets to be so high.

It may not matter if the noise levels are so small, but from a metadata (defined loosely) standpoint, if that metadata is used to implement horrible activities around the world and locally, that seems bad. Of course some currently use the metadata to prevent horrible activities around the world and locally, and that seems good, also. So, yes, the paradox is there until the whole medium changes.

Jessica B August 16, 2016 9:28 PM

according to regular poster @ianf, the issue with naming gender has already been solved. Legally and officially the word hen is the neutral pronoun, also useful if gender is actually unknown.
@ianf learnt this from Saga Noren, who explained this fact in episode 2 series 3 of the television series The Bridge, set in Malmo, Sweden
True story

r August 16, 2016 9:41 PM

@Jessica B,

It all makes sense to me now.

Heshe must’ve been why somebody tried voting him off the I, land.

Nick P August 16, 2016 9:52 PM

@ Jessica

That’s Swedish. Then Greek I learned long ago has the neuter form. Taught me where an English word came from. (shudders) Unfortunately, we don’t have one here in U.S. that’s socially acceptable. Nobody is going to fix the root problem of English language having gender built-in. It’s either defy P.C. admonishment outright or use three words instead of one to appease them. I usually choose defiance given it’s usually an attempt by someone to exert power or superiority over me. Gotta remind them “I’m nobody’s bitch!” 😉

Wael August 16, 2016 10:03 PM

@Nick P, @Jessica,

I try to use a plural form or the gender-neutral, indefinite pronoun “one”. Makes it cumbersome at times, but looks less clumsy than the s/he construct. Some textbook authors of late switch between he and she throughout the text.

Nick P August 16, 2016 10:10 PM

@ Wael

That’s what I was forced to use in college. I didn’t know it was a pronoun so much as an accepted standard. Funny side note: the video I linked was from The One. Too few options in pronouns to be a synchronicity, though. 😉

Wael August 16, 2016 10:27 PM

@Nick P,

You and your ESP! 🙂 I wonder where @Buck went! Since he took that email challenge from a link you provided, he disappeared! I hope all is well with “hen” — see! Can’t use plural or “one” in this situation, and it’s inappropriate to use “it”!

Clive Robinson August 17, 2016 3:53 AM

@ Nick P,

Nobody is going to fix the root problem of English language having gender built-in.

Actually you need to consider where English got the bad habit from… It inherited it from continental European languages. Some of which have gender for just about all inanimate objects that have been around for more than a hundred years or so.

But as Wael has pointed out there is “one” which has the downside of sounding pompous ie “One does not carry one’s bags…”. Or “they” which makes you sound detached or impersonal ie “they chose to press the big red button”. But few realise that along with “it” you can also use “that” both of which sound insulting ie “it did something it should not have!”, or “does that always scratch in public?”. Thus you can have an ambiguous “I guess that has put me on the list”, which can have the ambiguity removed by adding either a question “?” or exclamation “!” mark at the end of the sentence.

It’s all a matter of getting the real message across 0:)

Wael August 17, 2016 4:08 AM

@Them,

It’s fine only if you wish them all well. I’m not sure I share your sentiment 🙂

tyr August 17, 2016 4:58 AM

You can always use the contracted version of
s/he/it if you want to offend everyone while
appearing to be concerned about multigender
issues.

It is handy for labelling the PC toiletry
system “Sh*t Here” is less ambiguous.

Will August 17, 2016 5:25 AM

I am surprised that deduplication isn’t also widely used on desktop and mobile systems too. As Android’s Zygote hints, apps have a lot of duplicate writeable pages in them and a COW would be useful.

Given a desktop or mobile with deduplication, suddenly malicious Javascript in a webpage would be able to perform this attack too.

The paper focuses on attacking cryptographic data for maximum impact, but another wide easy attack surface is code pages. Very predictable contents, very profitable to flip a few bits and get a privileged service to run the mutated code.

ianf August 17, 2016 6:25 AM

@ J B – is that you, Jessica? It’s me, ianf.

Wrote Jessica B

[…] “Legally and officially the word hen is the neutral pronoun, also useful if gender is actually unknown.”

Provide that legal/ official reference, please. All I’ve seen are use cases that seem to be anchored in British idiom of “hen” = “chick” = “grrrl” (hen as in “hen party;” there are no girls anymore, they go straight from grrrls to women, and ~/whoami ianf to argue?) Then that hen flew the coop to Scandinavia.

Also saw one stupid TV “the times we live in” documentary in which a young Swedish mother elected to bring up her son (I think) as a truly genderless individual, so named it something neutral, referred to it as “hen,” dressed it up in unisex clothing, cut its hair in either-way fashion, and sent it to a “genderless” primary school, presumably filled ONLY with equal eunuch-y children. I shiver at the thought of the level of aggro that that child will meet when it reaches real-life school age. The sole redeeming factor was that the British interviewer, who couldn’t wrap her head around the concept, sported impressive mammaries, a deuce in fact! This comes to mind:

David Brent: You do not punish Dutch, or any girls, for having big breasts.
Garreth Keenan: They should be rewarded.
D.B.: They should be equal, I always said so.

Continues Jessica […] “ianf [ALLEGEDLY] learnt this from Saga Noren who explained this fact in episode 2 series 3 of television series The Bridge based in Malmo Sweden
True story”

How so, “true?” I don’t recall ever writing about Saga N. in any personal pronoun context. Maybe you could point me to where I might have done so? (Alternatively, you can use the Clive Robinson’ian GoogleFigLeaf™, method, where, in lieu of coughing up a pointer, you INSTRUCT me in the ART of how to find it by searching this blog in Gurgle with the correct keywords. If Clive can, so can you).

CarpetCat August 17, 2016 10:40 AM

You know the world has gone mad when the politically correct tell you that your hard-earned self-sewn girlsuit isn’t gender neutral. All that kidnapping, for naught!

And now that I have annointed my(it)self in the pot of offtopicness (one of us, one of us) I(t) would like to encourage all ya all to get back to bit flipping talk and away from…from whatever else this is. Harumph.

Istvan Chung August 17, 2016 12:35 PM

This thread is quite disturbing to me. It seems to me that you would have had no problem with “he”, but cannot imagine the attacker being anything other than male. Being “anti-politically-correct” is hardly an excuse for this behavior.

r August 17, 2016 1:01 PM

@Istvan Chung,

While I understand your concerns, may we (royal, I) point out that a) It’s unlikely (consider the (lack of) penetration into the tech sector women actually have) and b) considering the saturation of men in the tech sector consider it a reflection of the ‘royal we’.

I’m not saying we(‘re) royalty, but it’s an english(?) statement of inclusion.

I wouldn’t actually consider it sexist (then again it may be and I’m biased as male), but the politically correct crowd (PC) may actually fixate on it – as a man I have no problems with people using ‘she’. We have at least one specific instance of that around here, so like I said – I think complaining about a simple genderized inclusive statement borne out of the habit from the current ratio of male to female in the tech sector is a bit silly. But at least where I’m concerned please don’t take he or him as anything less than we/them/us/they, substitute what you want just please don’t sanitize/neuter our gender.

r August 17, 2016 1:03 PM

@Istvan Chung,

Another thing, at least during some time in the recent past we referred to computers and robots in a female sense (she, her etc). Where are the arms against that sort of implied subjugation?

Nick P August 17, 2016 1:11 PM

@ tyr

That’s actually a good point. I forgot about that one. It’s quick to type. Thanks.

@ Istvan

I have no problem with any of them. Even “he” doesn’t actually mean it’s a guy. The tradition is it’s used to mean an arbitrary person in one context, a guy in general in another, or a specific guy in another. My problem is when people (a) declare I must be sexist for using it the traditional way, (b) must use a specific alternative they constructed, and (c) shame or penalize me otherwise. Interesting enough, their own construct (he or she) is sexist given it implies sex is binary. I’m sure hermaphrodites enjoy that the leftists think they don’t exist or their gender identity is a solved problem. The subset of transgender people who view gender as a spectrum that they modify at will could be offended. The phrase meant to avoid “excluding people” actually excludes people itself by definition. They’ve also always dismissed this response instead of countered it logically by showing hermaphrodites or all transgender people are clearly one or other gender.

So, this P.C. stuff is all BS that’s usually one person or group A attempting to force other person or group B to follow their beliefs. To exert power over them. Many who will do this over alleged sexism in language will do it for many other topics. Censorship, rhetorical attacks, shaming, and going after people’s jobs is next step for more aggressive ones. We call them SJW’s. They preach tolerance of differences and fight the “intolerant,” but they don’t tolerate what’s different from them. Hence the strong resistance you see. Nice article here on their tactics.

Jessica B August 17, 2016 8:27 PM

@ ianf

@ J B – is that you, Jessica? It’s me, ianf.

interesting response

duckduckduckduckgo is a crap search engine. and it does a very poor job of searching the comments fields on this website. I can’t imagine it does much for privacy anyway but it’s what Bruce wants.

Anyway, for those who don’t trust google and find other search engines inadequate or at risk of backdoors. Similar to what people do with crypto – using OTP etc – You can do what I do now and conduct all internet searches with a pencil and paper. It takes longer but it’s safer

Thus, I am not able to provide you a link to your own words on this site. You dont post much anyway so it would be hard to locate.

But the general gist was, a few people thought ‘The Bridge’ was crap, unrealistic, didn’t like the female protagonist, felt she would never be employed as a police officer etc. But you strongly disagreed, loved the show, pointed out a variety of components you related to and enjoyed, and tied them in with real world security etc, also highlighted the aptitude and uniqueness of Saga Noren.
That was it, in essence
and from there you went on to explain about ‘hen’ and how you learnt the word from the show – season 3 – it came up in an episode

Qoheleth August 21, 2016 4:20 PM

Cool derail.

Anyway, the original “rowhammer is a viable attack” Google blogpost mentions that there was already (as of early 2015) hardware available that makes rowhammer harder in practice. It’s in LPDDR4, Samsung was advertising it back in 2014, & so on. Sure, no guarantees, mitigation is all probabilistic. But even if it’s harder = need to try a long time to make it happen = hypervisor can detect, right?

Disturbing, scary, but not intractable assuming people have been keeping up with the latest state of the art stormclouds. As with most attacks, it started off theoretical (Yoongu Kim @CMU in 2014), then became more (Project Zero attack) and more (this attack) practical.

Hence, gameplan same as always. Keep your defences up to date, and that includes hardware defences. Try to prevent, but also try to detect that your prevention has failed. & so on.

Best wishes.
