New cloud attack takes full control of virtual machines with little effort

Existing crypto software “wholly unequipped” to counter Rowhammer attacks.

The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It's a technique that's so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment.

Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened. While previous research demonstrated that it could be used to elevate user privileges and break security sandboxes, most people studying Rowhammer said there was little immediate danger of it being exploited maliciously to hijack the security of computers that use vulnerable chips. The odds of crucial data being stored in a susceptible memory location made such hacks largely a matter of chance that was stacked against the attacker. In effect, Rowhammer was more a glitch than an exploit.

Now, computer scientists have developed a significantly more refined Rowhammer technique they call Flip Feng Shui. It manipulates deduplication operations that many cloud hosts use to save memory resources by sharing identical chunks of data used by two or more virtual machines. Just as traditional Feng Shui aims to create alignment or harmony in a home or office, Flip Feng Shui can massage physical memory in a way that causes crypto keys and other sensitive data to be stored in locations known to be susceptible to Rowhammer.

DRAM bitflipping exploits that hijack computers just got easier

Approach relies on already installed code, including widely used glibc library.

New research into the "Rowhammer" bug that resides in certain types of DDR memory chips raises a troubling new prospect: attacks that use Web applications or booby-trapped videos and documents to trigger so-called bitflipping exploits that allow hackers to take control of vulnerable computers.

The scenario is based on a finding that the Rowhammer vulnerability can be triggered by what's known as non-temporal code instructions. That opens vulnerable machines to several types of exploits that haven't been discussed in previous research papers. For instance, malicious Web applications could use non-temporal code to cause code to break out of browser security sandboxes and access sensitive parts of an operating system. Another example: attackers could take advantage of media players, file readers, file compression utilities, or other apps already installed on Rowhammer-susceptible machines and cause the apps to trigger the attacks.

As Ars has previously reported, Rowhammer exploits physical weaknesses in certain types of DDR memory chips to reverse the individual bits of data they store. By repeatedly accessing small regions of memory many times per second, code can change zeroes to ones and vice versa in adjacent regions. These changes occur even though the exploit code doesn't access, and doesn't have access rights to, the adjacent regions. The bug took on the name Rowhammer, because when the code figuratively clobbers one or more rows of memory cells, it causes bitflips in a neighboring cell.

Once thought safe, DDR4 memory shown to be vulnerable to “Rowhammer”

New research finds “bitflipping” attacks may pose more risk than many admit.

Researchers were able to reproduce bit-flipping attacks on Crucial Ballistix DDR4 DIMMs like those shown here.

Physical weaknesses in memory chips that make computers and servers susceptible to hack attacks dubbed "Rowhammer" are more exploitable than previously thought and extend to DDR4 modules, not just DDR3, according to a recently published research paper.

The paper, titled How Rowhammer Could Be Used to Exploit Weaknesses in Computer Hardware, arrived at that conclusion by testing the integrity of dual in-line memory modules, or DIMMs, using diagnostic techniques that hadn't previously been applied to finding the vulnerability. The tests showed many of the DIMMs were vulnerable to a phenomenon known as "bitflipping," in which 0s were converted to 1s and vice versa. The report was published by Third I/O, an Austin, Texas-based provider of high-speed bandwidth and super computing technologies. The findings were presented over the weekend at the Semicon China conference.

"Based on the analysis by Third I/O, we believe that this problem is significantly worse than what is being reported," the paper warned. "And it is still visible on some DDR4 memory modules."

DRAM “Bitflipping” exploit for attacking PCs: Just add JavaScript

Once-esoteric hack that exploits DRAM weakness just got more mainstream.

In March, researchers revealed one of the more impressive if slightly esoteric hacks in recent memory—an attack that exploited physical weaknesses in computer memory chips to hijack the operating system running on them. Now a separate research team has unveiled techniques that make the attack more practical by allowing hacked or malicious websites to carry it out against unsuspecting visitors.

The "bitflipping" attack exploits physical flaws in certain DDR3 chip modules. By repeatedly accessing specific memory locations millions of times per second, attackers can cause zeroes to change to ones and vice versa in nearby memory locations. These bitflips can make it possible for an untrusted application to gain nearly unfettered system privileges or to bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources. Early versions of the attack worked only by running special code that wasn't practical in website environments, making the weakness hard to exploit in large, drive-by-style campaigns.

Last week, researchers published a bitflipping method that relies on JavaScript code used by standard browsers. Rowhammer.js, as the new proof-of-concept attack has been dubbed, is slow, and so far it only works on a Lenovo x230 Ivy Bridge Laptop running default settings and on a Haswell CPU if its refresh interval is increased as gamers sometimes do to increase system performance. And even then, the researchers were unable to use the attack to gain root access. Despite the limitations, however, the modified attack does what has never been done before—achieving a bitflipping attack using nothing more than the JavaScript allowed by every modern browser.
