Researchers Warn Linux Vendors About Cloud-Memory Hacking Trick

An anonymous Slashdot reader writes: Hacking researchers have uncovered a new attack technique which can alter the memory of virtual machines in the cloud. The team, based at Vrije Universiteit, Amsterdam, introduced the attack, dubbed Flip Feng Shui (FFS)...and explained that hackers could use the technique to crack the keys of secured VMs or install malicious code without it being noticed...

Using FFS, the attacker rents a VM on the same host as their chosen victim. They then write a memory page which they know exists on the vulnerable memory location and let it de-duplicate. The identical pages, with the same information, will merge in order to save capacity and be stored in the same part of memory of the physical computer. This allows the hacker to change information in the general memory of the computer.
The researchers demonstrated two attacks on Debian and Ubuntu systems -- flipping a bit to change a victim's RSA public key, and installing a software package infected with malware by altering a URL used by apt-get. "Debian, Ubuntu and other companies involved in the research were notified before the paper was published, and have all responded to the issue."

Saw this on the register

[0xdeaddead]

Remember when stuff like this broke here?

Re:Saw this on the register

[pregister]

No.

Host Your Own. Cloud Experiment Is A Fail.

[zenlessyank]

Looks folks, I know you wanted to save cash for your trips to private islands and jet planes, but sometimes you just have to pony up. Trying to have your shit hosted on a 3rd party platform is foolish. There are more important things than saving a quick buck because you didn't want to buy infrastructure. Welp Too bad.

Re:

[segedunum]

Indeed. Superficially going all cloud looks great to accountants when there's less of an upfront cost...and then the bills come in...every...single...month. The whole point in investing in infrastructure is that you're responsible for your own security and that investment pays off over time. I've lost count of the number of startups who've gone bust because they couldn't pay their AWS bill - and they still don't learn, or where the money is to be made. More high-profile outfits like Netflix will find that o

Re:

[segedunum]

As soon as you start running servers 24x7 the cloud gets very, very expensive....each and every month. When you have control over your own infrastructure that progressively gets cheaper. over time

I can also rent a server or a VPS from a decent service provider cheaper, get more performance out of it and have proper support as opposed to AWS's "You might get your EBS snapshots back in a couple of days".

The only ones that prefer it in house are the IT folks that sit on their asses all day ignoring the phone.

Get used to being ignored by your cloud provider. You were stupid enough to give your company to an exte

Re:

[segedunum]

Hilarious, but that response is not untypical as they thrash around trying to justify their own stupid decisions. You can't inform me of the 'wrong' in my post.....because you simply can't.

It does cost a bit more but you can do more.

Everything I did in AWS I could do elsewhere - and more flexibly too, and at an ever decreasing monthly cost.

But yeah dumbarses can really screw it up if they still keep thinking In terms of tin

Yer, tin has always been a problem for me!

Re:

[poofmeisterp]

Looks folks, I know you wanted to save cash for your trips to private islands and jet planes, but sometimes you just have to pony up. Trying to have your shit hosted on a 3rd party platform is foolish. There are more important things than saving a quick buck because you didn't want to buy infrastructure. Welp Too bad.

This argument has been going on for a century (+?)

Some bend and try to correct dangerous methods/behaviors and do fairly well. The others like to just watch satellite news on their jet or post-landing on their island and laugh at "those morons".

Until there is no choice left, the choice is sense of entitlement / waste / fraud / lying^365 / laziness / unwillingness to be the first to adapt and look "weak" to the rest of the entitled.

It isn't going to change until the pipelines ($) are wiped out and people ha

I don't get it.

[krtek]

OK, I get the deduplication part to save capacity. But aren't those deduped pages supposed to be treated in CoW manner?

Re:

[TechyImmigrant]

What makes you think SECDED will protect against row hammer that can flip multiple bits and the linear compensation for the check digits can be computed?

Re:

[guruevi]

ECC does not always detect these issues. There are a number of other mitigating techniques with variable success. Whether or not this technique/exploit is useful at all in the wild is another thing.

Re:

[jedidiah]

...or just be a little less of a cheapskate. Terms like "server" and "desktop" are entirely arbitrary.

Re: I don't get it.

[bestweasel]

Except servers are often very noisy.

Re:

[ArmoredDragon]

I just bought a dell T20 for my home lab and it's even quieter than my desktop. It has all of the usual server features, including ECC.

Re:

[RavenLrD20k]

I can (and have) build a Xenon Server that's extremely quiet and awesomely powerful for about $2700-$2800. That's with Dual Xenon Hex-cores, 64 GB RAM with ECC, 128 GB SSD, and 12 TB of HDD space (before applying RAID). Off of that one physical server, I can easily run 10 separate virtual servers (2 of which I have mimicking a Mainframe through the use of Hercules for the High Volume Data churn that MVS can handle) allowing me to have in-house access to development, testing, and model environments before

Re: I don't get it.

[bestweasel]

It's clearly possible to design a quiet server but it's not usually a major criterion. I was thinking of someone who decides they want to buy one and ends up with something made for a data centre, where pulling air through it is the major concern and noise isn't a factor. Put one of those in an office or even a workshop and you'll soon wish you hadn't.

Re:

[krtek]

This is where the rowhammer vulnerability comes in.

Ah, then it suddenly starts making sense. Thanks.

Re:

[Intron]

This is not a practical vulnerability in the field. It depends on knowing when a page is de-duped, its physical address, and the DRAM layout. Any address space randomization will defeat it.

Re:

[skids]

This is where you get told to RTFA. It's a very good FA, including statistical analyses of success probabilities.
 

Re:

[Intron]

I did. They say "it is unclear" meaning they don't know of any way to exploit this in the real world where ECC is used. Their chart gives probability of success AFTER assuming they can flip a bit in a specific key file.

Re:

[Intron]

Q: Does Amazon EC2 use ECC memory?

In our experience, ECC memory is necessary for server infrastructure, and all the hardware underlying Amazon EC2 uses ECC memory.

Most cloud vendors would not be vulnerable to this hack.

Re:

[Intron]

Bull. Try checking facts.
http://googleprojectzero.blogs... [blogspot.com]

Re:

[TechyImmigrant]

OK, I get the deduplication part to save capacity. But aren't those deduped pages supposed to be treated in CoW manner?

Waiting for the cow moos guy to chime in.

Re:I don't get it.

[a_n_d_e_r_s]

Yes they use Copy on Write. But they use the hardware bug Rawhammer to flip bites without CoW being triggered.

So its really an escalation of a hardwarebug. So it its not restricted to Linux. Should be able to affect any software running on a multiuser system - regardless of operating system.

Basically any insecure hardware system affected by Rawhammer are not safe to run multiuser software - since it can be used to manipulate the system.

Re:I don't get it.

[Ungrounded Lightning]

But they use the hardware bug Rawhammer to flip bites without CoW being triggered.

ROWhammer - "hammering on" the adjacent rows of the memory in the chip - by reading them repeatedly - which causes charge leakage and occasional bit flips in the adjacent row.

Because the attacking process is only reading the beside-the-target rows, the OS doesn't think the memory is being changed and thus doesn't decombine the two processes' instance of the page.

I'm surprised that the system is doing page recombine across multiple VMs. While it makes sense from a total resource standpoint (why should each VM have its own instance of a page of mostly-unchanging RAM?) it also makes performance vary more due to activity in other VMs - as well as opening the rowhammer vulnerability to cross-VM exploit.

Re:

[TechyImmigrant]

It is "just" a rowhammer based attack. It the RAM is defective, it should be replaced.

It's a how to guide for how to use the rowhammer attack to do real damage.

Re:

[gweihir]

It is. But AFAIK rowhammer has only be demonstrated against laptops. Laptops often have slowed-down refresh cycles to conserve power. That is what makes rowhammer possible in the first place.

FFS

[TechyImmigrant]

FFS: I like these researchers. They know a good acronym when they see one.

Re:

[segedunum]

That is probably the funniest thing I've ever read.

Re:

[jedidiah]

You only have to give source to those people you give the binaries to.

Unless you're giving your precious binaries to your competitors, you don't have to give them the source either.

As far as that bit about gcc goes, that's just pure bullshit and no self respecting lawyer attach his name to it.

Re:

[Billly Gates]

You forgot the $799 per core SCO licensing in your email

Just because the article is about FFS ...

[daboochmeister]

... doesn't mean you have to try to elicit that response from us.

ASLR

[Billly Gates]

Windows 7/OpenBSD/MacOSX/Server 2008 R2 and later use virtual ram addresses that are scrambled to prevent this and injections. This is one of the oldest cracker techniques in the book after buffer overflows. Linux doesn't have this?

Re:ASLR

[Anonymous Coward]

Linux doesn't have [ASLR]?

*cough*
https://en.wikipedia.org/wiki/Row_hammer
*cough*

1) Linux has ASLR.
2) ASLR can't do shit for this, not when it's hammering within an already-allocated block.

"The proof of concept for this approach is provided both as a native code implementation, and as a pure JavaScript implementation that runs on Firefox 39. The JavaScript implementation, called Rowhammer.js, uses large typed arrays and relies on their internal allocation using large pages; as a result, it demonstrates a very high-level exploit of a very low-level vulnerability."

Randomization of accesses _within_ an allocated block would be next-level shit... stuff that would have a _large_ perf hit and that no widely-used OS does. It's still not clear that that would mitigate Rowhammer... just make it a bit more difficult.

Re:

[CRC'99]

You just fail to understand the problem that has nothing to do with ASLR. Please read about virtual machines and memory de-duplication.

... and is exactly why you don't deduplicate RAM when hosting VMs...

Re:

[daboochmeister]

> ... and is exactly why you don't deduplicate RAM when hosting VMs..

If their servers were properly configured with ECC RAM that halted the system when it encountered an error, this would not be a security issue.

Well ... except as a DoS attack, of course.

Linux FIRST to implement ASLR.

[tpgp]

OK, I know you're trolling, but in case anyone is stupid enough to believe you:

From Wikipedia's ASLR page: [wikipedia.org]

History

The Linux PaX project first coined the term "ASLR", and published the first design and implementation of ASLR in July 2001. It is seen as the most complete implementation, providing also kernel stack randomization since October 2002. Compared to other implementations, it is also seen to provide the best layout randomization.

Re:

[skids]

TLDR for those who think ASLR protects against this: de-duplication essentially makes all the shared VM RAM into a rather slow content-addressed storage. All you need to know is the content of the page you want to alter, not the address. The authors note that THPs are used to anchor multiple consecutive rows on the attacking VM to consecutive DRAM rows, and after finding a rowhammer bit flip template, fill the victim page with the known content, wait for dedupe, and then hammer the bit flip in gain. KSM

Has anybody demonstrated rowhammer in the wild?

[gweihir]

Except against laptops, that is often easy as they use too slow refresh-cycles to safe power. That makes rowhammer very easy.

But I have yet to find a credible example of it working _at_ _all_ against correctly refreshed memory.

how does this work

[samantha]

How does the attacker know what memory pages are what in the targets VM space? That seems like quite a trick. Or is Amazon sharing various pages among all machines that are known to the public somehow? I am not a cracker myself so I don't really get how the attacker has this information.