Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Cloud Bug Debian Encryption Privacy Security Ubuntu

Researchers Warn Linux Vendors About Cloud-Memory Hacking Trick (thestack.com) 73

An anonymous Slashdot reader writes: Hacking researchers have uncovered a new attack technique which can alter the memory of virtual machines in the cloud. The team, based at Vrije Universiteit, Amsterdam, introduced the attack, dubbed Flip Feng Shui (FFS)...and explained that hackers could use the technique to crack the keys of secured VMs or install malicious code without it being noticed...

Using FFS, the attacker rents a VM on the same host as their chosen victim. They then write a memory page which they know exists on the vulnerable memory location and let it de-duplicate. The identical pages, with the same information, will merge in order to save capacity and be stored in the same part of memory of the physical computer. This allows the hacker to change information in the general memory of the computer.

The researchers demonstrated two attacks on Debian and Ubuntu systems -- flipping a bit to change a victim's RSA public key, and installing a software package infected with malware by altering a URL used by apt-get. "Debian, Ubuntu and other companies involved in the research were notified before the paper was published, and have all responded to the issue."
This discussion has been archived. No new comments can be posted.

Researchers Warn Linux Vendors About Cloud-Memory Hacking Trick

Comments Filter:
  • by 0xdeaddead ( 797696 ) on Sunday August 14, 2016 @11:36AM (#52700077) Homepage Journal

    Remember when stuff like this broke here?

  • by zenlessyank ( 748553 ) on Sunday August 14, 2016 @11:48AM (#52700117)

    Looks folks, I know you wanted to save cash for your trips to private islands and jet planes, but sometimes you just have to pony up. Trying to have your shit hosted on a 3rd party platform is foolish. There are more important things than saving a quick buck because you didn't want to buy infrastructure. Welp Too bad.

    • Indeed. Superficially going all cloud looks great to accountants when there's less of an upfront cost...and then the bills come in...every...single...month. The whole point in investing in infrastructure is that you're responsible for your own security and that investment pays off over time. I've lost count of the number of startups who've gone bust because they couldn't pay their AWS bill - and they still don't learn, or where the money is to be made. More high-profile outfits like Netflix will find that o
    • Looks folks, I know you wanted to save cash for your trips to private islands and jet planes, but sometimes you just have to pony up. Trying to have your shit hosted on a 3rd party platform is foolish. There are more important things than saving a quick buck because you didn't want to buy infrastructure. Welp Too bad.

      This argument has been going on for a century (+?)

      Some bend and try to correct dangerous methods/behaviors and do fairly well. The others like to just watch satellite news on their jet or post-landing on their island and laugh at "those morons".

      Until there is no choice left, the choice is sense of entitlement / waste / fraud / lying^365 / laziness / unwillingness to be the first to adapt and look "weak" to the rest of the entitled.

      It isn't going to change until the pipelines ($) are wiped out and people ha

  • OK, I get the deduplication part to save capacity. But aren't those deduped pages supposed to be treated in CoW manner?

    • OK, I get the deduplication part to save capacity. But aren't those deduped pages supposed to be treated in CoW manner?

      Waiting for the cow moos guy to chime in.

    • Re:I don't get it. (Score:5, Informative)

      by a_n_d_e_r_s ( 136412 ) on Sunday August 14, 2016 @12:58PM (#52700351) Homepage Journal

      Yes they use Copy on Write. But they use the hardware bug Rawhammer to flip bites without CoW being triggered.

      So its really an escalation of a hardwarebug. So it its not restricted to Linux. Should be able to affect any software running on a multiuser system - regardless of operating system.

      Basically any insecure hardware system affected by Rawhammer are not safe to run multiuser software - since it can be used to manipulate the system.

      • Re:I don't get it. (Score:5, Informative)

        by Ungrounded Lightning ( 62228 ) on Sunday August 14, 2016 @07:07PM (#52701723) Journal

        But they use the hardware bug Rawhammer to flip bites without CoW being triggered.

        ROWhammer - "hammering on" the adjacent rows of the memory in the chip - by reading them repeatedly - which causes charge leakage and occasional bit flips in the adjacent row.

        Because the attacking process is only reading the beside-the-target rows, the OS doesn't think the memory is being changed and thus doesn't decombine the two processes' instance of the page.

        I'm surprised that the system is doing page recombine across multiple VMs. While it makes sense from a total resource standpoint (why should each VM have its own instance of a page of mostly-unchanging RAM?) it also makes performance vary more due to activity in other VMs - as well as opening the rowhammer vulnerability to cross-VM exploit.

  • FFS (Score:5, Funny)

    by TechyImmigrant ( 175943 ) on Sunday August 14, 2016 @12:17PM (#52700229) Homepage Journal

    FFS: I like these researchers. They know a good acronym when they see one.

  • by Billly Gates ( 198444 ) on Sunday August 14, 2016 @02:13PM (#52700669) Journal

    Windows 7/OpenBSD/MacOSX/Server 2008 R2 and later use virtual ram addresses that are scrambled to prevent this and injections. This is one of the oldest cracker techniques in the book after buffer overflows. Linux doesn't have this?

    • Re:ASLR (Score:4, Informative)

      by Anonymous Coward on Sunday August 14, 2016 @04:26PM (#52701191)

      Linux doesn't have [ASLR]?

      *cough*
      https://en.wikipedia.org/wiki/Row_hammer
      *cough*

      1) Linux has ASLR.
      2) ASLR can't do shit for this, not when it's hammering within an already-allocated block.

      "The proof of concept for this approach is provided both as a native code implementation, and as a pure JavaScript implementation that runs on Firefox 39. The JavaScript implementation, called Rowhammer.js, uses large typed arrays and relies on their internal allocation using large pages; as a result, it demonstrates a very high-level exploit of a very low-level vulnerability."

      Randomization of accesses _within_ an allocated block would be next-level shit... stuff that would have a _large_ perf hit and that no widely-used OS does. It's still not clear that that would mitigate Rowhammer... just make it a bit more difficult.

    • by tpgp ( 48001 ) on Sunday August 14, 2016 @05:20PM (#52701397) Homepage

      OK, I know you're trolling, but in case anyone is stupid enough to believe you:

      From Wikipedia's ASLR page: [wikipedia.org]

      History

      The Linux PaX project first coined the term "ASLR", and published the first design and implementation of ASLR in July 2001. It is seen as the most complete implementation, providing also kernel stack randomization since October 2002. Compared to other implementations, it is also seen to provide the best layout randomization.

    • by skids ( 119237 )

      TLDR for those who think ASLR protects against this: de-duplication essentially makes all the shared VM RAM into a rather slow content-addressed storage. All you need to know is the content of the page you want to alter, not the address. The authors note that THPs are used to anchor multiple consecutive rows on the attacking VM to consecutive DRAM rows, and after finding a rowhammer bit flip template, fill the victim page with the known content, wait for dedupe, and then hammer the bit flip in gain. KSM

  • Except against laptops, that is often easy as they use too slow refresh-cycles to safe power. That makes rowhammer very easy.

    But I have yet to find a credible example of it working _at_ _all_ against correctly refreshed memory.

  • how does this work (Score:4, Insightful)

    by samantha ( 68231 ) * on Sunday August 14, 2016 @10:16PM (#52702375) Homepage

    How does the attacker know what memory pages are what in the targets VM space? That seems like quite a trick. Or is Amazon sharing various pages among all machines that are known to the public somehow? I am not a cracker myself so I don't really get how the attacker has this information.

All this wheeling and dealing around, why, it isn't for money, it's for fun. Money's just the way we keep score. -- Henry Tyroon

Working...