Flip Feng Shui: Rowhammering the VM's Isolation

Presented at Black Hat Europe 2016, Nov. 3, 2016, 10 a.m. (60 minutes)

We show how an attacker virtual machine (VM) can induce Rowhammer bit flips in memory used by another VM on the same host, in a fully controlled way, even under strong hardware-enforced memory isolation. In many cloud settings, memory deduplication significantly reduces the memory footprint of VMs by keeping a single copy of memory pages with identical contents. The deduplication process periodically scans memory for pages with the same contents, keeps one copy in physical memory (the primary page) and releases the other copies back to the system. We show that by guessing the contents of a target page in a victim VM, an attacker VM can easily control which copy becomes the primary page, and therefore where in physical memory the victim's page ends up. By placing the victim page at a physical location with a vulnerable bit at the right offset, determined in the first stage of our exploit, we can perform a reliable and deterministic Rowhammer attack across VMs. We used this new technique, named Flip Feng Shui, to corrupt the page cache of a victim VM hosting RSA public keys. We demonstrate end-to-end attacks that (a) break OpenSSH public-key authentication, allowing remote OpenSSH access with a newly generated private key, and (b) forge GPG signatures from trusted keys, thereby compromising the Ubuntu/Debian update mechanism, all without relying on any software vulnerability. Unlike other Rowhammer-based cryptographic fault attacks, ours is practical: it makes no assumptions about the environment and does not require knowledge of the CPU's memory addressing function. We discuss practical defenses against Flip Feng Shui attacks at the end.
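As an added example that is not part of the talk or the authors' tooling, the following Python models both mechanisms the abstract describes: a toy deduplicating host in which the first VM to write a page's content owns the primary frame, so a later identical victim page is merged onto the attacker-chosen frame, and the cryptographic consequence of a single bit flip in an RSA public modulus, namely that the corrupted modulus n' is usually easy to factor, so the attacker can derive a private key that the victim's corrupted public key now accepts. Everything here is constructed: the DedupHost class, the 56-bit toy modulus, the guest addresses, and the assumption that a Rowhammer template exists for every bit position (the real attack picks from the flips found in its templating stage, and real 2048-bit keys need far more factoring effort than the Pollard rho used here).

```python
import hashlib
import math
import random

class DedupHost:
    """Toy KSM-style merging (an assumption of this example): first writer owns the frame."""
    def __init__(self):
        self.frames, self.by_hash, self.maps = {}, {}, {}
    def write_page(self, vm, gaddr, content):
        h = hashlib.sha256(content).digest()
        if h not in self.by_hash:                   # first writer owns the primary page
            self.by_hash[h] = len(self.frames)
            self.frames[self.by_hash[h]] = bytearray(content)
        self.maps[(vm, gaddr)] = self.by_hash[h]    # later identical pages are merged
        return self.by_hash[h]
    def read_page(self, vm, gaddr):
        return bytes(self.frames[self.maps[(vm, gaddr)]])
    def rowhammer_flip(self, fid, byte_off, bit):
        # Hardware fault, not a guest write: copy-on-write never triggers, so
        # every VM sharing the frame now reads the corrupted byte.
        self.frames[fid][byte_off] ^= 1 << bit

def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.8e18."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23)
    if n < 2 or any(n % p == 0 for p in bases):
        return n in bases
    s = ((n - 1) & (1 - n)).bit_length() - 1    # n - 1 = d * 2**s with d odd
    d = (n - 1) >> s
    for a in bases:
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False
    return True

def pollard_rho(n):
    rng = random.Random(n)          # seeded on n: deterministic factor choice
    while True:
        c, x, d = rng.randrange(1, n), rng.randrange(2, n), 1
        y = x
        while d == 1:               # Floyd cycle finding on x -> x^2 + c mod n
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d

def factor(n):
    """Toy factorisation (trial division, then rho) as {prime: exponent}."""
    out = {}
    for p in range(2, 100):
        while n % p == 0:
            out[p], n = out.get(p, 0) + 1, n // p
    stack = [n] if n > 1 else []
    while stack:
        m = stack.pop()
        if is_prime(m):
            out[m] = out.get(m, 0) + 1
        else:
            d = pollard_rho(m)
            stack += [d, m // d]
    return out

def rand_prime(rng, bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c):
            return c

def forge_key(n, e):
    """Stage two: of the candidate flips (assumed: a template for every bit of n),
    take the first whose n' is square-free with gcd(e, phi(n')) = 1 and derive d'."""
    for bit in range(n.bit_length()):
        n2 = n ^ (1 << bit)
        f = factor(n2)
        if all(k == 1 for k in f.values()):
            phi = math.prod(p - 1 for p in f)
            if math.gcd(e, phi) == 1:
                return bit, n2, pow(e, -1, phi)

def sign(msg, d, n):  # toy full-domain hash, no padding
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % n, d, n)
def verify(msg, sig, e, n):
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def demo(seed=1):
    """Attacker owns the merged frame holding the victim's modulus, flips one bit, signs for n'."""
    rng, host = random.Random(seed), DedupHost()
    n, e = rand_prime(rng, 28) * rand_prime(rng, 28), 65537   # constructed toy key
    # Constructed stand-in for an authorized_keys page: 8-byte big-endian n, zero padded.
    key_page = n.to_bytes(8, "big").ljust(4096, b"\0")
    fid = host.write_page("attacker", 0x1000, key_page)        # attacker writes the guess first ...
    assert host.write_page("victim", 0x7000, key_page) == fid  # ... so the victim is merged onto its frame
    bit, n2, d2 = forge_key(n, e)
    host.rowhammer_flip(fid, 7 - bit // 8, bit % 8)            # that bit's byte in big-endian order
    n_seen = int.from_bytes(host.read_page("victim", 0x7000)[:8], "big")
    return {"n": n, "e": e, "n_corrupt": n2, "n_seen": n_seen, "d_forged": d2}
```

`demo()` returns the original and corrupted moduli plus the forged private exponent; a signature made with `d_forged` under `n_corrupt` verifies against what the victim now reads but not against the original key. The point of the `rowhammer_flip` method is the caveat a practitioner should keep in mind: deduplication's copy-on-write only protects shared pages from software writes, while a DRAM fault changes the shared frame in place for every VM mapped to it.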

Presenters:

  • Kaveh Razavi - Dr., Vrije Universiteit Amsterdam
    Kaveh Razavi is a security researcher at the Vrije Universiteit Amsterdam in the Netherlands. He is currently mostly interested in reliable exploitation and mitigation of hardware vulnerabilities and side-channel attacks on OS/hardware interfaces. He has previously been part of a CERT team specializing in operating system security, has worked on the authentication systems of a Swiss bank, and has spent two summers at Microsoft Research building large-scale system prototypes. He holds a BSc from Sharif University of Technology, Tehran, an MSc from ETH Zurich and a PhD from Vrije Universiteit Amsterdam.
  • Herbert Bos - Prof. Dr., Vrije Universiteit Amsterdam
    Herbert Bos is a professor of Systems and Network Security at Vrije Universiteit Amsterdam in the Netherlands. Coming from a systems background, he drifted into security a few years ago and never left. Even so, he still does not understand crypto, and hides this by saying that he prefers to stay on the systems side of security. He obtained a PhD from the Cambridge University Computer Laboratory (UK) and is very proud of his (ex-)students.
  • Erik Bosman - M.Sc., Vrije Universiteit Amsterdam
    Erik Bosman is a PhD student in the Systems and Network Security group at the Vrije Universiteit Amsterdam in the Netherlands. He is currently working on novel side-channel attacks for leaking sensitive information from the OS and applications. He previously developed Signal Return-Oriented Programming, a highly portable exploitation technique that abuses signal frames to create a weird machine that attackers can program. His minemu system is the world's fastest dynamic taint tracker and can be used to protect binaries against memory corruption attacks.
  • Cristiano Giuffrida - Dr., Vrije Universiteit Amsterdam
    Cristiano Giuffrida is an Assistant Professor in the Computer Science Department of the Vrije Universiteit Amsterdam. His research interests span most aspects of systems security and reliability, including software security, side channels, and binary and malware analysis. He received a PhD cum laude from the Vrije Universiteit Amsterdam in 2014. He was awarded the Roger Needham Award at EuroSys and the Dennis M. Ritchie Award at SOSP for the best PhD dissertation in Computer Systems in 2015 (Europe and worldwide, respectively).
  • Ben Gras - M.Sc., Vrije Universiteit Amsterdam
    Ben Gras has been part of the systems security research group at the Vrije Universiteit Amsterdam since 2015. Previously, he was a scientific programmer working on the Minix operating system under Andy Tanenbaum for 10 years.
  • Bart Preneel - Prof. Dr., Katholieke Universiteit Leuven
    Prof. Bart Preneel is a professor at KU Leuven in Belgium. He heads the COSIC research group, which is a member of the iMinds research center. He has a background in electrical engineering and wrote a PhD thesis on cryptographic hash functions. In addition to crypto, he is interested in system security and privacy and in the policy aspects of these fields.
