Flip Feng Shui: Advanced Rowhammer exploitation on cloud, desktop, and mobile

Presented at Still Hacking Anyway (SHA2017), Aug. 6, 2017, 1:20 p.m. (60 minutes)

In 2016, the VUSec system security group from Vrije Universiteit Amsterdam published three top-notch research papers on the topic of Rowhammer exploitation, leading to international media attention and even a prestigious PWNIE award. In this talk, we present key concepts of our research and provide an introduction to Rowhammer exploitation to the public. We describe how attackers can use the Flip Feng Shui exploitation vector to reliably attack cloud, desktop, and mobile platforms.

Rowhammer is a hardware bug that allows attackers to manipulate data in memory without accessing it. More specifically, by reading many times from a specific memory location, a bit somewhere else in memory may flip: a one becomes a zero, or a zero becomes a one. Our recent exploits are instances of Flip Feng Shui (or FFS), a novel exploitation vector that allows an attacker to compromise system software with high reliability, even if recently proposed software defenses are in place. Flip Feng Shui relies on 1) predictable memory management behavior and 2) reproducible bit flips in the memory subsystem. Perhaps surprisingly, we found that both requirements are quite common in the devices we use today, as we were able to identify primitives on desktop, cloud, and mobile platforms. We show that Flip Feng Shui is extremely powerful: we compromise Microsoft Edge in a desktop setting (known as <i>Dedup</i>), OpenSSH and apt-get in the cloud (known as <i>Flip Feng Shui</i>), and ultimately build a sophisticated attack that can root Android devices from an untrusted app (<i>Drammer</i>). None of our attacks rely on any software vulnerability. Besides technical details, we will show (recorded, sorry) demos for each exploit and also detail stories on the responsible disclosure process.

Presenters:

  • Kaveh Razavi
    Kaveh Razavi is a security researcher at the Vrije Universiteit Amsterdam in the Netherlands. He is currently mostly interested in reliable exploitation and mitigation of hardware vulnerabilities and side-channel attacks on OS/hardware interfaces. His recently publicized work includes reliable Rowhammer exploitation in browsers, clouds and mobile phones, which won two distinguished awards. His recent AnC cache attack significantly compromises ASLR in the browser. Previously, he has been part of a CERT team specializing in operating system security, has worked on authentication systems of a Swiss bank, and has spent two summers at Microsoft Research building large-scale system prototypes. He holds a BSc from Sharif University of Technology, Tehran, an MSc from ETH Zurich and a PhD from Vrije Universiteit Amsterdam.
  • Victor van der Veen
    Victor (as PhD candidate) and Kaveh (as PostDoc) are part of the VUSec group at Vrije Universiteit Amsterdam. Prior to their joint efforts on Rowhammer exploitation research, Victor worked on novel techniques to protect applications against code-reuse (ROP) attacks, while Kaveh built large-scale system prototypes for clouds and data centers. They have both published at all the top-tier venues in their field: Security & Privacy (Oakland), USENIX Security, CCS, NDSS, SIGCOMM and Supercomputing, but have also presented their work at industrial conferences like Black Hat and Hack in the Box.