New Cloud Attack Takes Full Control of Virtual Machines With Little Effort (arstechnica.com) 34
C3ntaur writes: The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It's a technique that's so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment. Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened. While previous research demonstrated that it could be used to elevate user privileges and break security sandboxes, most people studying Rowhammer said there was little immediate danger of it being exploited maliciously to hijack the security of computers that use vulnerable chips. The odds of crucial data being stored in a susceptible memory location made such hacks largely a matter of chance that was stacked against the attacker. In effect, Rowhammer was more a glitch than an exploit. Now, computer scientists have developed a significantly more refined Rowhammer technique they call Flip Feng Shui. It manipulates deduplication operations that many cloud hosts use to save memory resources by sharing identical chunks of data used by two or more virtual machines. Just as traditional Feng Shui aims to create alignment or harmony in a home or office, Flip Feng Shui can massage physical memory in a way that causes crypto keys and other sensitive data to be stored in locations known to be susceptible to Rowhammer. The research paper titled "Flip Feng Shui: Hammering a Needle in the Software Stack" can be read here.
Overhyped (Score:3)
For SSH, since you can only flip one bit, you have to already know the public key you want to exploit, find a easily factorizable key one bitflip away, then get the host to dedup. So no, this wont allow somebody to hack into arbitrary servers, only if there's already been data exfiltrated.
Re: Overhyped (Score:2)
You mean like from an Amazon E3 or Azure VM
Re: (Score:2)
That'd still require them to breach Amazon.
Announced 2 weeks ago?? (Score:2)
Bit late to the party /.
How many VMs have already been compromised?
Re: (Score:2)
Hardly any. Unless you're an idiot posting your public key everywhere or reusing a key, there's zero chance of this happening to you.
Re: (Score:2)
What does that have to do with this attack?
Re: Announced 2 weeks ago?? (Score:3)
He's pointing out by example that the whole purpose of a public key is to be distributed to other parties, and that doing so is safe due to the inability* to infer the private key through factorisation. Bit flipping a properly formed key Kpub is highly likely to result in an easily factored "key" K'pub for which the private key K'priv can be trivially derived.
Re: Announced 2 weeks ago?? (Score:2)
And? That have no effect on being able to forge a PGP message.
Defective RAM is defective (Score:4, Interesting)
Rowhammer in all its incarnations is not the problem. If you are vulnerable to such attacks it is because your RAM is defective. Can we stop pretending this is an exploit we need elaborate schemes to protect against and just call it what it is: A crappy products that need to be replaced from manufacturers that need to be held accountable for it.
Don't trust the cloud (Score:1, Insightful)
Cloud services are a thunderstorm of shit waiting to fall on your head.
Testing for rowhammer? (Score:2)
Aren't modern servers tested for rowhammer?
My HP Integrity's offline diagnostics does three hammering tests, and will fail the diag if even a single read does not match what it should - and this is on a machine nearly 10 years old (though the diag disc is from 2012).
Re: (Score:2)
No doubt, as you're hammering on DRAM cells the size of small battleships.
It's a whole different matter when your DRAM cells have their little button noses pressed up against the scaling wall.
Re: Testing for rowhammer? (Score:2)
It's a bug in implementation. Not low quality hardware as this is designed to share ram like a pointer
Good name choice (Score:1)
Not that easy (Score:5, Interesting)
It's an interesting idea and nicely carried out, but in the real world I doubt this is of much concern. For the attack to be successful, all of the following must hold
1. memory susceptible to rowhammer attack (in itself not trivial - only few and given memory locations can be flipped)
2. VM manager merges physically identical pages of unrelated VMs (i.e., the identical memory pages of different VMs point to the same physical page)
3. attacker VM must know the contents of the page in the victim VM
4. attacker must register a page with the to-be-attacked contents before the victim VM does so that it can somewhat control its physical location and use rowhammer on it
Especially #3 is not easy. In the paper, the authors assume they know all SSH authorized keys of the victim page which seems a bit far-fetched. Pages holding OS contents are easier to guess; I think an attack on those is more probable.
Also, the fix is trivial. Don't buy cheap RAM that can be attacked with rowhammer for your data centers.
Re: (Score:1)
The majority of the VMware and KVM environments I've seen (ranging in scale from small private deployments to extremely large "enterprise" environments) have hypervisor level memory deduplication enabled. This has been the norm for years now. -PCP
Re: (Score:2)
VMware has shipped with hypervisor-level memory deduplication off by default since 2014 [vmware.com], precisely because of this style of attack.
Being secure against this sort of attack has been the norm for years now.
Re: (Score:2)
Shared virtual machine images (Score:2)
3. attacker VM must know the contents of the page in the victim VM
Not that hard... Often people will use a public virtual machine image for database server, proxy, load-balancer, or container host. I'm sure coreos is rarely customized, I see few reasons to do. It's often neat to attach extra disks and use cloud-init to configure VMs, rather than building custom VMs.
And even if you do build custom VMs, you're often basing it of some official VM.
Re: (Score:2)
For the attack to be successful, all of the following must hold...
And yet, the old NSA saying that "attacks only get better, they never get worse", is an apt reminder. While it may not be practical today, it was just made more practical. Whatever happens next, the attack will not get worse. Expect people to work at all the listed limitations, and who knows...
So, even if there isn't reason to suspect a full blown jump-out-of-the-windows fire just yet, there's a definite smell of smoke in the air.
Cloud Attack (Score:1)
Is this "I told you so" week? (Score:2)
A while ago a popular VM hosting application used to tell everyone on a splash screen on startup that Virtual Machines are not a security feature.
If you want security you use something designed for it - chroot, zones, "containers" - plenty of choice.
How safe or Azure and Amazon clouds (Score:2)
Many and mean corporations are moving to the cloud or already there.