Flip Feng Shui: Hammering a Needle in the Software Stack

We introduce Flip Feng Shui (FFS), a new exploitation vector which allows an attacker to induce bit flips over arbitrary physical memory in a fully controlled way. FFS relies on hardware bugs to induce bit flips over memory and on the ability to surgically control the physical memory layout to corrupt attacker-targeted data anywhere in the software stack. We show FFS is possible today with very few constraints on the target data, by implementing an instance using the Rowhammer bug and memory deduplication (an OS feature widely deployed in production). Memory deduplication allows an attacker to reverse-map any physical page into a virtual page she owns as long as the page’s contents are known. Rowhammer, in turn, allows an attacker to flip bits in controlled (initially unknown) locations in the target page. We show FFS is extremely powerful: a malicious VM in a practical cloud setting can gain unauthorized access to a co-hosted victim VM running OpenSSH. Using FFS, we exemplify end-to-end attacks breaking OpenSSH public-key authentication, and forging GPG signatures from trusted keys, thereby compromising the Ubuntu/Debian update mechanism. We conclude by discussing mitigations and future directions for FFS attacks.
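Because the FFS instance described above depends on memory deduplication, a host operator can check whether page merging is in effect. The following is an added example, not code from the paper; it assumes the deduplication implementation is Linux KSM exposed at the standard sysfs path `/sys/kernel/mm/ksm`, and the function names and verdict labels are illustrative.

```python
"""Audit Linux KSM (kernel samepage merging) state via sysfs."""
import tempfile
from pathlib import Path
from typing import Optional

KSM_SYSFS = Path("/sys/kernel/mm/ksm")  # standard KSM sysfs directory


def _read_int(path: Path) -> Optional[int]:
    """Read one integer sysfs attribute; None if missing or unreadable."""
    try:
        return int(path.read_text().strip())
    except (OSError, ValueError):
        return None


def audit_ksm(root: Path = KSM_SYSFS) -> dict:
    """Classify whether identical pages are, or remain, merged on this host."""
    run = _read_int(root / "run")
    shared = _read_int(root / "pages_shared") or 0
    sharing = _read_int(root / "pages_sharing") or 0
    if run is None:
        verdict = "absent"               # no KSM support or sysfs unreadable
    elif run == 1:
        verdict = "active"               # ksmd is scanning and merging
    elif shared or sharing:
        # run=0 only stops ksmd; pages merged earlier stay shared
        verdict = "stopped-but-merged"
    else:
        verdict = "inactive"
    # Writing 2 to "run" stops ksmd and unmerges all currently merged pages.
    fix = None if verdict in ("absent", "inactive") else f"echo 2 > {root / 'run'}"
    return {"verdict": verdict, "run": run, "pages_shared": shared,
            "pages_sharing": sharing, "remediation": fix}


def write_sample(root: Path, run: int, shared: int, sharing: int) -> Path:
    """Build a constructed sysfs-like directory for offline use."""
    for name, value in (("run", run), ("pages_shared", shared),
                        ("pages_sharing", sharing)):
        (root / name).write_text(f"{value}\n")
    return root


if __name__ == "__main__":
    print("host:", audit_ksm())
    with tempfile.TemporaryDirectory() as d:  # constructed sample values
        print("sample:", audit_ksm(write_sample(Path(d), 0, 120, 950)))
```

The `stopped-but-merged` verdict covers the case where `run` was set to 0 after pages had already been merged: the scanner is stopped, but those pages remain shared until `run` is set to 2.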
