[Cryptography] "Flip Feng Shui: Hammering a Needle in the Software Stack"

Bart Preneel bart.preneel at esat.kuleuven.be
Fri Sep 2 12:37:34 EDT 2016


On Fri, 2 Sep 2016, Florian Weimer wrote:

> * Jerry Leichter:

> "We introduce Flip Feng Shui (FFS), a new exploitation vector which
> allows an attacker to induce bit flips over arbitrary physical memory
> in a fully controlled way. FFS relies on hardware bugs to induce bit
> flips over memory and on the ability to surgically control the
> physical memory layout to corrupt attacker-targeted data anywhere in
> the software stack.... Memory deduplication allows an attacker to
> reverse-map any physical page into a virtual page she owns as long as
> the page's contents are known. Rowhammer, in turn, allows an attacker
> to flip bits in controlled (initially unknown) locations in the target
> page.
>
> We show FFS is extremely powerful: a malicious VM in a practical cloud
> setting can gain unauthorized access to a co-hosted victim VM running
> OpenSSH. Using FFS, we exemplify end-to-end attacks breaking OpenSSH
> public-key authentication, and forging GPG signatures from trusted
> keys, thereby compromising the Ubuntu/Debian update mechanism."
>
> https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_razavi.pdf

Why bother with patching public keys, making them amenable to
factorization, if you can patch executable code instead?

If you can target executable code (and I see why not, it's all the
same to KSM), it is very clear that there cannot be a software-only
defense.  (The authors try to frame this as a software problem which
needs fixes in GnuPG etc.)

Comment:

Rowhammer can indeed target executable code, but corrupting a public key
is more attractive for an attacker:
- Rowhammer can only flip a bit in a certain memory region but not in a
specific memory location. Flipping any bit of a public key will lead
to compromise, which is not the case for code.
- Finding out which bits are useful to flip in executable code
typically requires manual work through reverse engineering (and this
work has to be repeated for every binary).

While protecting public keys with error detection codes is only a partial
solution, it is an easy thing to do that raises the barrier.
On the other hand, protecting the complete code brings a large overhead.

-Bart Preneel
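As an added illustration of the "error detection codes" mitigation discussed above (example code, not from the paper or from anyone in this thread), the block below wraps an in-memory public key in a CRC-32 and re-checks it before every use; the key blob is a constructed stand-in, and `protect`/`check`/`flip_bit` are hypothetical names.

```python
import random
import zlib

# Constructed sample "public key": a fixed 2048-bit odd integer from a
# seeded RNG, standing in for an RSA modulus held in memory. It is not a
# real key and is used only to show the integrity check at work.
_rng = random.Random(1)
SAMPLE_MODULUS = _rng.getrandbits(2048) | (1 << 2047) | 1
SAMPLE_KEY = SAMPLE_MODULUS.to_bytes(256, "big")


def protect(key: bytes) -> bytes:
    """Append a CRC-32 tag to the key bytes (the error-detecting code)."""
    return key + zlib.crc32(key).to_bytes(4, "big")


def check(blob: bytes):
    """Re-verify the tag before use; return the key, or None on mismatch."""
    key, tag = blob[:-4], blob[-4:]
    if zlib.crc32(key).to_bytes(4, "big") != tag:
        return None
    return key


def flip_bit(blob: bytes, bit_index: int) -> bytes:
    """Simulate a single Rowhammer-style bit flip at a given bit offset."""
    b = bytearray(blob)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def unprotected_use(key: bytes) -> int:
    """What code without a check does: parse whatever bytes are there."""
    return int.from_bytes(key, "big")


def detects_all_single_flips(key: bytes) -> bool:
    """CRC-32 detects every single-bit error, including flips in the tag."""
    blob = protect(key)
    return all(check(flip_bit(blob, i)) is None for i in range(len(blob) * 8))
```

Without the check, `unprotected_use` silently yields a different, still well-formed modulus after any flip, which is the situation the paper exploits; the check turns that into a detectable failure, while flips in the checking code itself remain, which is why this is only a partial solution.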
