Notes techniques

Site Tools



Home > readingnotes > DeduplicateBitFlipFengShui | About

First spotted on : http://arstechnica.com/security/2016/08/new-attack-steals-private-crypto-keys-by-corrupting-data-in-computer-memory/

Notes

From arstechnica

The attacker VM then uses what the researchers call Deduplication Flip Feng Shui to induce a bit flip in a specific part of the public key. The flip, in turn, creates a new public key that's weak enough to be factored so that attackers can derive the corresponding private key. In other words, the Rowhammer attack tricks the target VM into accepting a new public key and gain unauthorized SSH access because they have the private key.

From theregister

The attack, dubbed Flip Feng Shui, works by spinning up a virtual machine on a Linux-powered host, and filling a page of memory in the VM with data that's identical to a page in the victim's virtual machine.

So now you have two pages in the host's memory that are the same. Then along comes Linux's Kernel Samepage Merging feature, which deduplicates the two pages into one, so only one copy is physically held in the host server's RAM, but it still appears in each VM's memory map.

The next stage is to run a Rowhammer attack. This technique, demonstrated by Google engineers last year, involves rapidly writing and rewriting data to flip bits in adjacent memory locations. This works by forcing capacitor errors in the DRAM chips, and is successful even in newer DDR4 RAM sticks [PDF].

Using the Flip Feng Shui technique [PDF], the researchers successfully spammed the memory near the aforementioned deduplicated page in one virtual machine to flip the bits in the other guest machine. By doing this, they were able to weaken OpenSSH keys in Debian and Ubuntu systems.

Questions :

  1. Does the attacker change the victime's RAM from his own VM ?
  2. How does he do so ?

contact : @ychaouche yacinechaouche at yahoocom