Rowhammer Attack Hits Linux VMs

Tuesday, August 16, 2016 @ 04:08 PM gHale


There is a new version of the Rowhammer attack that can compromise Linux VMs, often used for cloud hosting services.

The Rowhammer attack ended up discovered two years ago when researchers disclosed it because it showed by bombarding a row of memory cells, an attacker could reverse binary zeros into ones and vice versa.

RELATED STORIES
Trojan Searches for Specific File Types
Trojan Goes Cryptocurrency Mining
Trojan in Google Play Android Apps
APT Targets Energy, Pharma Industries

This allowed an attacker to manipulate a computer’s memory just by using malware that constantly hammered a row of memory cells, which flipped their bits and influenced nearby memory cells into flipping their bits as well.

The initial attack was successful against DDR3 memory, but last year, researchers proved it was also effective against DDR4.

Things took a turn for the worse when researchers demoed Rowhammer attacks via JavaScript, meaning attackers could compromise a computer’s memory via the Internet.

Previously, in May 2016, researchers from Vrije University in the Netherlands executed a Rowhammer attack against the Edge browser on Windows 10, using a memory deduplication side-channel attack that allowed them to take over the browser and even the OS.

The same team who carried out that research, presented at the 37th IEEE Symposium on Security and Privacy, returned with a new variation of this attack they presented last week at the Usenix Security Symposium.

Called Flip Feng Shui (FFS), this is another variation on the Rowhammer attack that works in conjunction with memory deduplication, a process through which some operating systems free memory slots by finding duplicate entries and merging them together.

In their research called “Flip Feng Shui: Hammering a Needle in the Software Stack,” the researchers detail Rowhammer attacks on Linux cloud servers.

The attack is almost the same as the Edge scenario, only it’s carried out on the memory of a shared Linux-based virtual machines.

The researchers claim an attacker can buy access to cloud servers co-hosted with their victim, and using an FFS Rowhammer attack, they can gain control of the victim’s accounts despite the complete absence of software vulnerabilities.

Because the attacker shares the server with the victim, they can carry out Rowhammer attacks unabated, targeting and creating memory cells selected by the Linux memory deduplication system (KSM). KSM will join these memory cells together, usually into the attacker’s memory slot.

“At this stage, FFS already provides the attacker with templated bit flips over the victim’s physical memory pages with known (or predictable) contents,” the researchers said. “The exploitation surface is only subject to the available templates and their ability to reach interesting locations for the attacker.”

According to the researchers, this is easy. For their paper, they carried out two proof-of-concept attacks that allowed them to contaminate RSA public keys by one bit, which enabled them to establish SSH connections to the victim’s machine, or modify its APT sources and trick the user into installing malicious APT packages.

In their work, the attackers successfully targeted Debian and Ubuntu systems. Both projects are aware of the issues.