flip feng shui hammering a needle in the software stack
play

Flip Feng Shui: Hammering a Needle in the Software Stack Ben Gras - PowerPoint PPT Presentation

Apr 07, 2024 •264 likes •721 views

Flip Feng Shui: Hammering a Needle in the Software Stack Ben Gras Kaveh Razavi Erik Bosman Bart Preneel 1 Cristiano Giuffrida Herbert Bos August 10, 2016 1 Teaser OpenSSH compromise apt-get compromise by GPG signature forgery No

  1. Flip Feng Shui: Hammering a Needle in the Software Stack Ben Gras Kaveh Razavi Erik Bosman Bart Preneel 1 Cristiano Giuffrida Herbert Bos August 10, 2016 1

  2. Teaser ◮ OpenSSH compromise ◮ apt-get compromise by GPG signature forgery ◮ No software bug ◮ Weak assumptions ◮ Demo! 1

  3. Contribution Flip Feng Shui is a novel exploitation structure ◮ Hardware glitch ◮ Memory massaging primitive Makes the glitch ◮ Easy to target precisely ◮ Reliable We demonstrate FFS = Rowhammer + Memory Deduplication 2

  4. Outline Flip Feng Shui At Work 3

  5. Outline Flip Feng Shui At Work Flip Feng Shui Mechanics 4

  6. Outline Flip Feng Shui At Work Flip Feng Shui Mechanics OpenSSH Attack 5

  7. Outline Flip Feng Shui At Work Flip Feng Shui Mechanics OpenSSH Attack GPG/APT Updates Attack Demo 6

  8. Outline Flip Feng Shui At Work Flip Feng Shui Mechanics OpenSSH Attack GPG/APT Updates Attack Demo Notification, Conclusion & Further Resources 7

  9. Section 1 Flip Feng Shui At Work 8

  10. Flip Feng Shui ◮ Flip one bit per page in a co-hosted victim VM ◮ Whenever you know its contents ◮ Organised bitflip ◮ DRAM glitch ◮ Breaks CPU virtualization isolation 9

  11. Section 2 Flip Feng Shui Mechanics 10

  12. Flip Feng Shui Mechanics ◮ Co-hosted VMs ◮ Memory deduplication ◮ Rowhammer ◮ RSA 11

  13. Memory deduplication 12

  14. Memory deduplication 13

  15. Memory deduplication 14

  16. Memory deduplication 15

  17. Memory deduplication 16

  18. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 17

  19. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 18

  20. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 19

  21. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 20

  22. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 21

  23. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 22

  24. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 23

  25. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 24

  26. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 25

  27. Memory deduplication + Rowhammer = FFS 26

  28. Memory deduplication + Rowhammer = FFS 27

  29. Memory deduplication + Rowhammer = FFS 28

  30. Memory deduplication + Rowhammer = FFS ◮ FFS breaks COW 29

  31. RSA ◮ Public key cryptosystem ◮ Two keys: public and private ◮ Compute secret private from factorization 30

  32. FFS - What now? Break weakened RSA. 1 0.9 Factorization Success Probability 0.8 0.7 0.6 1024-bit Moduli 0.5 2048-bit Moduli 4096-bit Moduli 0.4 0.3 0.2 0.1 0 0 10 20 30 40 50 Available Templates 31

  33. Section 3 OpenSSH Attack 32

  34. authorized keys file Looks like this: ssh -rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDX y7MdVToVAvKB0 /Xven/kqBzfRZm+GITl6sB0u+Aa 3/ UTC3x+eKjB2jf +48 kTP7AvsdbSwg9Q5upN77xX 3 mNGwwj1RUQpOPPc99XH09M84iCydE +9 smYseySf bJQnrov5Ricz2Z18Neuy5ZUH / Ldrf1NSwWoo5NZL 6 tj0E9JvZurMPPk2EqEyHltEFC6OetJwEfaPq9kO glmzFtBWLHR4dF1796JeVkFiWcmMaykAoN +JRF2n MlayPlUxdWR0JwxZ2cJ9la / QLXvv8x0tsORGP9ZG 5 BWqOcD781evuSS3i91BNg6Osl7mlxo6Mc3oUbew /7 ddV08WjdRBn7iQF9WN beng@mymachine ◮ RSA public key ◮ Attacker writes this to memory ◮ We need the private key 33

  35. OpenSSH FFS attack 34

  36. OpenSSH FFS attack 35

  37. OpenSSH FFS attack 36

  38. OpenSSH FFS attack 37

  39. OpenSSH Attack 1 successful attacks 0.8 0.6 CDF 0.4 0.2 0 0 2 4 6 8 10 12 Attack time (mins) ◮ Could retry 38

  40. Section 4 GPG/APT Updates Attack Demo 39

  41. GPG/APT Updates ◮ With FFS we flip /etc/apt/sources.list ◮ With FFS we flip /etc/apt/trusted.gpg ◮ Use computed private key ◮ Long term RSA Ubuntu signing keys 40

  42. Section 5 Notification, Conclusion & Further Resources 41

  43. Notification ◮ Notified: Red Hat, Oracle, Xen, VMware, Debian, Ubuntu, OpenSSH, GnuPG, some hosting companies ◮ Thank you NCSC ◮ GnuPG commit 42

  44. Conclusion ◮ Flip Feng Shui breaks isolation ◮ Co-hosting VMs is risky ◮ Disable memory dedup https://www.vusec.net/projects/flip-feng-shui 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

!"#$%&'()% Feng shui is the study of how humans interact with their environment.

!"#$%&'()% Feng shui is the study of how humans interact with their environment.

!"#$%&'()% Feng shui is the study of how humans interact with their environment. The aim is to create environments where the people living and working there can best succeed. Feng shui is based on the idea that people react

535 views • 25 slides
Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe

Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe

Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program control flow to the

592 views • 55 slides
Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat USA 2007

Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat USA 2007

Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat USA 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program control flow to the

870 views • 55 slides
Probing Hydrogen Bond Energies by Mass Spectrometry Hai-Feng Su, Lan Xue,* Yun-Hua Li, Shui-Chao

Probing Hydrogen Bond Energies by Mass Spectrometry Hai-Feng Su, Lan Xue,* Yun-Hua Li, Shui-Chao

Probing Hydrogen Bond Energies by Mass Spectrometry Hai-Feng Su, Lan Xue,* Yun-Hua Li, Shui-Chao Lin, Yi-Mei Wen, Rong-Bin Huang, Su-Yuan Xie,* and Lan-Sun Zheng State Key Laboratory for Physical Chemistry of Solid Surfaces and Department of

700 views • 18 slides
SURGICAL NEEDLES Prepared by: Mana Basirat 0 ANATOMY OF A SURGICAL NEEDLE EYELESS NEEDLE

SURGICAL NEEDLES Prepared by: Mana Basirat 0 ANATOMY OF A SURGICAL NEEDLE EYELESS NEEDLE

SURGICAL NEEDLES Prepared by: Mana Basirat 0 ANATOMY OF A SURGICAL NEEDLE EYELESS NEEDLE Chord Length Needle Point Swage Needle Radius Diameter Flatted Area Needle Length USE OF NEEDLE HOLDERS NEEDLE SHAPES 1 / 4 Circle 3 / 8

128 views • 11 slides
Femtocells: a Poisonous Needle in the Operator's Hay Stack . Ravishankar Borgaonkar, Nico Golde,

Femtocells: a Poisonous Needle in the Operator's Hay Stack . Ravishankar Borgaonkar, Nico Golde,

. Femtocells: a Poisonous Needle in the Operator's Hay Stack . Ravishankar Borgaonkar, Nico Golde, Kvin Redon T echnische Universitt Berlin, Security in T elecommunications femtocell@sec.t-labs.tu-berlin.de Black Hat 2011, Las Vegas,

954 views • 76 slides
Shui On Land Limited (272.HK) 2010 Interim Results 19 August 2010 Member of Shui On Group

Shui On Land Limited (272.HK) 2010 Interim Results 19 August 2010 Member of Shui On Group

Shui On Land Limited (272.HK) 2010 Interim Results 19 August 2010 Member of Shui On Group www.shuionland.com 1 1. Corporate Strategy 2. Financial Highlights and Business Review 3. Three-Year Plan 4. Key Launches in 2H 2010 2 Corporate

563 views • 22 slides
Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack Overflow for Teams Roberta Arcoverde 1 /whois /whois recifense programadora h 15 anos principal software developer na stack overflow

711 views • 52 slides
ss 3 Cl Class CSC 495/583 Topics of Software Security X86 Assembly & Stack & Stack

ss 3 Cl Class CSC 495/583 Topics of Software Security X86 Assembly & Stack & Stack

ss 3 Cl Class CSC 495/583 Topics of Software Security X86 Assembly & Stack & Stack Frame Dr. Si Chen (schen@wcupa.edu) Review Page 2 General-purpose Registers The eight 32-bit general-purpose data registers are used to hold

772 views • 22 slides
Hammering towards Qed Cezary Kaliszyk Josef Urban University of Innsbruck Radboud University

Hammering towards Qed Cezary Kaliszyk Josef Urban University of Innsbruck Radboud University

Hammering towards Qed Cezary Kaliszyk Josef Urban University of Innsbruck Radboud University July 18, 2014 1 / 21 Outline Automation for Interactive Proof Translations Evaluation Machine Learning Reconstruction Towards Qed Strength

628 views • 29 slides
The Swiss Needle Cast Story Swiss Needle Cast Caused by Nothophaeocryptopus gaeumannii

The Swiss Needle Cast Story Swiss Needle Cast Caused by Nothophaeocryptopus gaeumannii

The Swiss Needle Cast Story Swiss Needle Cast Caused by Nothophaeocryptopus gaeumannii Native to North America Specific to Douglas-fir ( Pseudotsuga menziesii) Common everywhere DF grows, yet disease develops only in certain

558 views • 29 slides
The Kakeya needle problem for rectifiable sets with Alan Chang The Kakeya needle problem

The Kakeya needle problem for rectifiable sets with Alan Chang The Kakeya needle problem

The Kakeya needle problem for rectifiable sets with Alan Chang The Kakeya needle problem (geometric version) E R 2 has the Kakeya property if it can be moved continuously between two different positions covering arbitrary small area. E R

535 views • 49 slides
Needle and Syringe Provision Waste Service Definition Needle and Syringe Provision waste

Needle and Syringe Provision Waste Service Definition Needle and Syringe Provision waste

Needle and Syringe Provision Waste Service Definition Needle and Syringe Provision waste consists of waste arising from healthcare activities that could pose a risk to public health or the environment unless properly disposed of.

76 views • 6 slides
Design and Implementation of an object- oriented, secure TCP/IP Stack Hannes Mehnert, Andreas

Design and Implementation of an object- oriented, secure TCP/IP Stack Hannes Mehnert, Andreas

Design and Implementation of an object- oriented, secure TCP/IP Stack Hannes Mehnert, Andreas Bogk 23c3 27. December 2006 Overview Common software vulnerabilities Dylan Architecture of IP-Stack CVE sorted by bug class Software

447 views • 44 slides
Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping etc. Implementations of stacks using array linked list The Stack ADT A stack is a list with the restriction that insertions and

566 views • 44 slides
needle procedural pain Dr Evelyn Chan Needle pain is common and undermanaged Needles

needle procedural pain Dr Evelyn Chan Needle pain is common and undermanaged Needles

Virtual reality for paediatric needle procedural pain Dr Evelyn Chan Needle pain is common and undermanaged Needles Common 1 Most feared 1,2 Control of pain and anxiety crucial for successful procedures 3 Suboptimally

1.15k views • 26 slides
height adjustable tables LED lighting white boards room and work surface dividers benching

height adjustable tables LED lighting white boards room and work surface dividers benching

height adjustable tables LED lighting white boards room and work surface dividers benching systems monitor arms conferencing CPU holders keyboarding systems power solutions fixed and flip-top tables cafe & occasional tables Clarity

566 views • 14 slides
EARNOUT PROVISIONS Bridging the Valuation Gap April 28, 2014 Erik A. Lopez AGENDA Earnout

EARNOUT PROVISIONS Bridging the Valuation Gap April 28, 2014 Erik A. Lopez AGENDA Earnout

EARNOUT PROVISIONS Bridging the Valuation Gap April 28, 2014 Erik A. Lopez AGENDA Earnout Provisions I. Introduction II. Determining Whether to Use an Earnout III. How to Measure Performance IV. Payment of the Earnout V. Control Over

692 views • 28 slides
City Presentation COMPETITION One handout and small mock-ups All items in this Students

City Presentation COMPETITION One handout and small mock-ups All items in this Students

70 POINTS DELIVERABLE #5: DUE: DAY OF REGIONAL City Presentation COMPETITION One handout and small mock-ups All items in this Students give a 7-minute presentation discussing features category must collectively fit within a 6 x 6

229 views • 6 slides
Wind Project Financing Structures: A Review & Comparative Analysis ~ Report Summary

Wind Project Financing Structures: A Review & Comparative Analysis ~ Report Summary

Wind Project Financing Structures: A Review & Comparative Analysis ~ Report Summary Presentation ~ John Harper (Birch Tree Capital, LLC) Matt Karcher (Deacon Harbor Financial, L.P.) Mark Bolinger (Lawrence Berkeley National Laboratory)

202 views • 18 slides
Bob Martinez & Eddie Tchertchian Pierce College FTLA 2018 Do A Flip! How to set up and run

Bob Martinez & Eddie Tchertchian Pierce College FTLA 2018 Do A Flip! How to set up and run

Bob Martinez & Eddie Tchertchian Pierce College FTLA 2018 Do A Flip! How to set up and run a Flip Math class Guiding principle: Your flip must be ridiculously organized (or it will not work) Follow the sections youll be using in

795 views • 45 slides
MODELING SINGLE FAMILY INVESTOR BEHAVIOR: LAS VEGAS AND DETROIT ALAN M ALLACH , V I SI T I N G

MODELING SINGLE FAMILY INVESTOR BEHAVIOR: LAS VEGAS AND DETROIT ALAN M ALLACH , V I SI T I N G

MODELING SINGLE FAMILY INVESTOR BEHAVIOR: LAS VEGAS AND DETROIT ALAN M ALLACH , V I SI T I N G SCH OLAR DEPART M EN T OF COM M U N I T Y DEV ELOPM EN T ST U DI ES AN D EDU CAT I ON FEDERAL RESERV E BAN K OF PH I LADELPH I A INVESTOR

285 views • 12 slides
GoBabyGo Ali Mohammad Hakem Almutairi Abdulla Almutairi Ali Albaloushi Project Mentor:

GoBabyGo Ali Mohammad Hakem Almutairi Abdulla Almutairi Ali Albaloushi Project Mentor:

GoBabyGo Ali Mohammad Hakem Almutairi Abdulla Almutairi Ali Albaloushi Project Mentor: Ashwija Korenda 1 Overview: Introduction. Why this project was pursued and completed? Our clients and why it matters to them What

635 views • 24 slides
The Real Estate Housing Bubble Kevin Coughlin Jacob Finglass Dan Parsons Brunnermeier (2009)

The Real Estate Housing Bubble Kevin Coughlin Jacob Finglass Dan Parsons Brunnermeier (2009)

The Real Estate Housing Bubble Kevin Coughlin Jacob Finglass Dan Parsons Brunnermeier (2009) Deciphering the Liquidity and Credit Crunch 20072008 Part 1: The Originate and Distribute Model Part 2: Series of Events

1.02k views • 64 slides

More recommend