flip feng shui hammering a needle in the software stack
play

Flip Feng Shui: Hammering a Needle in the Software Stack Ben Gras - PowerPoint PPT Presentation

Apr 07, 2024 •264 likes •721 views

Flip Feng Shui: Hammering a Needle in the Software Stack Ben Gras Kaveh Razavi Erik Bosman Bart Preneel 1 Cristiano Giuffrida Herbert Bos August 10, 2016 1 Teaser OpenSSH compromise apt-get compromise by GPG signature forgery No

  1. Flip Feng Shui: Hammering a Needle in the Software Stack Ben Gras Kaveh Razavi Erik Bosman Bart Preneel 1 Cristiano Giuffrida Herbert Bos August 10, 2016 1

  2. Teaser ◮ OpenSSH compromise ◮ apt-get compromise by GPG signature forgery ◮ No software bug ◮ Weak assumptions ◮ Demo! 1

  3. Contribution Flip Feng Shui is a novel exploitation structure ◮ Hardware glitch ◮ Memory massaging primitive Makes the glitch ◮ Easy to target precisely ◮ Reliable We demonstrate FFS = Rowhammer + Memory Deduplication 2

  4. Outline Flip Feng Shui At Work 3

  5. Outline Flip Feng Shui At Work Flip Feng Shui Mechanics 4

  6. Outline Flip Feng Shui At Work Flip Feng Shui Mechanics OpenSSH Attack 5

  7. Outline Flip Feng Shui At Work Flip Feng Shui Mechanics OpenSSH Attack GPG/APT Updates Attack Demo 6

  8. Outline Flip Feng Shui At Work Flip Feng Shui Mechanics OpenSSH Attack GPG/APT Updates Attack Demo Notification, Conclusion & Further Resources 7

  9. Section 1 Flip Feng Shui At Work 8

  10. Flip Feng Shui ◮ Flip one bit per page in a co-hosted victim VM ◮ Whenever you know its contents ◮ Organised bitflip ◮ DRAM glitch ◮ Breaks CPU virtualization isolation 9

  11. Section 2 Flip Feng Shui Mechanics 10

  12. Flip Feng Shui Mechanics ◮ Co-hosted VMs ◮ Memory deduplication ◮ Rowhammer ◮ RSA 11

  13. Memory deduplication 12

  14. Memory deduplication 13

  15. Memory deduplication 14

  16. Memory deduplication 15

  17. Memory deduplication 16

  18. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 17

  19. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 18

  20. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 19

  21. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 20

  22. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 21

  23. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 22

  24. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 23

  25. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 24

  26. Rowhammer ◮ Causes charge to leak in DRAM ◮ DRAM row activations cause flips 25

  27. Memory deduplication + Rowhammer = FFS 26

  28. Memory deduplication + Rowhammer = FFS 27

  29. Memory deduplication + Rowhammer = FFS 28

  30. Memory deduplication + Rowhammer = FFS ◮ FFS breaks COW 29

  31. RSA ◮ Public key cryptosystem ◮ Two keys: public and private ◮ Compute secret private from factorization 30

  32. FFS - What now? Break weakened RSA. 1 0.9 Factorization Success Probability 0.8 0.7 0.6 1024-bit Moduli 0.5 2048-bit Moduli 4096-bit Moduli 0.4 0.3 0.2 0.1 0 0 10 20 30 40 50 Available Templates 31

  33. Section 3 OpenSSH Attack 32

  34. authorized keys file Looks like this: ssh -rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDX y7MdVToVAvKB0 /Xven/kqBzfRZm+GITl6sB0u+Aa 3/ UTC3x+eKjB2jf +48 kTP7AvsdbSwg9Q5upN77xX 3 mNGwwj1RUQpOPPc99XH09M84iCydE +9 smYseySf bJQnrov5Ricz2Z18Neuy5ZUH / Ldrf1NSwWoo5NZL 6 tj0E9JvZurMPPk2EqEyHltEFC6OetJwEfaPq9kO glmzFtBWLHR4dF1796JeVkFiWcmMaykAoN +JRF2n MlayPlUxdWR0JwxZ2cJ9la / QLXvv8x0tsORGP9ZG 5 BWqOcD781evuSS3i91BNg6Osl7mlxo6Mc3oUbew /7 ddV08WjdRBn7iQF9WN beng@mymachine ◮ RSA public key ◮ Attacker writes this to memory ◮ We need the private key 33

  35. OpenSSH FFS attack 34

  36. OpenSSH FFS attack 35

  37. OpenSSH FFS attack 36

  38. OpenSSH FFS attack 37

  39. OpenSSH Attack 1 successful attacks 0.8 0.6 CDF 0.4 0.2 0 0 2 4 6 8 10 12 Attack time (mins) ◮ Could retry 38

  40. Section 4 GPG/APT Updates Attack Demo 39

  41. GPG/APT Updates ◮ With FFS we flip /etc/apt/sources.list ◮ With FFS we flip /etc/apt/trusted.gpg ◮ Use computed private key ◮ Long term RSA Ubuntu signing keys 40

  42. Section 5 Notification, Conclusion & Further Resources 41

  43. Notification ◮ Notified: Red Hat, Oracle, Xen, VMware, Debian, Ubuntu, OpenSSH, GnuPG, some hosting companies ◮ Thank you NCSC ◮ GnuPG commit 42

  44. Conclusion ◮ Flip Feng Shui breaks isolation ◮ Co-hosting VMs is risky ◮ Disable memory dedup https://www.vusec.net/projects/flip-feng-shui 43

Recommend

!"#$%&'()% Feng shui is the study of how humans interact with their environment.

!"#$%&'()% Feng shui is the study of how humans interact with their environment.

!"#$%&'()% Feng shui is the study of how humans interact with their environment. The aim is to create environments where the people living and working there can best succeed. Feng shui is based on the idea that people react

535 views • 25 slides
Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe

Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe

Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program control flow to the

592 views • 55 slides
Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat USA 2007

Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat USA 2007

Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat USA 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program control flow to the

870 views • 55 slides
Probing Hydrogen Bond Energies by Mass Spectrometry Hai-Feng Su, Lan Xue,* Yun-Hua Li, Shui-Chao

Probing Hydrogen Bond Energies by Mass Spectrometry Hai-Feng Su, Lan Xue,* Yun-Hua Li, Shui-Chao

Probing Hydrogen Bond Energies by Mass Spectrometry Hai-Feng Su, Lan Xue,* Yun-Hua Li, Shui-Chao Lin, Yi-Mei Wen, Rong-Bin Huang, Su-Yuan Xie,* and Lan-Sun Zheng State Key Laboratory for Physical Chemistry of Solid Surfaces and Department of

700 views • 18 slides
SURGICAL NEEDLES Prepared by: Mana Basirat 0 ANATOMY OF A SURGICAL NEEDLE EYELESS NEEDLE

SURGICAL NEEDLES Prepared by: Mana Basirat 0 ANATOMY OF A SURGICAL NEEDLE EYELESS NEEDLE

SURGICAL NEEDLES Prepared by: Mana Basirat 0 ANATOMY OF A SURGICAL NEEDLE EYELESS NEEDLE Chord Length Needle Point Swage Needle Radius Diameter Flatted Area Needle Length USE OF NEEDLE HOLDERS NEEDLE SHAPES 1 / 4 Circle 3 / 8

128 views • 11 slides
Femtocells: a Poisonous Needle in the Operator's Hay Stack . Ravishankar Borgaonkar, Nico Golde,

Femtocells: a Poisonous Needle in the Operator's Hay Stack . Ravishankar Borgaonkar, Nico Golde,

. Femtocells: a Poisonous Needle in the Operator's Hay Stack . Ravishankar Borgaonkar, Nico Golde, Kvin Redon T echnische Universitt Berlin, Security in T elecommunications femtocell@sec.t-labs.tu-berlin.de Black Hat 2011, Las Vegas,

954 views • 76 slides
Shui On Land Limited (272.HK) 2010 Interim Results 19 August 2010 Member of Shui On Group

Shui On Land Limited (272.HK) 2010 Interim Results 19 August 2010 Member of Shui On Group

Shui On Land Limited (272.HK) 2010 Interim Results 19 August 2010 Member of Shui On Group www.shuionland.com 1 1. Corporate Strategy 2. Financial Highlights and Business Review 3. Three-Year Plan 4. Key Launches in 2H 2010 2 Corporate

563 views • 22 slides
Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack Overflow for Teams Roberta Arcoverde 1 /whois /whois recifense programadora h 15 anos principal software developer na stack overflow

711 views • 52 slides
ss 3 Cl Class CSC 495/583 Topics of Software Security X86 Assembly & Stack & Stack

ss 3 Cl Class CSC 495/583 Topics of Software Security X86 Assembly & Stack & Stack

ss 3 Cl Class CSC 495/583 Topics of Software Security X86 Assembly & Stack & Stack Frame Dr. Si Chen (schen@wcupa.edu) Review Page 2 General-purpose Registers The eight 32-bit general-purpose data registers are used to hold

772 views • 22 slides
Hammering towards Qed Cezary Kaliszyk Josef Urban University of Innsbruck Radboud University

Hammering towards Qed Cezary Kaliszyk Josef Urban University of Innsbruck Radboud University

Hammering towards Qed Cezary Kaliszyk Josef Urban University of Innsbruck Radboud University July 18, 2014 1 / 21 Outline Automation for Interactive Proof Translations Evaluation Machine Learning Reconstruction Towards Qed Strength

628 views • 29 slides
The Swiss Needle Cast Story Swiss Needle Cast Caused by Nothophaeocryptopus gaeumannii

The Swiss Needle Cast Story Swiss Needle Cast Caused by Nothophaeocryptopus gaeumannii

The Swiss Needle Cast Story Swiss Needle Cast Caused by Nothophaeocryptopus gaeumannii Native to North America Specific to Douglas-fir ( Pseudotsuga menziesii) Common everywhere DF grows, yet disease develops only in certain

558 views • 29 slides
The Kakeya needle problem for rectifiable sets with Alan Chang The Kakeya needle problem

The Kakeya needle problem for rectifiable sets with Alan Chang The Kakeya needle problem

The Kakeya needle problem for rectifiable sets with Alan Chang The Kakeya needle problem (geometric version) E R 2 has the Kakeya property if it can be moved continuously between two different positions covering arbitrary small area. E R

535 views • 49 slides
Needle and Syringe Provision Waste Service Definition Needle and Syringe Provision waste

Needle and Syringe Provision Waste Service Definition Needle and Syringe Provision waste

Needle and Syringe Provision Waste Service Definition Needle and Syringe Provision waste consists of waste arising from healthcare activities that could pose a risk to public health or the environment unless properly disposed of.

76 views • 6 slides
Design and Implementation of an object- oriented, secure TCP/IP Stack Hannes Mehnert, Andreas

Design and Implementation of an object- oriented, secure TCP/IP Stack Hannes Mehnert, Andreas

Design and Implementation of an object- oriented, secure TCP/IP Stack Hannes Mehnert, Andreas Bogk 23c3 27. December 2006 Overview Common software vulnerabilities Dylan Architecture of IP-Stack CVE sorted by bug class Software

447 views • 44 slides
Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping etc. Implementations of stacks using array linked list The Stack ADT A stack is a list with the restriction that insertions and

566 views • 44 slides
needle procedural pain Dr Evelyn Chan Needle pain is common and undermanaged Needles

needle procedural pain Dr Evelyn Chan Needle pain is common and undermanaged Needles

Virtual reality for paediatric needle procedural pain Dr Evelyn Chan Needle pain is common and undermanaged Needles Common 1 Most feared 1,2 Control of pain and anxiety crucial for successful procedures 3 Suboptimally

1.15k views • 26 slides
NEEDLE for Java EE Need(le)(for(Speed((Effec<ve(Unit(Tes<ng(for(Java(EE( (

NEEDLE for Java EE Need(le)(for(Speed((Effec<ve(Unit(Tes<ng(for(Java(EE( (

NEEDLE for Java EE Need(le)(for(Speed((Effec<ve(Unit(Tes<ng(for(Java(EE( ( Heinz(Wilming,(akquinet(AG( Version(2.0( h-p://needle.spree.de/( Mo<va<on( Why$do$we$Test?$ ! Confidence ! Cost(Reduc<on( ! Be-er(Design( !

240 views • 22 slides
Atomic page flip and mode setting Hardware structure and abstraction Atomic page flip The

Atomic page flip and mode setting Hardware structure and abstraction Atomic page flip The

Atomic page flip and mode setting Hardware structure and abstraction Atomic page flip The hardware will compose the final image from two layers. Atomic page flip Animating the scene Atomic page flip There are problems with

620 views • 18 slides
Bob Martinez & Eddie Tchertchian Pierce College FTLA 2018 Do A Flip! How to set up and run

Bob Martinez & Eddie Tchertchian Pierce College FTLA 2018 Do A Flip! How to set up and run

Bob Martinez & Eddie Tchertchian Pierce College FTLA 2018 Do A Flip! How to set up and run a Flip Math class Guiding principle: Your flip must be ridiculously organized (or it will not work) Follow the sections youll be using in

795 views • 45 slides
Threading the Needle: Threading the Needle: NHs Journey to Establish NHs Journey to

Threading the Needle: Threading the Needle: NHs Journey to Establish NHs Journey to

Threading the Needle: Threading the Needle: NHs Journey to Establish NHs Journey to Establish Syringe Service Program Law Syringe Service Program Law Lindsay J. Pierce, M.Ed. Chief, Infectious Disease Prevention, Investigation and Care

328 views • 11 slides
TCG TPM2 Software Stack & Embedded Linux Philip Tricca philip.b.tricca@intel.com Agenda

TCG TPM2 Software Stack & Embedded Linux Philip Tricca philip.b.tricca@intel.com Agenda

TCG TPM2 Software Stack & Embedded Linux Philip Tricca philip.b.tricca@intel.com Agenda Background Security basics Terms TPM basics What it is / what it does Why this matters / specific features TPM Software Stack

480 views • 26 slides
The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer science. The stack is an abstract data type that has two main operations. These are push which adds an element to the top of the stack and pop which

754 views • 8 slides
A. Job Title: Junior Full Stack Developer The Junior Full Stack Developer will be advised by the

A. Job Title: Junior Full Stack Developer The Junior Full Stack Developer will be advised by the

Job Description - Jr. Full Stack Developer 7/23/2020 A. Job Title: Junior Full Stack Developer The Junior Full Stack Developer will be advised by the Full Stack Developer - a professional who works on both client-side and server-side software

525 views • 4 slides
Microservices reativos usando a stack do Netfmix na AWS Diego Pacheco Principal Software

Microservices reativos usando a stack do Netfmix na AWS Diego Pacheco Principal Software

Microservices reativos usando a stack do Netfmix na AWS Diego Pacheco Principal Software Architect at ilegra.com @diego_pacheco www.ilegra.com NetfmixOSS Stack Why Netfmix? Netfmix My Problem Billions Requests Per Day Social

607 views • 58 slides

More recommend