New cloud attack takes full control of virtual machines with little effort

Existing crypto software “wholly unequipped” to counter Rowhammer attacks. The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It’s a technique that’s so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment.

Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened. While previous research demonstrated that it could be used to elevate user privileges and break security sandboxes, most people studying Rowhammer said there was little immediate danger of it being exploited maliciously to hijack the security of computers that use vulnerable chips. The odds of crucial data being stored in a susceptible memory location made such hacks largely a matter of chance that was stacked against the attacker. In effect, Rowhammer was more a glitch than an exploit.

Now, computer scientists have developed a significantly more refined Rowhammer technique they call Flip Feng Shui. It manipulates deduplication operations that many cloud hosts use to save memory resources by sharing identical chunks of data used by two or more virtual machines. Just as traditional Feng Shui aims to create alignment or harmony in a home or office, Flip Feng Shui can massage physical memory in a way that causes crypto keys and other sensitive data to be stored in locations known to be susceptible to Rowhammer.

“Surprisingly practical and effective”

“Prior work has demonstrated that co-hosted VMs can spy on each other to a certain extent (e.g. cryptographic keys can be leaked), but this attack is fundamentally more damaging and the first of its kind,” Ben Gras, one of the Vrije Universiteit Amsterdam researchers who devised the technique, told Ars. “We can reliably corrupt the memory of a target VM in a highly precise and controlled way. Scientifically, this is our contribution—we show for the first time it is possible to effect this seemingly random corruption on data anywhere in the software stack in a highly precise and controlled way.”

The research team, which also included a member from Belgium’s Katholieke Universiteit Leuven, went on to show how an attacker VM can use Flip Feng Shui to compromise RSA cryptography keys stored on another VM hosted in the same cloud environment. In one experiment, the attacker VM compromised the key used to authenticate secure shell access, a feat that allowed the VM to gain unauthorized access to the target. In a separate experiment, the attacker VM compromised the GPG key used by developers of the Ubuntu operating system to verify the authenticity of updates. With the compromised GPG key, the attacker VM was able to force the target to download and install a malicious update.

The key compromises work by obtaining the target’s public key in advance, a requirement that’s generally not a problem because public keys don’t reveal the secrets contained in their corresponding private key. The attacker VM then uses what the researchers call Deduplication Flip Feng Shui to induce a bit flip in a specific part of the public key. The flip, in turn, creates a new public key that’s weak enough to be factored so that attackers can derive the corresponding private key. In other words, the Rowhammer attack tricks the target VM into accepting a new public key. And because the attackers know the corresponding private key, they gain unauthorized SSH access and can sign malicious Ubuntu updates.

“We find that, while [Deduplication Flip Feng Shui] is surprisingly practical and effective, existing cryptographic software is wholly unequipped to counter it, given that ‘bit flipping is not part of their threat model,'” the researchers wrote in a recently published research paper titled “Flip Feng Shui: Hammering a Needle in the Software Stack.”

“Our end-to-end attacks completely compromise widespread cryptographic primitives, allowing an attacker to gain full control over the victim VM,” the researchers wrote.

The experiment attempted the bit flipping hack only against RSA keys, but Gras, the Vrije Universiteit Amsterdam researcher, said he expects it to work against keys or parameters based in the Digital Signature Algorithm, Diffie-Hellman, Elliptic Curve Cryptography, and Elliptic Curve Diffie-Hellman crypto systems as well. Such exploits would allow attackers not only to gain unauthorized access but also to eavesdrop on legitimate sessions. Flip Feng Shui was first presented three weeks ago at the 25th Usenix Security Symposium and will be featured again in November at the Black Hat security conference in London.

For the attacks to work, the cloud hosting the VMs must have deduplication enabled so that physical pages are shared between customers. The researchers relied on deduplication features available in the kernel-based Virtual Machine andKernel SamePage Merging functions that are included in Linux, but the researchers believe the technique will work on other operating systems that also provide deduplication. And of course, the memory chips used by the host must be vulnerable to Rowhammer attacks, a requirement that’s met by 110 out of 129 DDR3 models and eight out of 12 DDR4 varieties tested. Lastly, the prototype attack relied on a Linux setting known as transparent huge pages to make the attack simpler and faster, but the researchers said it would work even if the setting wasn’t enabled.The researchers have laid out a variety of hardware and software approaches that can help defend against Flip Feng Shui attacks. The hardware solutions included subjecting DRAM chips to extensive Rowhammer testing, relying on memory with error-correcting codes, and exploring a newer protection known as directed row refresh that’s implemented in certain types of DDR4 chips. Software mitigations include disabling memory deduplication. Beyond that, developers and engineers should consider taking additional precautions, such as checking security-sensitive information for integrity immediately before it’s used to make sure it hasn’t been subjected to bit flips. The research paper lays out the defenses in much greater detail.

“Our attacks allow an attacker to completely compromise co-hosted cloud VMs with relatively little effort,” the researchers warn at the conclusion of their paper. “Even more worryingly, we believe Flip Feng Shui can be used in several more forms and applications pervasively in the software stack, urging the systems security community to devote immediate attention to this emerging threat.”

Source:https://arstechnica.com/

Alisa Esage G

Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.

New cloud attack takes full control of virtual machines with little effort

The 11 Essential Falco Cloud Security Rules for Securing Containerized Applications at No Cost

Hack-Proof Your Cloud: The Step-by-Step Continuous Threat Exposure Management CTEM Strategy for AWS & AZURE

Web-Based PLC Malware: A New Technique to Hack Industrial Control Systems

The API Security Checklist: 10 strategies to keep API integrations secure

11 ways of hacking into ChatGpt like Generative AI systems

How to send spoof emails from domains that have SPF and DKIM protections?

Silent Email Attack CVE-2023-35628 : How to Hack Without an Email Click in Outlook

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

TunnelCrack: Two serious vulnerabilities in VPNs discovered, had been dormant since 1996

How to easily hack TP-Link Archer AX21 Wi-Fi router

US Govt wants new label on secure IoT devices or wants to discourage use of Chinese IoT gadgets

24,649,096,027 (24.65 billion) account usernames and passwords have been leaked by cyber criminals till now in 2022

How Chinese APT hackers stole Lockheed Martin F-35 fighter plane to develop its own J-20 stealth fighter aircraft [VIDEO]

Hacking with MagicDots: Exploiting Dots & Spaces in Filenames/Pathnames for Permanent Admin Rights

Compromising Cryptographic Key Security Through PuTTY: A Deep Dive into CVE-2024-31497

How to hack a LG Smart TV via vulnerabilities in LG WebOS?

How to Check if a Linux Distribution is Compromised by the XZ Utils Backdoor in 6 Steps

CVE-2023-5528: Kubernetes Flaw Jeopardizing Windows Node That Can’t Be Ignored

The 11 Essential Falco Cloud Security Rules for Securing Containerized Applications at No Cost

Hack-Proof Your Cloud: The Step-by-Step Continuous Threat Exposure Management CTEM Strategy for AWS & AZURE

Web-Based PLC Malware: A New Technique to Hack Industrial Control Systems

The API Security Checklist: 10 strategies to keep API integrations secure

11 ways of hacking into ChatGpt like Generative AI systems

How to send spoof emails from domains that have SPF and DKIM protections?

Silent Email Attack CVE-2023-35628 : How to Hack Without an Email Click in Outlook

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

Is Your etcd an Open Door for Cyber Attacks? How to Secure Your Kubernetes Clusters & Nodes

CVSS 4.0 Explained: From Complexity to Clarity in Vulnerability Assessment

Major Python Infrastructure Breach – Over 170K Users Compromised. How Safe Is Your Code?

How to exploit Windows Defender Antivirus to infect a device with malware

Inside the Scam: How Ransomware Gangs Fool You with Data Deletion Lies!

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

How hrserver.dll stealthy webshell can mimic Google’s Web Traffic to hide and compromise networks

Cyber Security Channel

US Govt wants new label on secure IoT devices or wants to discourage use of Chinese IoT gadgets

24,649,096,027 (24.65 billion) account usernames and passwords have been leaked by cyber criminals till now in 2022

How Chinese APT hackers stole Lockheed Martin F-35 fighter plane to develop its own J-20 stealth fighter aircraft [VIDEO]