Flip Feng Shui: Perturbation attacks made it to VMs

I’ve been reading up on the Flip Feng Shui: Hammering a Needle in the Software Stack paper, and I’m enjoying that the common smart card attack considerations are coming to more mainstream software considerations.

From the paper:

We describe Flip Feng Shui (FFS), a new exploitation vector that allows an attacker to induce bit flips over arbitrary physical memory in a fully controlled way. FFS relies on two underlying primitives: (i) the ability to induce bit flips in controlled (but not predetermined) physical memory pages; (ii) the ability to control the physical memory layout to reverse-map a target physical page into a virtual memory address un- der attacker control.

This first item we call “perturbation attacks” in smartcard domain. We do those attacks all the time, by giving our poor smartcards power spikes it really shouldn’t be exposed to, prodding it with probing needles too small for the human eye, shooting it with freaking lasers, … you know: standard Monday morning stuff in the office*.

Because we’ve been doing this for ±20 years now in this domain, it takes a while for me to understand a statement like the following is not a joke:

existing cryptographic software is wholly unequipped to counter it, given that “bit flipping is not part of their threat model”.

Because in my world, bit flips are a given, considering that there is an attacker playing with the smartcard. Monday morning remember?

So how does this attack work?

The attack (mis)uses memory de-duplication, i.e. a feature in the host hypervisor that sees that the page of memory of one VM is identical to another one VM’s. When this is enabled, the host hypervisor then maps both these pages to the same page (to reduce actual used physical memory by 40-70%!). If the attacker was the one who created that page originally, he now owns the actual physical page. As long as the host software thinks this page’s content has not changed, the victim VM will read the attacker’s physical page.

So the attacker then does a Rowhammer attack to cause a bit to flip in the part of “his” page. As Rowhammer is a physical side-effect that ‘should not happen’, the host hypervisor does not see the page as changed, even though it is. So now the attacker has just caused a bit flip in his own and, more importantly, this victim’s memory.

Flipping a bit in say a RSA public key allows the attacker to factor that modified key, and generate the appropriate secret key to match. If the attacker does this with the RSA key say used to authenticate root access for SSH, or the signature key for package updates of Linux, he now has full control over that machine.

Neat! (In smartcard world we usually attack the secret key, because of how the protocols are used.)

Theory or practice?

Now, to successfully pull off this attack, several things have to be possible for the attacker:

  • predicting the memory content (this excludes attacks on confidential information such as secret keys),
  • memory de-duplication must be active (so disabling that, or setting it to “only zero pages”, seems prudent),
  • the attacker must be running his VM on the same physical machine as the victim’s VM (I don’t know if this is a realistic scenario. More on it below)
  • the memory must be sensitive to something like Rowhammer (so ECC memory is yet again a good idea, it will reduce the chances of this significantly)

Realistic to be the neighbour of your victim VM?

This attack depends on being able to run the attack VM on the same hardware as the victim VM. I have no well-founded grounds to guess if this is a realistic assumption.

I can think of the following situations where that is possible:

  • The pool of actual hardware is pretty small compared to the amount of VMs, because the hardware is very beefy or the VMs are small.
  • The amount of instances of the victim VMs is pretty big, because it is a standard VM replicated many, many times. I think about situations like massively parallel computing or streaming (Netflix?).
  • Or the targeted page is very common, and here I’m thinking of the signature files for updates for example, or company wide backup root accounts.

My conclusion: stay calm and …

Considering all the complexity of this attack, I don’t see it worm all over the Internet soon. It is however a cool warning that attack can and do cross over from these various fields.

I wonder when they’ll realise they can also apply this attack to modify the running code of say the password check routine

NSA Equation Group’s exploits for sale?

There is a persistent and fairly believable rumor going around that a significant amount of the NSA exploits are for sale. To convince potential buyers that they have the goods, the sellers have apparently dumped a ±250MB package of 3-year old exploits and implants for firewalls.
Looking at the descriptions Mustafa Al-Bassam extracted from the dump, it seems plausible that at least these firewall exploits are from a government outfit like the NSA or GCHQ based on the terminology and the typical codenames like “WOBBLYLLAMA”, and the kind of firewalls targeted.

Regardless whether this is the real deal (and whether more than just these firewall exploits are up for grabs), this, in my view highlights the main problems with seeing offensive hacking as as the best defence:

  • Backdoors and exploits are often single-use: using them as attacker is risky, as your target may be recording network traffic and recover the attack. This was also explicitly mentioned by Rob Joyce, the head of the NSA’s Tailored Access Operations (TAO) group, i.e. the NSA hackers whose toys are apparently now for sale. Or mishandling a spearfish and lose your nation state quality three 0-days on iOS to Apple, an expensive mistake as a full weaponised remote rooting of iOS is easily $100.000+ value.
    As an aside, their 2007 hardware toy catalogue leaked some time ago, a fun read for people like me.
  • Amusingly, the NSA actually does this eavesdropping to get other organizations’ offensive hacking tools. There are some convincing theories that this ‘leaked exploits sale’ is actually one of the other organisations (China and Russia have been mentioned) getting back at them.
  • Somewhere in these offensive organizations there is a weapons cache of these exploits, and it just takes is one disgruntled employee with access to it and the desire to leak it. After all, it is these hackers’ full-time job and passion to break in and out of highly secure environments, and they have all the tools for this. (This is the most likely explanation).
  • Once the attacks are out, others can also use it against you! The NSA has the story that “NObody But US” (NOBUS) can exploit these things, and use that as an argument not to inform the American companies whose products are at risk in this way. So now, Cisco (and other) firewall vendors are scrambling to make a bug fix (which takes a few days to weeks), and actually may impact other products too.
    Then the users of these firewalls have to actually deploy the bug fix (which they’ll be reluctant to do for reliability reasons, if the users even know that the bug fix exists, taking another few days to many months), and all the while savvy and assertive attackers can hack these firewalls at their leisure.

I still have this naive hope that these blowups will change policy for these organizations to lean to the defensive more. Realistically though, they’ll double down: both hide their exploit development better and come down even harder on leakers and whistleblowers.

And of course thus continues the arms race, making us all less secure in the long term for a short term gain. Sigh.

Your friendly professionally paranoid,


P.S. this may of course just be a disinformation campaign or a fundraiser. One never knows… (until ±30-50 years later when the documents get declassified)

Voynich manuscript reproduction coming

Oh, in the world of infinite resources, I definitely lust for this, for the sheer having as a token of cryptography run rampant: The Voynich manuscript is going to be reproduced at a staggering $10,000 price tag.
Much more reasonably priced reprints are available via Yale books or Amazon, and the scans are available for free.

The Voynich manuscript has been intriguing cryptoanalysists for ages, with its cryptic almost-sensible texts, pictures of not-quite-real plants and animals. There are interesting attempts claiming to have partially decoded it here and here.

I, for one, think XKCD still has the best explanation of the origins of this intriguing manuscript:


XKCD's take on the Voynich manuscript

iPhone reset

I just had my iPhone 6s refusing to respond (black screen, no reaction on any of the individual buttons). Slight stress peak, as a working phone is pretty important to me 😉

The solution was to hold the home button (the round button on the front bottom) and the power button (right upper side button) at the same time for about 10 seconds (just wait until the phone shows the Apple logo).

The iPhone then reboots, asks for your passphrase and runs as usual. Interestingly, it apparently keeps the SIM card powered, as I did not need to enter the PIN for the SIM card.

Reference: Apple’s article on this.