MESSAGE
DATE: 2015-03-11
FROM: Elfen Magix
SUBJECT: Re: [NYLXS - HANGOUT] DRAM exploit
From: Elfen Magix
To: hangout-at-nylxs.com
Subject: Re: [NYLXS - HANGOUT] DRAM exploit
Date: Wed, 11 Mar 2015 17:26:05 -0700
Message-ID: <1426119965.72514.YahooMailBasic-at-web121205.mail.ne1.yahoo.com>
In-Reply-To: <20150311204214.GA24082-at-panix.com>
Content-Type: text/plain; charset=utf-8
List-Id: NYLXS General Discussion Forum
Peeking and poking into memory to change system values and open up files and programs. I have not done that since the 80s on my Commodore, Atari and Apple systems!

~Fernando
-------------------------------------------- On Wed, 3/11/15, Ruben Safir wrote:
Subject: [NYLXS - HANGOUT] DRAM exploit
To: hangout-at-nylxs.com
Date: Wednesday, March 11, 2015, 4:42 PM

check this out

http://arstechnica.com/security/2015/03/cutting-edge-hack-gives-super-user-status-by-exploiting-dram-weakness/

Cutting-edge hack gives super user status by exploiting DRAM weakness
"Rowhammer" attack goes where few exploits have gone before, into silicon itself.

by Dan Goodin - Mar 10, 2015 3:01 am UTC

[Photo: DDR3 DIMMs like this one are susceptible to a hack known as "rowhammering," which alters the contents stored in computer memory. Credit: Tobias b köhler]

In one of the more impressive hacks in recent memory, researchers have devised an attack that exploits physical weaknesses in certain types of DDR memory chips to elevate the system rights of untrusted users of Intel-compatible PCs running Linux.

The technique, outlined in a blog post published Monday by Google's Project Zero security initiative, works by reversing individual bits of data stored in DDR3 chip modules known as DIMMs. Last year, scientists proved that such "bit flipping" could be accomplished by repeatedly accessing small regions of memory, a feat that—like a magician who transforms a horse into a rabbit—allowed them to change the value of contents stored in computer memory. The research unveiled Monday showed how to fold such bit flipping into an actual attack.

"The thing that is really impressive to me in what we see here is in some sense an analog- and manufacturing-related bug that is potentially exploitable in software," David Kanter, senior editor of the Microprocessor Report, told Ars. "This is reaching down into the underlying physics of the hardware, which from my standpoint is cool to see. In essence, the exploit is jumping several layers of the stack."

Getting hammered

DDR memory is laid out in an array of rows and columns, which are assigned in large blocks to various applications and operating system resources. To protect the integrity and security of the entire system, each large chunk of memory is contained in a "sandbox" that can be accessed only by a given app or OS process. Bit flipping works when a hacker-developed app or process accesses two carefully selected rows of memory hundreds of thousands of times in a tiny fraction of a second. By hammering the two "aggressor" memory regions, the exploit can reverse one or more bits in a third "victim" location. In other words, selected zeros in the victim region will turn into ones or vice versa.

The ability to alter the contents of forbidden memory regions has far-reaching consequences. It can allow a user or application who has extremely limited system privileges to gain unfettered administrative control. From there, a hacker may be able to execute malicious code or hijack the operations of other users or software programs. Such elevation-of-privilege hacks are especially potent on servers available in data centers that are available to multiple customers.

The vulnerability works only on newer types of DDR3 memory and is the result of the ever smaller dimensions of the silicon. With less space between each DRAM cell, it becomes increasingly hard to prevent one cell from interacting electrically with its neighbors. By repeatedly accessing one or more carefully selected memory locations, attackers can exploit this volatility, causing the charge to leak into or out of adjacent cells. With enough accesses, the technique can change the value of a cell. The attack doesn't work against newer DDR4 silicon or DIMMs that contain ECC, short for error correcting code, capabilities.

Mark Seaborn, described as a "sandbox builder and breaker," along with reverse engineer Thomas Dullien, developed two "rowhammer" exploits that, when run as unprivileged processes, were able to gain kernel privileges on an x86-64 Linux system. The first exploit ran as a Native Client module on top of Google Chrome. Once Google developers became aware of the exploit, they disallowed the CLFLUSH instruction that's required to make the exploit work. The second exploit, which ran as a normal Linux process and gained access to all physical memory, will be harder to mitigate on existing machines.

There are other things that made the exploits impressive. Irene Abezgauz, a product VP at Dyadic Security and an experienced penetration testing professional, told Ars:

    The Project Zero guys took on the challenge of leveraging the concept of rowhammer into an actual exploit. What's impressive is the combination of lots of deep technical knowledge with quite a bit of hacker creativity. What they did was create attack techniques in which flipping just a single bit in a specific location allows them to execute any code they want with root privileges or escape a sandbox. This is impressive by itself, but they added to this quite a few creative solutions to make it more likely to succeed in a real world scenario and not just in the lab. They figured out ways for better targeting of the specific locations in memory they needed to flip, improved the chances of the attack to succeed by creating ("spraying") multiple locations where a flipped bit would make the right impact, and came up with several ideas to leverage this into actual privileged code execution. This combination makes for one of the coolest exploits I've seen in a while.

The attackers didn't identify the specific models of DDR3 that are susceptible to the attack. While their proof-of-concept exploits targeted a Linux computer running x86-64 hardware, the same technique would likely work against a variety of platforms.

The results are impressive, but for a variety of reasons right now, the attacks appear to be more theoretical than practical. For one, the attack appears to allow only local, rather than remote, exploitation, a limitation that significantly curtails its appeal to real-world hackers. And for another, bit flipping works only against certain pre-determined rows. What's more, rowhammering requires more than 540,000 memory accesses in just 64 milliseconds. Unless refinements are made, the demands could make it impractical for attackers to use the technique to reliably hijack a system.

Bit flipping shouldn't be mistaken as a class of memory corruption exploit, such as a buffer overflow or a use-after-free, both of which allow attackers to funnel malicious shell code into protected regions of a computer. Rowhammering, by contrast, allows for escalation of privileges, which while serious, is a much more nuanced type of incursion. Rob Graham, CEO of Errata Security, published this blog post that details additional challenges and technical details.

Still, the ability to exploit physical weaknesses in the hardware is a highly novel type of attack that breaks new ground and may not be easy to remedy.

"This is not like software, where in theory we can go patch the software and get a patch distributed via Windows update within the next two to three weeks," Kanter, of the Microprocessor Report, said. "If you want to actually fix this problem, we need to go out and replace, on a DIMM by DIMM basis, billions of dollars' worth of DRAM. From a practical standpoint that's not ever going to happen."
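The quoted article notes that DIMMs with ECC are not affected by the bit flips it describes. The following is an added illustration of why, written for this archive page; it is not code from the article, the list thread, or the Project Zero research. It implements a textbook SECDED (single-error-correct, double-error-detect) Hamming code over a 64-bit word, the 72-bit-per-word shape ECC memory uses: a single flipped bit in a word is located and repaired transparently, while two flips in the same word are detected but cannot be repaired. The parity layout is a standard Hamming arrangement chosen for illustration, not any specific memory controller's, and the sample word and flipped positions are constructed.

```python
"""SECDED Hamming code over a 64-bit word (72-bit codeword).

Added illustration: a textbook Hamming layout, not the code of any
particular memory controller or of the Project Zero research."""

# Codeword bit positions 1..71: the seven powers of two carry Hamming parity,
# the other 64 positions carry data; position 0 carries the overall parity.
PARITY_POSITIONS = [1, 2, 4, 8, 16, 32, 64]
DATA_POSITIONS = [p for p in range(1, 72) if p & (p - 1)]  # 64 non-powers of two
CODEWORD_BITS = 72


def encode(data):
    """Return the 72-bit codeword protecting a 64-bit data word."""
    if not 0 <= data < 1 << 64:
        raise ValueError("data must be a 64-bit unsigned integer")
    bits = [0] * CODEWORD_BITS
    for i, pos in enumerate(DATA_POSITIONS):
        bits[pos] = (data >> i) & 1
    # Parity bit p covers every position whose index has bit p set.
    for p in PARITY_POSITIONS:
        parity = 0
        for pos in DATA_POSITIONS:
            if pos & p:
                parity ^= bits[pos]
        bits[p] = parity
    # Overall parity over positions 1..71 tells one flip apart from two.
    bits[0] = sum(bits[1:]) & 1
    word = 0
    for pos, b in enumerate(bits):
        word |= b << pos
    return word


def decode(word):
    """Return (status, data) with status 'clean', 'corrected' or
    'uncorrectable' (data is None in the last case)."""
    bits = [(word >> pos) & 1 for pos in range(CODEWORD_BITS)]
    # Syndrome: XOR of the positions of all set bits. Zero for a valid
    # codeword, otherwise the position of a single flipped bit.
    syndrome = 0
    for pos in range(1, CODEWORD_BITS):
        if bits[pos]:
            syndrome ^= pos
    overall = sum(bits) & 1
    if syndrome == 0 and overall == 0:
        status = "clean"
    elif overall == 1 and syndrome < CODEWORD_BITS:
        # Odd parity: treat as a single flip and repair the indicated
        # position (syndrome 0 means the overall parity bit itself flipped).
        bits[syndrome] ^= 1
        status = "corrected"
    else:
        # Even parity with a non-zero syndrome (or a syndrome pointing
        # outside the codeword): two flips, which cannot be located.
        return "uncorrectable", None
    data = 0
    for i, pos in enumerate(DATA_POSITIONS):
        data |= bits[pos] << i
    return status, data


def flip_bits(word, positions):
    """Model a disturbance error by inverting the given codeword positions."""
    for pos in positions:
        word ^= 1 << pos
    return word


if __name__ == "__main__":
    sample = 0xDEADBEEFCAFEBABE  # constructed sample data word
    cw = encode(sample)
    print("intact:   ", decode(cw))
    print("one flip: ", decode(flip_bits(cw, [37])))
    print("two flips:", decode(flip_bits(cw, [37, 52])))
```

The check that matters for the article's point is the middle case: a single disturbed cell in a protected word is corrected before the value reaches software, so the one-bit change the exploit depends on never lands. The limits are also visible in the code: two flips in one word are reported but not fixed, and three or more in the same word can produce an in-range syndrome and be silently miscorrected, which is why ECC lowers the risk rather than removing it.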