Infiltrate Security Conference OPEN CFP

TALK PROFILE

Attacking a co-hosted VM: A hacker, a hammer and two memory modules

Vulnerability Development
45

Row-hammer is hardware bug that can cause bit-flips in physical RAM. Mark Seaborn and Thomas Dullien were the first to exploit the DRAM row-hammer bug to gain kernel privileges [2]. In [1], Kaveh Razavi et al. pushed the exploita- tion of row-hammer bugs to the next level. They abused an OS feature - mem- ory deduplication - to surgically flip bits in a controlled way. They succeeded in flipping bits in memory loaded sensitive files (e.g. authorized_keys) assum- ing they know their contents. By weakening RSA moduli in authorized_keys file, they were able to generate corresponding private keys and authenticate on a co-hosted victim VM. In this presentation, we aim to showcase a different attack scenario. Instead of corrupting memory loaded files, we chose to corrupt the state of a running binary. However, given a program P, how to find bits that could divert the flow of execution to the attacker’s own advantage? Searching manually for those bits by reverse-engineering the program P is tedious. We developed a PoC with that leverages on timeless-debugging capabilities to catch those bits automatically. More precisely, we flip each bit of some target functions in P, run the desired functions, and check whether the flipped bits impact the expected result of the targeted function. The libpam is an attractive target since it provides authentication mecha- nisms on widely deployed *nix systems. By analyzing some functions of the pam-unix.so module, we found a dozen of bits that if flipped, allow one to au- thenticate with a blank/wrong password. By running an instance of a row-hammer attack on an attacker VM, we were able to successfully authenticate on an adja- cent victim VM by corrupting the state of pam-unix.so module. Row-Hammer attacks are no longer considered as a myth. They are power- ful and effective. In this presentation, we aim to provide the necessary tools to weaponize row-hammer attacks. We provide an exploit that allows one to gain access or elevate his privileges on a restricted co-hosted VM.

Back to Open CFP
(3)

Comments

Interested in Speaking?

We are pleased to announce the Call For Papers for INFILTRATE 2018 is now open. If you would like to present and have an offense-focused-fresh-content presentation, please submit an abstract, Bio and headshot to cfp@immunityinc.com. This information will be included on our Open CFP site, here, where the public can vote on which presentations they are most interested in seeing at INFILTRATE. Call for papers will close on December 14th, 2017. Shortly after this date, the winning speakers will be notified.

Some of the benefits of speaking at INFILTRATE are: