
Flip Feng Shui: A new cross-VM exploitation vector - Rafert
https://www.vusec.net/projects/flip-feng-shui/
======
yladiz
All I can think of when I see the acronym in the article is For Fuck's Sake...

From my understanding, this essentially allows an attacker to compromise
specific memory of a victim VM by bit flipping, since the host uses shared
memory for both if the contents are the same. This would allow the attacker to
then change the contents of the memory to something malicious and the victim
VM would not know.

Let me know if I'm wrong; I think this is essentially the attack based on my
understanding of the article. I didn't watch the 5-minute OpenSSH video in the
article, though.

~~~
isp
Essentially yes. But note that it is using a row hammer attack to physically
flip the bit in the shared memory. Doing so bypasses the normal copy-on-write
shared memory safeguard.
[https://en.wikipedia.org/wiki/Row_hammer](https://en.wikipedia.org/wiki/Row_hammer)

------
voltagex_
>We have registered all possible domains that are one bit flip away from
ubuntu.com and debian.org. We would like to hand these domains over to the
correct authority. Please get in touch if you think you are one.

Aha!
[https://www.youtube.com/watch?v=lZ8s1JwtNas](https://www.youtube.com/watch?v=lZ8s1JwtNas)
is a talk about "bitsquatting" along the same lines. I'm sure I've seen a
newer talk about it too.

Edit:
[https://www.youtube.com/watch?v=ZPbyDSvGasw](https://www.youtube.com/watch?v=ZPbyDSvGasw)
is the other video, which also looks at the behaviour of various clients.

~~~
moyix
Yep. Artem's web page has more information as well:

[http://dinaburg.org/bitsquatting.html](http://dinaburg.org/bitsquatting.html)
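
The "one bit flip away" set quoted from the article can be enumerated directly, which is how a domain owner would build the list of names to register or monitor defensively. This is an added example, not part of the thread or the VUSec project's code; the function names are hypothetical, and it assumes flips only in the leftmost label (the TLD is kept fixed) and plain ASCII hostnames.

```python
import string

# Characters allowed in a DNS hostname label (letters, digits, hyphen).
LDH = set(string.ascii_lowercase + string.digits + "-")


def bitsquat_labels(label):
    """Return every valid label that differs from `label` by exactly one bit."""
    label = label.lower()
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            # Skip bytes that are not legal hostname characters. This also
            # drops the 0x20 case flip ('u' -> 'U'), which is the same name
            # in DNS because lookups are case-insensitive.
            if flipped not in LDH:
                continue
            cand = label[:i] + flipped + label[i + 1:]
            # A label may not start or end with a hyphen.
            if cand.startswith("-") or cand.endswith("-"):
                continue
            out.add(cand)
    return sorted(out)


def bitsquat_domains(domain):
    """Apply bitsquat_labels to the leftmost label of `domain`."""
    label, _, rest = domain.partition(".")
    return [f"{c}.{rest}" for c in bitsquat_labels(label)]


if __name__ == "__main__":
    # The two names mentioned in the quoted passage.
    for name in ("ubuntu.com", "debian.org"):
        variants = bitsquat_domains(name)
        print(f"{name}: {len(variants)} one-bit variants")
        print("  " + " ".join(variants))
```
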

------
romaniv
Does anyone know how step #1 works in practice? How can you detect which
addresses correspond to the same cells in neighboring rows?

~~~
parenthephobia
Using something like
[https://github.com/google/rowhammer-test](https://github.com/google/rowhammer-test)

tl;dr: You check. Allocate some memory and hammer it. If you detect flips,
step 1 is complete.

