Hacker News new | past | comments | ask | show | jobs | submit login

How long until someone uses this as the basis of an exploit? Maybe not root access, but if you can figure out an OS call that replicates the access pattern, you can corrupt machines just by interacting with them.

I'd start looking at this for ideas. It's a paper on using memory erros to break out of a java virtual machine. They didn't have a good way for generating them, so resorted to waiting.


There's no need for an OS call. Just userspace access to the same mapped memory is going to stay in the same physical page for far, far, longer than a few hundred thousand DRAM cycles. Obviously the hard part to an exploit would be locating those corrupt bits elsewhere in the system. That's going to depend entirely on the hardware layout of the DRAM chip.

And I guess ASLR would make it even harder.

ASLR only affects the virtual address space. The physical memory allocations are all probably unaffected by ASLR.

Not really; if the blocks of memory you allocate are not the desired distance apart, just try again... or allocate a block big enough to guarantee it, then start the alternate read sequence to trigger corruption. Of course this assumes you can already run your code on the machine e.g. in a VM.

One wonders if this has already been used in a exploit.

A good first check for security companies - examine all known attacks for fence instructions, which are rare. (Without a fence instruction, hammering on the same addresses will just cycle the caches, and not go out to DRAM.) Look at the code near them for a hammering loop.

This is a promising attack, because it might be able to break through a virtual machine boundary.

A test for this should be shipped with major Linux distros, and run during install. When someone like Amazon, Rackspace, or Google sends back a few thousand machines as rejects, this will get fixed.

Fences neither guarantee, nor are required, to hit RAM. You are thinking of flush (for writes) and invalidate (for reads). Alternatively, just ping N+1 addresses that share a cache slot (where N is the way-ness of your cache).

(Fences guarantee only memory ordering, and are typically implemented by flushing to cache, not to RAM.)

I'm curious if it's possible to use this to execute a Bellcore-type fault injection attack against RSA signatures.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact