lecture: Flip Feng Shui

Advanced Rowhammer exploitation on cloud, desktop, and mobile

In 2016, the VUSec system security group from Vrije Universiteit Amsterdam published three top-notch research papers on the topic of Rowhammer exploitation, leading to international media attention and even a prestigious PWNIE award. In this talk, we present key concepts of our research and provide an introduction to Rowhammer exploitation to the public. We describe how attackers can use the Flip Feng Shui exploitation vector to reliably attack cloud, desktop, and mobile platforms.

#DeviceSecurity

Rowhammer is a hardware bug that allows attackers to manipulate data in memory without accessing it. More specifically, by reading many times from a specific memory location, somewhere else in memory a bit may flip: a one becomes a zero, or a zero becomes a one.

Our recent exploits are instances of Flip Feng Shui (or FFS) - a novel exploitation vector that allows an attacker to compromise system software with high reliability, even if recently proposed software defenses are in place. Flip Feng Shui relies on 1) predictable memory management behavior and 2) reproducible bit flips in the memory subsystem. Perhaps surprisingly, we found that both requirements are quite common in devices that we use today as we were able to identify primitives on desktop, cloud, and mobile platforms. We show that Flip Feng Shui is extremely powerful: we compromise Microsoft Edge in a desktop setting (known as Dedup), OpenSSH and apt-get in the cloud (known as Flip Feng Shui), and ultimately build a sophisticated attack that can root Android devices from an untrusted app (Drammer). None of our attacks rely on any software vulnerability.

Besides technical details, we will show (recorded, sorry) demos for each exploit and also detail stories on the responsible disclosure process.