Cloud hacking trick allows undetectable changes to VM memory
Fri 12 Aug 2016
Security researchers have uncovered a new attack technique that can alter the memory of virtual machines in the cloud.
The team, based at Vrije Universiteit, Amsterdam, introduced the attack, dubbed Flip Feng Shui (FFS), in a paper titled Flip Feng Shui: Hammering a Needle in the Software Stack. They explained that hackers could use the technique to crack the keys of secured VMs or install malicious code without it being noticed.
The de-duplication attack enables third parties to not only view and leak data, but also to modify it – installing malware or allowing unauthorised logins.
Using FFS, the attacker rents a VM on the same host as their chosen victim. They then write a memory page, whose contents they know exist in the victim, to the vulnerable memory location and let it de-duplicate. The identical pages, with the same information, will merge in order to save capacity and be stored in the same part of the physical computer's memory.
This allows the hacker to change information in the general memory of the computer. The attack can be achieved using a hardware bug called Rowhammer, which can be used to pick out vulnerable memory cells and flip their bits from 0 to 1 (or vice versa).
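The following toy model is an added example, not code from the paper or the researchers. It shows why merged pages are normally safe against ordinary writes, why a hardware bit flip is not, and how a digest pinned beforehand reveals the change. The `Host` class, the copy-on-write behaviour, the VM names and the sample key string are assumptions made for illustration.

```python
import hashlib

PAGE = 4096  # page size used by this toy model

class Host:
    """Constructed toy model of a host that de-duplicates guest pages."""
    def __init__(self):
        self.frames = []   # physical frames (bytearray each)
        self.map = {}      # (vm, page_no) -> index into self.frames

    def write(self, vm, page_no, data):
        # Software write via the MMU. Assumption: merged pages are
        # copy-on-write, so the writer always ends up on a private frame.
        self.frames.append(bytearray(data))
        self.map[(vm, page_no)] = len(self.frames) - 1

    def read(self, vm, page_no):
        return bytes(self.frames[self.map[(vm, page_no)]])

    def dedup(self):
        # Merge guest pages with identical content onto one physical frame.
        seen = {}
        for key, frame in list(self.map.items()):
            self.map[key] = seen.setdefault(bytes(self.frames[frame]), frame)

    def dram_fault(self, frame, byte, bit):
        # Rowhammer-style disturbance: the cell changes in hardware, so no
        # write fault is raised and no private copy is made.
        self.frames[frame][byte] ^= 1 << bit

def digest(host, vm, page_no):
    return hashlib.sha256(host.read(vm, page_no)).hexdigest()

def demo():
    host = Host()
    page = b"ssh-rsa CONSTRUCTED-SAMPLE-KEY".ljust(PAGE, b"\0")
    host.write("victim", 0, page)
    pinned = digest(host, "victim", 0)         # known-good value kept off-host
    host.write("tenant", 0, page)              # co-located VM, same content
    host.dedup()
    shared = host.map[("victim", 0)] == host.map[("tenant", 0)]
    host.write("tenant", 0, b"X" * PAGE)       # ordinary write: victim isolated
    isolated = host.read("victim", 0) == page
    host.write("tenant", 0, page)
    host.dedup()                               # pages merge again
    host.dram_fault(host.map[("victim", 0)], 8, 0)
    altered = host.read("victim", 0) != page
    detected = digest(host, "victim", 0) != pinned
    return shared, isolated, altered, detected

if __name__ == "__main__":
    print(demo())
```
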
The researchers, led by cybersecurity professor Herbert Bos, outlined two demonstrations on the operating systems Debian and Ubuntu. The first test saw FFS establish a connection to a VM through a compromised SSH session. This was enabled by changing a single bit of the victim’s RSA public key. In the second demonstration, the researchers were able to install a corrupt software package with apt-get by altering a URL.
Debian, Ubuntu and other companies involved in the research were notified before the paper was published, and have all responded to the issue. The Dutch government’s National Cyber Security Centre (NCSC) has also updated its fact sheets to include information and advice on FFS.