Flipping heck! Virtual machines hijacked via bit-meddling Feng Shui

Flip Feng Shui, quicker than the human eye

hong kong fuey

Security researchers at the Vrije Universiteit in Amsterdam have found a way to subvert virtual machines using a combination of hardware and software shenanigans. The end result is the ability to flip bits in another VM's memory to weaken its encryption or mess with its operation.

The attack, dubbed Flip Feng Shui, works by spinning up a virtual machine on a Linux-powered host, and filling a page of memory in the VM with data that's identical to a page in the victim's virtual machine.

So now you have two pages in the host's memory that are the same. Then along comes Linux's Kernel Samepage Merging feature, which deduplicates the two pages into one, so only one copy is physically held in the host server's RAM, but it still appears in each VM's memory map.

The next stage is to run a Rowhammer attack. This technique, demonstrated by Google engineers last year, involves rapidly writing and rewriting data to flip bits in adjacent memory locations. This works by forcing capacitor errors in the DRAM chips, and is successful even in newer DDR4 RAM sticks [PDF].

Using the Flip Feng Shui technique [PDF], the researchers successfully spammed the memory near the aforementioned deduplicated page in one virtual machine to flip the bits in the other guest machine. By doing this, they were able to weaken OpenSSH keys in Debian and Ubuntu systems.

In a second, they managed to alter the URL used by the operating system's package management tool so that it searched for software updates from a different server, allowing the injection of malware into the system during the next update. They also flipped the correct bits in the crypto-keys used to verify the authenticity of packages, so that the package manager would trust the dodgy software downloaded from the attacker-controlled repository.

Youtube Video

Despite the proofs of concept, this is not going to be a simple attack. Getting corresponding memory pages is going to take a lot of trial and error and it does depend on having susceptible hardware.

Nevertheless, the team has had a lot of success with similar attacks. They won a Pwnie Award this year at the Black Hat security conference in Las Vegas for Most Innovative Research after using similar deduplication attacks against Windows. ®


Biting the hand that feeds IT © 1998–2017