Data Centre


Flipping heck! Virtual machines hijacked via bit-meddling Feng Shui

Flip Feng Shui, quicker than the human eye

By Iain Thomson in San Francisco


Security researchers at the Vrije Universiteit in Amsterdam have found a way to subvert virtual machines using a combination of hardware and software shenanigans. The end result is the ability to flip bits in another VM's memory to weaken its encryption or mess with its operation.

The attack, dubbed Flip Feng Shui, works by spinning up a virtual machine on a Linux-powered host, and filling a page of memory in the VM with data that's identical to a page in the victim's virtual machine.

So now you have two pages in the host's memory that are the same. Then along comes Linux's Kernel Samepage Merging feature, which deduplicates the two pages into one, so only one copy is physically held in the host server's RAM, but it still appears in each VM's memory map.

The next stage is to run a Rowhammer attack. This technique, demonstrated by Google engineers last year, involves rapidly writing and rewriting data to flip bits in adjacent memory locations. This works by forcing capacitor errors in the DRAM chips, and is successful even in newer DDR4 RAM sticks [PDF].

Using the Flip Feng Shui technique [PDF], the researchers successfully spammed the memory near the aforementioned deduplicated page in one virtual machine to flip the bits in the other guest machine. By doing this, they were able to weaken OpenSSH keys in Debian and Ubuntu systems.

In a second, they managed to alter the URL used by the operating system's package management tool so that it searched for software updates from a different server, allowing the injection of malware into the system during the next update. They also flipped the correct bits in the crypto-keys used to verify the authenticity of packages, so that the package manager would trust the dodgy software downloaded from the attacker-controlled repository.

Despite the proofs of concept, this is not going to be a simple attack. Getting corresponding memory pages is going to take a lot of trial and error and it does depend on having susceptible hardware.

Nevertheless, the team has had a lot of success with similar attacks. They won a Pwnie Award this year at the Black Hat security conference in Las Vegas for Most Innovative Research after using similar deduplication attacks against Windows. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

3 is the magic number (of bits): Flip 'em at once and your ECC protection can be Rowhammer'd

Dutch boffins prove it is possible to evade memory-busting attack mitigations

Oh, great, now there's a SECOND remote Rowhammer exploit

Send enough crafted packets to a NIC to put nasties into RAM, then the fun really starts

RAM, bam, awww ... man! Boffins defeat Rowhammer protections

New attack flips bits in uerspace binaries for fun and p0wnage

IBM attempts to graft virtual machine security onto container flexibility

Nabla Containers promises reduced attack surface through fewer system calls

Rowhammer RAM attack adapted to hit flash storage

Project Zero's two-year-old dog learns a new trick

Rowhammer returns, Spectre fix unfixed, Wireguard makes a new friend, and much more

Roundup And NSA can't stop slurping your phone records

Rowhammer strikes networks, Bolton strikes security jobs, and Nigel Thornberry strikes Chrome, and more

Roundup Hacking laws in the limelight in Georgia and DC, plus new iPhone anti-tampering

Epyc fail? We can defeat AMD's virtual machine encryption, say boffins

Updated Evil hypervisors can lift plaintext info out of ciphered memory, it is claimed

Apache Hadoop spins cracking code injection vulnerability YARN

Loose .zips sink chips 2: Electric Boogaloo

App proves Rowhammer can be exploited to root Android phones – and there's little Google can do to fully kill it

Hardware vuln strikes 18 of 27 tested mobes