(keitai-l) Re: bitflipping out of the sandbox

From: Ben Hutchings <ben_at_decadentplace.org.uk>
Date: 05/17/03
Message-ID: <20030517152949.GO15302@decadentplace.org.uk>
On Sat, May 17, 2003 at 02:37:37PM +0900, t3@t3.org wrote:
> 
> Bit-flipping "attacks" are interesting academically, perhaps, but I fail
> to see how it is a security concern. The attack requires both physical
> access to the hardware and low level access to the operating system.

It requires neither of these.  Clearly you didn't read the paper.

> 1) First you load a malicious program into non-sandbox memory.
> 
> 2) You then fill all the computer's available memory with the address of
> the malicious program. 

The malicious program fills memory with objects of two different
classes - class A has a member of type int (or maybe long) whereas
class B has a member of type Object.  The sandbox limits what Java
applications can do but not necessarily the amount of memory they can
allocate.

> 3) You then apply heat - or any kind of energy - to the CPU causing a
> hardware error that will cause the CPU to jump to a random memory
> location.

No, the program spins its wheels until it detects a change in an
object reference.  There are many badly built PCs which will overheat
if you make full use of them for a few minutes.

The program is carefully designed so that the 'random memory
location', which is actually likely to be just one bit different from
the correct one, will probably be that of an instance of the other
class.  I can't remember exactly how it does that.  The result is that
the program has a reference of type A and a reference of type B to the
*same* block of memory.  It can then set the int member through the A
reference and use it as an Object reference through the B reference.

> This will either cause the computer to crash or to execute the
> malicious code that you have loaded previously. 
> 
> If you can do either step one or two, there is no need for step three.
>
> It's a Rube Goldberg security attack. 

Wrong - you can embed this as a trojan horse in an apparently useful
applet or a servlet or something like that, which you get someone else
to run on their machine.  They think it's restricted in a sandbox, but
actually it can break out.  It's an attack that will work on many PCs.

-- 
Ben Hutchings  |  personal web site: http://womble.decadentplace.org.uk/
If the facts do not conform to your theory, they must be disposed of.
Received on Sat May 17 18:32:09 2003
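The mechanism Ben describes, as a constructed simulation added here (not code from the paper, which the thread does not name, nor from anyone in the thread): a toy word-addressed heap, two classes whose single field is an int in one and an object reference in the other, a spin loop that notices when a stored reference changes, and the int/reference confusion that follows once one block is reachable under both types. The two-word object format, the layout (a small cluster of A objects at the bottom of the heap, B objects everywhere else), the 16-word VM-private region and the 0xC0FFEE "secret" are my assumptions for the model, not the paper's design; inject_fault() stands in for the hardware error.

```python
"""Constructed simulation of the bit-flip type-confusion attack described above.

Added example, not code from the paper or from anyone in this thread.  The
"heap" is a list of 32-bit words in which every object occupies two words,
[class tag, one field].  Class A's field is an int; class B's field is an
object reference (a word address into the heap).  The VM is assumed to check
types statically and to trust every reference it hands out, so a typed field
access performs no bounds or tag check.  inject_fault() stands in for the
hardware memory error; everything else is what the untrusted program does.
"""
import random

WORD_BITS = 32
OBJ_WORDS = 2
HEAP_WORDS = 1 << 16            # word addresses 0..65535; address 0 is null
PRIVATE_WORDS = 16              # top of the heap is VM-private, never handed out by alloc
N_A = 32                        # the attacker keeps only a small cluster of A objects
TAG_A, TAG_B = 0xA, 0xB


class Heap:
    def __init__(self):
        self.words = [0] * HEAP_WORDS
        self.top = OBJ_WORDS    # skip words 0-1 so address 0 stays null

    def alloc(self, tag, field):
        addr, self.top = self.top, self.top + OBJ_WORDS
        self.words[addr], self.words[addr + 1] = tag, field
        return addr

    def tag_at(self, addr):
        """Tag of the object starting at addr, or None if addr is not an object start."""
        if addr <= 0 or addr >= self.top or addr % OBJ_WORDS:
            return None
        return self.words[addr]

    # Typed field accesses: unchecked, because the type system "guarantees" the reference.
    def a_get_int(self, ref):
        return self.words[ref + 1]

    def a_set_int(self, ref, value):
        self.words[ref + 1] = value & ((1 << WORD_BITS) - 1)

    def b_get_ref(self, ref):
        return self.words[ref + 1]


def fill_heap(heap):
    """Attacker-chosen layout (my choice for this model, not the paper's): a few A objects
    at the bottom of the heap, B objects everywhere else.  Returns the A and B references
    the program legitimately holds."""
    a_refs = [heap.alloc(TAG_A, 0) for _ in range(N_A)]
    b_refs = []
    while heap.top + OBJ_WORDS <= HEAP_WORDS - PRIVATE_WORDS:
        b_refs.append(heap.alloc(TAG_B, b_refs[-1] if b_refs else a_refs[0]))
    return a_refs, b_refs


def build_layout():
    heap = Heap()
    a_refs, b_refs = fill_heap(heap)
    return heap, a_refs, b_refs


def inject_fault(ref, bit):
    """A single-bit memory error in a stored reference."""
    return ref ^ (1 << bit)


def detect_flip(refs, shadow):
    """The spin loop's check: compare each live reference with a redundant copy.
    Returns the index of the first reference that changed, or None."""
    for i, (r, s) in enumerate(zip(refs, shadow)):
        if r != s:
            return i
    return None


def outcome(heap, declared_tag, ref):
    """Where does a (possibly flipped) reference declared as declared_tag now point?"""
    tag = heap.tag_at(ref)
    if tag is None:
        return "invalid"            # misaligned or outside the heap: a crash, not an alias
    return "same_class" if tag == declared_tag else "other_class"


def flip_outcomes(heap, ref, declared_tag):
    """Try every single-bit flip of one reference; the layout decides these odds."""
    counts = {"invalid": 0, "same_class": 0, "other_class": 0}
    for bit in range(WORD_BITS):
        counts[outcome(heap, declared_tag, inject_fault(ref, bit))] += 1
    return counts


def forge_reference(heap, aliased, target):
    """aliased is one block the program can reach both as an A and as a B.  Write the int
    through the A view, read it back through the B view: a reference to target that the
    VM never issued."""
    heap.a_set_int(aliased, target)
    return heap.b_get_ref(aliased)


def run_attack(seed=1):
    rng = random.Random(seed)
    heap, a_refs, b_refs = build_layout()
    shadow = list(a_refs)
    secret_addr = HEAP_WORDS - PRIVATE_WORDS + 1   # VM-private word, reachable by no reference
    heap.words[secret_addr] = 0xC0FFEE             # constructed "secret"

    faults = 0
    while True:                                    # spin until a useful fault arrives
        faults += 1
        i, bit = rng.randrange(N_A), rng.randrange(WORD_BITS)
        a_refs[i] = inject_fault(a_refs[i], bit)
        idx = detect_flip(a_refs, shadow)
        if outcome(heap, TAG_A, a_refs[idx]) == "other_class":
            break
        a_refs[idx] = shadow[idx]                  # unusable flip; keep spinning

    aliased = a_refs[idx]                          # typed A by the program, actually a B ...
    if aliased not in b_refs:                      # ... and also held as a B reference
        raise RuntimeError("no B-typed reference to the aliased block")
    forged = forge_reference(heap, aliased, secret_addr - 1)
    leaked = heap.a_get_int(forged)                # treat the forged reference as an A
    return {"faults": faults, "aliased": aliased, "forged": forged, "leaked": leaked}


if __name__ == "__main__":
    h, a, b = build_layout()
    print("single-bit flips of the first A reference:", flip_outcomes(h, a[0], TAG_A))
    print(run_attack())
```

Run as a script it prints, for the first A reference, how many of the 32 possible single-bit flips land on a B object (10 in this layout), on another A (4) or on nothing usable (18), then the result of one attack: the aliased block, the forged reference and the leaked VM-private word. The attacker never chooses which bit flips; the layout is the only lever, which is why the paper's program is "carefully designed" and why the number of B objects relative to A objects matters. Note also that no bug in the VM is needed: every field access is type-correct as far as the verifier can tell, and the int/reference confusion arises purely from the two views of one block.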