(keitai-l) Re: bitflipping out of the sandbox

From: Curt Sampson <cjs_at_cynic.net>
Date: 05/16/03
Message-ID: <Pine.NEB.4.51.0305160809230.650@angelic-vtfw.cvpn.cynic.net>
On Thu, 15 May 2003, Nick May wrote:

[Regarding the article http://news.com.com/2100-1009_3-1001406.html?tag=fd_top ]

> >since I've *never* seen a piece of
> >hardware that's been fully secure given physical access to it.
>
> They shone a light on it. Physical access of a sort, true...

Well, I'm not sure what you mean by, "of a sort." You can't shine a
light on something if you don't have physical access to it. In terms of
smart cards and phones and suchlike, if you can shine a light on it, you
could also take it apart, or do anything else you wanted to do to it.

> ...hence my question about the sun - is that sufficient to flip a bit
> in a sufficiently interesting number of cases. Bluntly, could one write
> an applet, have it downloaded by a sufficiently large number of people,
> then wait for the sun to shine and have your malicious code execute in
> just a few cases... ?

Unlikely, I think. The "shine a light on" quote is misleading. Let's
look at the full quote:

    There are smart cards that use Java that you could shine a light
    on, flip a bit and get access to the card's data," he said.
    ...
    The technique relies on the ability of energy to "flip bits" in
    memory. While cosmic rays very occasionally can cause a random
    bit in memory to change value, from 0 to 1 or from 1 to 0,
    Govindavajhala decided not to wait. He used a lamp to heat up the
    chips inside a computer and cause one or more bits of memory to
    change.

So he didn't actually use light to execute his attack; he used an
unspecified amount of heat. For any kind of production system, this
has to be an abnormal amount of heat; if it were the kind of heat that
the system encountered under normal circumstances, the system itself
wouldn't work properly in the first place, because the memory would be
randomly flipping bits on a regular basis.

So if just waiting for the sun or a cosmic ray shower would work with
people's keitais, people's keitais would be malfunctioning on sunny
days.

So I don't think we have to worry about malicious Java programs
violating the JVM security model on cards and phones to which the
attacker does not have physical access.

> >And this is certainly not a bug in the java sandbox;
> Nowhere did they claim it was.

The first sentence of the article is:

    A Princeton University student has shed light on security flaws in
    Java and .Net virtual machines....

There's no question in my mind that this is patently false. This is
not a security flaw in either of the virtual machines; it's a security
flaw in the hardware. Saying it's a flaw in the VM is like saying that
someone's front door was insecure when the burglar came in through an
unlocked back window.

Indeed the system was compromised, but this was not due to any error or
problem with the VM.

> lamp. Of course an attack is possible if you have physical access and
> enough resources. But this is a TRIVIAL attack - hence my state of "gog".

Well, we don't know the details of what he did, but it may not be as
trivial as all that. According to the article:

    Govindavajhala attacked the system by adding his own code into
    memory and then filling the remaining free memory with the address
    of the new code.

Did he really do this with just Java?

> Judging by your response, I don't think you have read it fully. Which
> parts are sensationalist?

I did read it fully. I think the article, taken as a whole, gives an
impression that the security risks are greater than they really are. But
later I'll download and read the paper, and see how it compares to the
article.

cjs
-- 
Curt Sampson  <cjs_at_cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
Received on Fri May 16 06:37:49 2003