[13294] in cryptography@c2.net mail archive
Hacking tool sees the light
daemon@ATHENA.MIT.EDU (Damien O'Rourke)
Fri May 16 12:03:48 2003
X-Original-To: cryptography@metzdowd.com
From: "Damien O'Rourke" <orourked@eeng.dcu.ie>
To: <cryptography@metzdowd.com>
Date: Thu, 15 May 2003 12:07:19 +0100
http://www.globetechnology.com/servlet/story/RTGAM.20030514.gtflipmay14/BNStory/Technology/
By Robert Lemos
CNET
BERKELEY, Calif. - A Princeton University student has shed light on security flaws in Java and .Net virtual machines by using a lamp, some known properties of computer memory and a little luck.
An attack requires physical access to the computer, so the technique poses little threat to virtual machines running on PCs and servers. But it could be used to steal data from smart cards, asserts Sudhakar Govindavajhala, a computer-science graduate student at Princeton who demonstrated the procedure here Tuesday.
"There are smart cards that use Java that you could shine a light on, flip a bit and get access to the card's data," he said.
Mr. Govindavajhala presented the paper at the Institute of Electrical and Electronics Engineers (IEEE) Symposium on Security and Privacy.
The technique relies on the ability of energy to "flip bits" in memory. While cosmic rays very occasionally can cause a random bit in memory to change value, from zero to one or from one to zero, Mr. Govindavajhala decided not to wait. He used a lamp to heat up the chips inside a computer and cause one or more bits of memory to change.
By doing so, the researcher broke the security model virtual machines rely on: that the computer faithfully executes its instruction set.
"You have broken out of the sandbox," Mr. Govindavajhala said.
Virtual machines are software programs that emulate a virtual computer entirely within the host computer's memory. The programs are used to allow software to run on multiple platforms. For example, Java applets can execute on a virtual machine running on the Windows, Linux or Mac operating system. Another feature of such virtual machines is that they keep applets contained to a software "sandbox" - preventing them from affecting the data on the computer.
Mr. Govindavajhala attacked the system by adding his own code into memory and then filling the remaining free memory with the address of the new code. He found that if he could fill 60 per cent of memory with the addresses, a random bit flip would cause his attack code to run more than 70 per cent of the time. In the remaining instances, a key program on the computer would crash.
Fred Cohen, a principal analyst with technology consultancy The Burton Group, said people who created virtual machines didn't take into account this possible attack method.
"Here is a case where people thought they had thought of everything, but they hadn't," he said.
Mr. Cohen added that even if untrusted applications are contained to a sandbox, they can still be dangerous. "If you let people run programs in your computer," he said, "then there is a chance they can do what they want."
Mr. Govindavajhala's technique could be useful in stealing data from smart cards, which look like credit cards but have memory and a simple processor implanted in the card. Since getting hold of someone's smart card is much easier than cracking the case on a PC, the attack would be feasible.
"Certainly there are some smart cards that this could work on," Mr. Cohen said. "There are all sorts of handheld devices where such an attack has potential to do harm as well."
In addition to such devices, the attack could have some implications for so-called trusted computing systems, such as Microsoft's Next-Generation Secure Computing Base, formerly known as Palladium. Mr. Govindavajhala hadn't studied the effects of his error-inducing techniques on such a system, however.
Yet the student researcher did point out that as processors and memory get faster, the energy needed to induce bit flips becomes smaller, suggesting that his technique will only become more effective as time goes on.
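The "fill 60 per cent of memory, succeed 70 per cent of the time" arithmetic in the article can be worked through exactly instead of as rough percentages. The C program below is an added example and is not code from the article, from the talk, or from the IEEE S&P paper; it models the spray in the spirit of the published attack as I understand it: two object classes of the same size, where the sprayed class B is pointer-rich and every one of its fields references a single object of class A, so that a flip in one of those fields that lands on the start of another B object leaves the applet holding a reference of static type A to memory laid out as a B (the type confusion from which pointers can then be forged). The memory size (65536 words), the object size (one header word plus 7 fields), 32-bit pointers and the placement of A in the middle of the spray are all model parameters chosen here, and every (word, bit) pair is enumerated once, so the fractions it prints are exact for this model and are not expected to reproduce the 70 per cent figure from the talk.

```c
/* Added example: exhaustive model of a single-bit memory error hitting a
 * heap "sprayed" with pointer-rich objects.  Constructed model only; it is
 * not code from the IEEE S&P paper and it exploits nothing real. */
#include <stdint.h>
#include <stdio.h>

#define MEM_WORDS (1u << 16) /* modelled memory: 65536 words (assumption) */
#define OBJ_WORDS 8u         /* header word + 7 fields per object (assumption) */
#define ADDR_BITS 32         /* any of the 32 bits of a pointer may flip */

enum outcome {
    OUTSIDE,    /* flipped word is not a sprayed pointer field: no exploit */
    MISALIGNED, /* pointer now points into the middle of an object: garbage, usually a crash */
    CRASH,      /* pointer now lies beyond physical memory: the VM faults */
    OTHER,      /* pointer lands on an aligned address that holds no B object */
    CONFUSION   /* field of static type A now refers to a B object: exploitable */
};

struct model {
    uint32_t nb;     /* number of sprayed B objects (object slots 0..nb, minus A's slot) */
    uint32_t a_idx;  /* object index of the single A, placed in the middle of the spray */
    uint32_t a_addr; /* word address of A: the value every B field holds */
};

struct tally { uint64_t total, outside, misaligned, crash, other, confusion; };

/* fill = fraction of memory the applet fills with B objects (0 < fill < 1). */
struct model build_model(double fill) {
    struct model m;
    m.nb = (uint32_t)(fill * MEM_WORDS) / OBJ_WORDS;
    m.a_idx = (m.nb + 1) / 2;
    m.a_addr = m.a_idx * OBJ_WORDS;
    return m;
}

/* Does `addr` point at the first word of a sprayed B object? */
static int is_b_object(const struct model *m, uint32_t addr) {
    uint32_t idx = addr / OBJ_WORDS;
    return addr % OBJ_WORDS == 0 && idx <= m->nb && idx != m->a_idx;
}

/* Outcome of flipping bit `bit` of the word at address `word`. */
enum outcome classify_flip(const struct model *m, uint32_t word, int bit) {
    uint32_t idx = word / OBJ_WORDS;
    if (idx > m->nb || idx == m->a_idx || word % OBJ_WORDS == 0)
        return OUTSIDE;                   /* unrelated memory, the A itself, or a header */
    uint32_t p = m->a_addr ^ (1u << bit); /* the corrupted pointer value */
    if (p >= MEM_WORDS) return CRASH;
    if (p % OBJ_WORDS)  return MISALIGNED;
    return is_b_object(m, p) ? CONFUSION : OTHER;
}

/* Enumerate every (word, bit) pair once: exact counts, no sampling noise. */
struct tally simulate(double fill) {
    struct model m = build_model(fill);
    struct tally t = {0, 0, 0, 0, 0, 0};
    for (uint32_t w = 0; w < MEM_WORDS; w++) {
        for (int b = 0; b < ADDR_BITS; b++) {
            t.total++;
            switch (classify_flip(&m, w, b)) {
            case OUTSIDE:    t.outside++;    break;
            case MISALIGNED: t.misaligned++; break;
            case CRASH:      t.crash++;      break;
            case OTHER:      t.other++;      break;
            case CONFUSION:  t.confusion++;  break;
            }
        }
    }
    return t;
}

/* Probability that one random bit flip anywhere in memory yields a type-confused reference. */
double exploit_probability(double fill) {
    struct tally t = simulate(fill);
    return (double)t.confusion / (double)t.total;
}

int main(void) {
    const double fills[] = {0.1, 0.3, 0.6, 0.9};
    for (size_t i = 0; i < sizeof fills / sizeof fills[0]; i++) {
        struct tally t = simulate(fills[i]);
        printf("fill %.1f: confusion %.3f  misaligned %.3f  crash %.3f  other %.3f  outside %.3f\n",
               fills[i], (double)t.confusion / (double)t.total,
               (double)t.misaligned / (double)t.total, (double)t.crash / (double)t.total,
               (double)t.other / (double)t.total, (double)t.outside / (double)t.total);
    }
    return 0;
}
```

Running it prints the outcome distribution for several fill fractions. The categories worth watching are the fixed costs and the variable one: flips of the low bits (mid-object) and of the high bits (beyond memory) are a constant tax set by the pointer width and object alignment no matter how much is sprayed, while the share that lands on a sprayed object grows with the fraction of memory the applet managed to fill, which is the reason the attack needs a large spray and why, in the real attack, the remaining flips end in a crash of the VM rather than in anything useful.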
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com