[ISN] New hacking tool sees the light

From: InfoSec News (isnat_private)
Date: Tue May 13 2003 - 22:14:51 PDT

    http://news.com.com/2100-1009_3-1001406.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    May 13, 2003
    
    BERKELEY, Calif.--A Princeton University student has shed light on
    security flaws in Java and .Net virtual machines using a lamp, some
    known properties of computer memory and a little luck.
    
    An attack requires physical access to the computer, so the technique
    poses little threat to virtual machines running on PCs and servers.  
    But it could be used to steal data from smart cards, said Sudhakar
    Govindavajhala, a computer-science graduate student at Princeton who
    demonstrated the procedure Tuesday.
    
    "There are smart cards that use Java that you could shine a light on,
    flip a bit and get access to the card's data," he said. Govindavajhala
    presented the paper at the Institute of Electrical and Electronics
    Engineers (IEEE) Symposium on Security and Privacy here.
    
    The technique relies on the ability of energy to "flip bits" in
    memory. While cosmic rays can very occasionally cause a random bit in
    memory to change value, from 0 to 1 or from 1 to 0, Govindavajhala
    decided not to wait. He used a lamp to heat up the chips inside a
    computer and cause one or more bits of memory to change.
    
    By doing so, the researcher broke the security model that virtual
    machines rely on--that the computer faithfully executes its
    instruction set.
    
    "You have broken out of the sandbox," Govindavajhala said.
    
    Virtual machines are software programs that emulate a virtual computer
    entirely in the host computer's memory. The programs are used to allow
    software to run on multiple platforms. For example, Java applets can
    execute on a virtual machine running on Windows, Linux or the MacOS.  
    Another feature of such virtual machines is that they keep applets
    contained to a software "sandbox"--preventing them from affecting the
    data on the computer.
    
    Govindavajhala attacked the system by adding his own code into memory
    and then filling the remaining free memory with the address of the new
    code. He found that, if he could fill 60 percent of memory with the
    addresses, a random bit flip would cause his attack code to run more
    than 70 percent of the time. In the remaining instances, a key program
    on the computer would crash instead.
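    Because the whole attack hinges on a single memory bit changing value, the
    usual hardware countermeasure is error-correcting (ECC) memory, which catches
    the flip before the virtual machine ever sees a corrupted pointer. The
    following is an added illustration, not code from the article or from the
    Princeton paper: a SECDED Hamming code over one 32-bit word that corrects
    any single flipped bit and flags two flipped bits as uncorrectable.

```python
"""SECDED (single-error-correcting, double-error-detecting) Hamming code
over one 32-bit word: a software model of what ECC DRAM does per word."""
DATA_BITS = 32
PARITY_BITS = 6                      # 2**6 >= 32 + 6 + 1, so six check bits suffice
TOTAL = DATA_BITS + PARITY_BITS      # positions 1..38; powers of two hold parity

def _is_pow2(n):
    return n & (n - 1) == 0

def encode(word):
    """Return (codeword bits indexed 1..TOTAL, overall parity bit)."""
    assert 0 <= word < (1 << DATA_BITS)
    bits = [0] * (TOTAL + 1)         # index 0 is unused
    data = [(word >> i) & 1 for i in range(DATA_BITS)]
    di = 0
    for pos in range(1, TOTAL + 1):  # data bits fill the non-power-of-two slots
        if not _is_pow2(pos):
            bits[pos] = data[di]
            di += 1
    for p in range(PARITY_BITS):     # check bit 2**p covers every position with bit p set
        mask = 1 << p
        bits[mask] = sum(bits[pos] for pos in range(1, TOTAL + 1)
                         if pos & mask and pos != mask) & 1
    overall = sum(bits) & 1          # extra parity bit distinguishes 1 from 2 errors
    return bits, overall

def decode(bits, overall):
    """Return (status, word); status is 'ok', 'corrected' or 'uncorrectable'."""
    bits = list(bits)
    syndrome = 0                     # non-zero syndrome = position of a single flip
    for p in range(PARITY_BITS):
        mask = 1 << p
        if sum(bits[pos] for pos in range(1, TOTAL + 1) if pos & mask) & 1:
            syndrome |= mask
    parity_ok = (sum(bits) & 1) == overall
    if syndrome == 0 and parity_ok:
        status = "ok"
    elif syndrome and not parity_ok:          # odd error count: one flip, fix it
        bits[syndrome] ^= 1
        status = "corrected"
    elif syndrome == 0 and not parity_ok:     # only the overall parity bit flipped
        status = "corrected"
    else:                                     # syndrome set but parity matches: two flips
        return "uncorrectable", None
    word, di = 0, 0
    for pos in range(1, TOTAL + 1):
        if not _is_pow2(pos):
            word |= bits[pos] << di
            di += 1
    return status, word
```

    A flipped bit inside a stored pointer is thus corrected on read, and a double flip raises a machine-check style error instead of silently redirecting control flow.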
    
    Fred Cohen, a principal analyst with technology consultancy The Burton
    Group, said that people who created virtual machines didn't allow for
    this possible attack.
    
    "Here is a case where people thought they had thought of everything,
    but they hadn't," he said, adding that even with sandboxing untrusted
    applications, they can still be dangerous. "If you let people run
    programs in your computer, then there is a chance they can do what
    they want."
    
    The technique could be useful in stealing data from smart cards, which
    look like credit cards but have memory and a simple processor
    implanted in the card. Since getting a hold of someone's smart card is
    much easier than cracking the case on their PC, the attack would be
    feasible.
    
    "Certainly there are some smart cards that this could work on," Cohen
    said. "There are all sorts of handheld devices where such an attack
    has potential to do harm as well."
    
    In addition to such devices, the attack could have some implications
    for trusted computing systems, such as Microsoft's next-generation
    secure computing base, formerly known as Palladium. Govindavajhala
    hadn't studied the effects of his error-inducing techniques on such a
    system, however.
    
    Yet, the student researcher did point out that as processors and
    memory get faster, the energy needed to induce bit flips becomes
    smaller, suggesting that his technique will only become more
    effective.
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    This archive was generated by hypermail 2b30 : Wed May 14 2003 - 00:28:56 PDT