Flipping heck! Virtual machines hijacked via bit-meddling Feng Shui

Security researchers at the Vrije Universiteit in Amsterdam have found a way to subvert virtual machines using a combination of hardware and software shenanigans. The end result is the ability to flip bits in another VM's memory to weaken its encryption or mess with its operation. The attack, dubbed Flip Feng Shui, works by …

  1. Chris Gray 1

    Easy to disable

    In case anyone reads comments but didn't follow the article's link to the docs, it is easy to disable this feature on a system. Also, if you rebuild your own kernel, there is a config flag to remove the feature completely.

    So, good to know about this attack, but nothing to panic about.

    1. Electron Shepherd

      Re: (Not so) Easy to disable

      The thing is, if your environment is one where you control the physical host, you probably also control all the VMs running on it, so there's no problem.

      If you are in a shared cloudy environment*, you almost certainly don't control the physical host and probably don't control all the VMs running on it.

      In other words, yes, you can disable the feature in software, but if you're in a position to do that, you aren't vulnerable anyway.

      *A cloudy environment is one where you can't see everything that's going on.

      1. a_yank_lurker

        Re: (Not so) Easy to disable

        This sounds like it could be a serious problem in some situations. Even if the configuration is "correct" in most, it sounds like it will be quite rare.

  2. h4rm0ny

    I'm safe on Windows 10

    Every time it updates itself it re-enables Hyper-V against my wishes and breaks my Virtualbox installation. They can't hack my VMs if they can't run them. Thanks Nadella!

  3. Destroy All Monsters Silver badge

    Feng Shui???

    This sounds more akin to Wuxia Ninja Trickery, you know, throwing special knives that boomerang around in the bamboo forest etc. Technically unlikely. I am somewhat impressed.

    Wouldn't ECC correct rowhammer bitflips in any case? I hope ECC is still prevalent on servers...

    1. Nick Ryan Silver badge

      Re: Feng Shui???

      In theory ECC could help here, however the description seems to suggest more than just single bit flips which ECC would struggle to deal with.

    2. Ken Moorhouse Silver badge

      Re: ECC

      My feeling is that ECC memory won't help. All it will tell you is that an error has occurred. The reason being that the ECC elements are simply extra elements of the vulnerable "modules" which will also be susceptible to having their states flipped. (ECC is a "participant observer".)

      The whole thing about DDR is that it is by definition "fly by wire" to achieve the speed of access that it does. Refresh it too fast and you get corruption, don't refresh it fast enough and you get corruption. By stressing the power going into the circuitry harmonic frequencies are being created which are affecting the refresh rate of the RAM, pulling it out of tolerance, and hence corrupting it. A well designed power supply will help quench this waveform lumpiness, but if the circuit board design is not up to scratch then this can cause local impedance issues which wouldn't be relevant in normal operation.

      I wouldn't have thought that this kind of attack is reproducible in terms of which bits get flipped.

  4. Mage Silver badge

    Samepage Merging feature,

    Daft to have such feature across VMs.

    It's good to hear it can be turned off, though if you are using the so called Cloud?

    1. Destroy All Monsters Silver badge

      Re: Samepage Merging feature,

      Why is it daft?

  5. Old Handle

    Here's what I'm wondering...

    Is there any guarantee this same trick couldn't attack the host itself? Is VM RAM data stored in some way that makes it too different from other data in physical RAM so that it's impossible to make them match? Or is there anything else I'm missing about how this page merging feature works that would protect against this?

  6. David Roberts

    When does (de)duplication take place?

    As far as I can see this only works on writable memory. Else how do you flip the bits rapidly?

    Sharing read only code between processes is as old as the hills.

    So apparently you need to take a copy of a writeable area of memory which remains unchanged long enough for deduplication to kick in. You then have two (or more) processes with write access to the same memory area?

    This just doesn't sound right because if you could do this you would have read and write access to the memory anyway and wouldn't need to do fancy bit flipping.

    I think you could identify a read only area of memory, and if you could identify the absolute hardware address then gain write access to physical memory very close to it you could go for rattling the cage. However, can you do this in a VM?

    Nope, beyond me.

  7. jake Silver badge

    "a Rowhammer attack. This technique, revealed by Google engineers last year,"

    It's been known since the early 1970s, actually, long before the goo-tards were even aware that DRAM existed ... in fact, before many of them were even born. We called the effect a more logical "induced disturbance errors", instead of the video game inspired "rowhammer", not being teh L33t 4ax0r5 that teh goo-tards are.

    1. Destroy All Monsters Silver badge

      Oh jake please. Since the early 70s, really? When there was 32 KiB discrete element memory and frequency on the bus was measured in kHz?

      "induced disturbance errors" must have been the high-falutin way of saying "there is crosstalk on the lines, somebody please get a soldering iron out". Not at all like "rowhammer" ... (does that name come from a vidya? I dunno)

      1. jake Silver badge

        Yes, the early 1970s, DAM.

        Even the brain-dead Wiki touches on it. See:

        https://en.wikipedia.org/wiki/Row_hammer#Overview

        FWIW, I played with this on a PDP11, back in the day.

        HTH, HAND

  8. This post has been deleted by its author

  9. clickbg

    Fix

    Just a few helpful links for you KVM guys out there:

    Disable per guest:

    https://www.ibm.com/support/knowledgecenter/linuxonibm/liaat/liaatbpkvmuseguest.htm

    Disable globally (RHEL):

    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/chap-KSM.html

    If you disable it globally, it's best to list it in the XML of every VM too, since an update of libvirt may re-enable the ksm and ksmtuned services.
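Added example, not from the thread or from either linked document: a small POSIX shell audit that reports the host's KSM state and checks whether a libvirt domain XML carries the per-guest `<memoryBacking><nosharepages/></memoryBacking>` opt-out, so a guest that would be left mergeable after a libvirt update can be spotted. The sysfs path and XML files are parameters; the run file and domain XMLs below are constructed samples.

```shell
# Added example, not from the thread or the linked docs: audit a KVM host for
# kernel samepage merging (KSM) and check whether a libvirt domain XML has
# opted out of page sharing. Paths are parameters so it can run against
# constructed files as well as the real /sys/kernel/mm/ksm/run.

# Print KSM state: 0 = stopped, 1 = running, 2 = stop and unmerge pages.
ksm_state() {
    f="${1:-/sys/kernel/mm/ksm/run}"
    [ -r "$f" ] || { echo "absent"; return 0; }
    case "$(cat "$f")" in
        0) echo "stopped" ;;
        1) echo "running" ;;
        2) echo "unmerging" ;;
        *) echo "unknown" ;;
    esac
}

# Succeed (exit 0) when the domain XML carries
# <memoryBacking><nosharepages/></memoryBacking>, which keeps that guest's
# pages out of KSM even when the host-wide service is on.
domain_opts_out() {
    grep -q '<nosharepages/>' "$1"
}

# A guest's pages are mergeable only when KSM runs and it has not opted out.
# Exit 1 in that case so the result can drive a script or a monitoring check.
audit_guest() {
    state="$(ksm_state "$2")"
    if [ "$state" = "running" ] && ! domain_opts_out "$1"; then
        echo "$(basename "$1"): KSM $state, no nosharepages: pages mergeable"
        return 1
    fi
    echo "$(basename "$1"): KSM $state, nosharepages or KSM off: not mergeable"
}

# Constructed sample inputs: a sysfs-style run file set to 1 and two guests.
tmp="${TMPDIR:-/tmp}/ksm_audit.$$"
mkdir -p "$tmp"
printf '1\n' > "$tmp/run"
printf '%s\n' "<domain type='kvm'><name>shielded</name>" \
    "<memoryBacking><nosharepages/></memoryBacking></domain>" > "$tmp/shielded.xml"
printf '%s\n' "<domain type='kvm'><name>exposed</name></domain>" > "$tmp/exposed.xml"

audit_guest "$tmp/shielded.xml" "$tmp/run"
audit_guest "$tmp/exposed.xml" "$tmp/run" || true
```

On a real host, call `audit_guest /etc/libvirt/qemu/<guest>.xml` with no second argument to read the live `/sys/kernel/mm/ksm/run`.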

  10. Anonymous Coward

    OK, I accept this may be feasible

    but how on earth are you going to create a duplicate memory page without already having access to the other VM? ASLR etc would surely make this very tricky indeed to arbitrarily achieve duplication.

    So... how on earth do you duplicate a page without already having access to the target machine including keys to corrupt etc.

    I would also guess that this attack would show up in performance or hardware diagnostics too - it does not seem very discreet, even if it is effective.

  11. jms222

    Anything sensible and not cheapo desktop will have ECC memory and this won't work.

  12. Fruit and Nutcase Silver badge

    Phooey

    Whilst I like the image accompanying the article, is there any evidence that Hong Kong Phooey was a practitioner of Feng Shui? He certainly was a student of martial arts, following the instructions in "The Hong Kong Book of Kung Fu" correspondence course.
