Lady bird

Ben Gras

Part of Systems Security Research Group at the Vrije Universiteit Amsterdam


Kaveh Razavi

Security Researcher at the Vrije Universiteit Amsterdam

Ben Gras & Kaveh Razavi


Talk Title

Shaking trust in hardware: Attacks on hardware from software, Rowhammer and an MMU side channel from JavaScript

Talk Abstract

In the abstraction stack we are accustomed to, software relies on hardware to function properly and be a secure platform on which to develop systems software and applications.

In this talk we show how this assumption can break down. If the hardware fails us, all bets are off. Our Rowhammer work, Flip Feng Shui, shows how a hardware defect (Rowhammer, which lets software flip bits in DRAM rows it has no permission to write, simply by hammering neighbouring rows) can be used to corrupt the memory of a co-hosted victim VM. A hardware defect like this is hard to aim, that is, to cause the intended corruption reliably; with Flip Feng Shui we combine an OS technique (memory deduplication, which merges identical pages of different VMs into a single physical page) with the repeatability of the bit flips to make the exploit targeted and reliable.

Similarly, the MMU cache side channel shows that the MMU leaks traces of its activity: the page-table entries it reads during a page-table walk are cached in the same CPU caches as ordinary data. By carefully timing our own memory accesses, and using them to evict cache lines, we can observe which lines the walk touched and from that compute which address the MMU is translating. We show this signal is visible even from JavaScript and can therefore be used to break ASLR from inside the JavaScript sandbox, making memory bug exploitation easier. This is a fundamental micro-architectural property of the CPU, and so it is interesting to see that it can be exploited from the very top of the application stack.
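The "which address is the MMU translating" step, as an added example that is not part of the talk or the authors' code: a JavaScript model of the address information a 4-level page-table walk leaves in the cache, and of how an attacker turns the observed cache lines back into address bits. It assumes x86-64 paging with 4 KiB pages, 8-byte entries and 64-byte cache lines (none of which the abstract states), and models only the information content of the channel; the timing and eviction measurements themselves are not reproduced here.

```javascript
// Added example, not from the talk or its authors: a model of the address
// information a page-table walk leaves in the CPU caches.
// Assumptions (not stated on the page): x86-64 4-level paging, 4 KiB pages,
// 8-byte page-table entries, 512 entries per table page, 64-byte cache lines.
// BigInt is used because 48-bit addresses do not fit JavaScript's 32-bit
// bitwise operators.
const PAGE_SHIFT = 12n;          // 4 KiB pages
const INDEX_BITS = 9n;           // 512 entries per table -> 9 address bits per level
const LINE_ENTRY_SHIFT = 3n;     // 64-byte line / 8-byte entry = 8 entries per line
const LINES_PER_TABLE = 1n << (INDEX_BITS - LINE_ENTRY_SHIFT); // 64 lines per table page
const LEVELS = 4;                // PT, PD, PDPT, PML4

// Bit position of the 9-bit table index for `lvl` (1 = PT ... 4 = PML4).
function levelShift(lvl) {
  return PAGE_SHIFT + INDEX_BITS * BigInt(lvl - 1);
}

// Cache line (within its 4 KiB table page) that holds the entry the MMU reads
// at each level when translating `vaddr`. Only these low bits of the cache-set
// index depend on the virtual address; the higher set-index bits come from the
// physical frame of the table page, which is constant per table and therefore
// does not hide the signal once the attacker has located the right sets.
function walkLines(vaddr) {
  const lines = [];
  for (let lvl = 1; lvl <= LEVELS; lvl++) {
    const index = (vaddr >> levelShift(lvl)) & ((1n << INDEX_BITS) - 1n);
    lines.push(index >> LINE_ENTRY_SHIFT);
  }
  return lines;
}

// Inverse: from the four observed cache-line offsets, recover the address
// bits the walk leaked. Each level exposes log2(64) = 6 bits; the 12-bit page
// offset and the low 3 index bits of every level stay hidden.
function recoverBits(lines) {
  let addr = 0n;
  let mask = 0n;
  lines.forEach((line, i) => {
    const pos = levelShift(i + 1) + LINE_ENTRY_SHIFT;
    addr |= line << pos;
    mask |= (LINES_PER_TABLE - 1n) << pos;
  });
  return { addr, mask };
}

function popcount(x) {
  let n = 0;
  for (; x > 0n; x >>= 1n) n += Number(x & 1n);
  return n;
}

// Constructed sample: a plausible user-space heap address chosen for the
// example (not an address measured on any real system).
const SAMPLE_VADDR = 0x7f3a9c2d5e18n;

function demo(vaddr = SAMPLE_VADDR) {
  const lines = walkLines(vaddr);            // what the side channel observes
  const { addr, mask } = recoverBits(lines); // what the attacker reconstructs
  return {
    lines,
    leakedBits: popcount(mask),              // 24 of the 48 address bits
    recovered: addr,
    consistent: addr === (vaddr & mask),     // recovered bits match the real address
  };
}

console.log(demo());
```

The model makes the ASLR point concrete: a single walk reveals 24 bits of the virtual address (6 per level), which is the part of the randomisation an attacker needs to recover, and addresses that differ only in the hidden bits (the page offset and the low 3 index bits of each level) are indistinguishable through this channel.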


Speaker Bio

Ben Gras has been part of the systems security research group at the Vrije Universiteit Amsterdam since 2015. Previously, he was a scientific programmer working on the Minix operating system under Andy Tanenbaum for 10 years. He has published on various offensive security techniques and is currently pursuing a PhD in mischief.

Kaveh Razavi is a security researcher at the Vrije Universiteit Amsterdam in the Netherlands. He is currently mostly interested in reliable exploitation and mitigation of hardware vulnerabilities and side-channel attacks on OS/hardware interfaces. He has previously been part of a CERT team specializing in operating system security, has worked on the authentication systems of a Swiss bank, and has spent two summers at Microsoft Research building large-scale system prototypes. He holds a BSc from Sharif University of Technology, Tehran, an MSc from ETH Zurich and a PhD from the Vrije Universiteit Amsterdam.