(keitai-l) Re: bitflipping out of the sandbox

From: Tim Romero <t3_at_vgkk.com>
Date: 05/18/03
Message-Id: <20030518184642.1287.T3@vgkk.com>
Ben,

> > Bit-flipping "attacks" are interesting academically, perhaps, but I fail
> > to see how it is a security concern. The attack requires both physical
> > access to the hardware and low level access to the operating system.
> It requires neither of these.  Clearly you didn't read the paper.
        I did actually, but perhaps I misunderstood. The authors had a
light bulb centimeters away from chips. I don't see how this can be
accomplished without physical access. 

> The program is carefully designed so that the 'random memory
> location', which is actually likely to be just one bit different from
> the correct one, will probably be that of an instance of the other
> class.  I can't remember exactly how it does that.  The result is that
> the program has a reference of type A and a reference of type B to the
> *same* block of memory.  It can then set the int member through the A
> reference and use it as an Object reference through the B reference.
    Well since we don't know what bit will be flipped, we can't say what
value will be changed or where it will start reading, right? But walk me
through this. The VM now has two objects of different types referencing
the same memory location. Now what? We are still in the sandbox in this
case. 

If the flipped bit takes us out of the sandbox, which of course it could,
we have no way of knowing what will be at that location. But at least
now we have a reference out of the sandbox. If you know what's there,
you have some options, but of course you have no clue where you are.
Granted, you can write whatever crap you want into it, but I don't see
how you can get the computer to execute anything.


> > It's Rube Goldberg security attack. 
> Wrong - you can embed this as a trojan horse in an apparently useful
> applet or a servlet or something like that, which you get someone else
> to run on their machine.  They think it's restricted in a sandbox, but
> actually it can break out.  It's an attack that will work on many PCs.
        I just don't see how this can work in the real world. Perhaps
you can explain. Granted, a light-bulb or a cosmic ray can screw up a
computer's memory. It can result in a program writing to a part of
memory that it should not be writing to. OK, that's a cool parlor trick,
but I don't see how it is any more dangerous than just sticking a
lightbulb over my CPU with no malicious code running. 

Tim
Received on Sun May 18 15:23:25 2003
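The mechanism Ben quotes (one block of memory reachable through a reference of type A and a reference of type B, so an int written through the A view reads back as an object reference through the B view), and Tim's "now what?", played out in a small C model. This is an added example, not code from the thread or from the paper being discussed: the "VM" is a heap of fixed-size slots with typed accessors, the alternating A/B layout and the six-bit slot index are assumptions, and the bit flip is injected by the program rather than by a hardware fault. The attacker's code only ever goes through the typed accessors, which is the point: the type check passes on every access, yet the program ends up holding a reference to memory the VM never handed out.

```c
/* Model of the reference-confusion trick.  Added example, not from the
 * thread or the paper; the layout, indexing and injected flip are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NSLOTS 64        /* heap slots; 6 index bits, so a flipped index stays in the heap */
#define INDEX_BITS 6

enum type { TYPE_A, TYPE_B };

/* One heap slot.  Class A keeps an int in its first word, class B a
 * reference; the union is the "same block of memory" seen two ways. */
typedef union { uintptr_t int_field; void *ref_field; } slot;

/* A reference as the VM sees it: where it points plus its static type. */
typedef struct { unsigned idx; enum type static_type; } ref;

static slot heap[NSLOTS];
static enum type allocated_as[NSLOTS];   /* what the attacker put in each slot */
static char outside_sandbox[16];         /* memory the VM never handed out */
#define B_MARK ((void *)&heap[NSLOTS - 1]) /* value stored in every B's reference field */

/* Alternating layout: even slots hold A objects (int 0), odd slots hold
 * B objects (reference field = B_MARK). */
static void init_heap(void) {
    for (unsigned i = 0; i < NSLOTS; i++) {
        if (i % 2 == 0) { allocated_as[i] = TYPE_A; heap[i].int_field = 0; }
        else            { allocated_as[i] = TYPE_B; heap[i].ref_field = B_MARK; }
    }
}

/* The VM's typed accessors: the only way sandboxed code touches memory. */
static int vm_set_int(ref r, uintptr_t v) {
    if (r.static_type != TYPE_A) return -1;       /* type check */
    heap[r.idx].int_field = v;
    return 0;
}
static void *vm_get_ref(ref r) {
    if (r.static_type != TYPE_B) return NULL;     /* type check */
    return heap[r.idx].ref_field;
}

/* Fraction of single-bit flips in B-typed references that land on an A
 * object, i.e. that yield two views of one block.  The figure depends
 * entirely on the layout; this is the alternating layout above. */
static double confusion_fraction(void) {
    unsigned hits = 0, total = 0;
    init_heap();
    for (unsigned i = 0; i < NSLOTS; i++) {
        if (allocated_as[i] != TYPE_B) continue;
        for (unsigned bit = 0; bit < INDEX_BITS; bit++) {
            total++;
            if (allocated_as[i ^ (1u << bit)] == TYPE_A) hits++;
        }
    }
    return (double)hits / total;
}

/* The attacker's program.  It holds a legitimate B-typed reference to the
 * B object in slot `victim`; the simulated fault flips one index bit.
 * Using only typed accesses it (1) notices the reference no longer reads
 * like a B, (2) finds which A object it now aliases, and (3) writes an
 * address as an int through the A view and reads it back as a reference
 * through the B view.  Returns the forged reference, or NULL when the flip
 * landed on another B and produced no confusion. */
static void *run_attack(unsigned victim, unsigned bit, void *target) {
    init_heap();
    ref b = { victim, TYPE_B };
    b.idx ^= (1u << bit);                         /* the hardware fault */
    if (vm_get_ref(b) == B_MARK) return NULL;     /* still points at a B */
    for (unsigned i = 0; i < NSLOTS; i++) {
        if (allocated_as[i] != TYPE_A) continue;
        ref a = { i, TYPE_A };
        vm_set_int(a, (uintptr_t)target);        /* legal: a is typed A */
        if (vm_get_ref(b) == target)             /* legal: b is typed B */
            return vm_get_ref(b);                /* a reference the VM never issued */
        vm_set_int(a, 0);
    }
    return NULL;
}

int main(void) {
    printf("flips that confuse a B reference: %.3f\n", confusion_fraction());
    printf("bit 0 flipped: forged %p, target %p\n",
           run_attack(1, 0, outside_sandbox), (void *)outside_sandbox);
    printf("bit 1 flipped: %p (no confusion)\n", run_attack(1, 1, outside_sandbox));
    return 0;
}
```

In this layout only a flip of the low index bit turns a B reference into an alias of an A object, so one flip in six is usable; the real attack's class layouts are chosen to make that fraction far higher, which is what "carefully designed" refers to. Where the forged reference ends up pointing, and what can be done with it, is exactly the question the thread leaves open; the model only shows that the VM's type checks never fire on the way there.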