Compromising Linux virtual machines via FFS Rowhammer attack

A group of Dutch researchers have demonstrated a variant of the Rowhammer attack that can be used to successfully compromise Linux virtual machines on cloud servers.

The Flip Feng Shui (FFS) attack is not performed by triggering a software vulnerability. Instead, it relies on exploiting the widespread Rowhammer DRAM glitch to induce bit flips in controlled physical memory pages, and the Linux’ memory deduplication system.

Compromising Linux virtual machines by taking advantage of memory deduplication

A short version of the attack sequence goes like this:

“An attacker rents a virtual server on the same host as your virtual server. Next, the attacker ensures that the hypervisor deduplicates a certain part of the memory that both virtual servers share. That means that both systems store certain information that they both process, in the same part of the physical memory. By employing the so-called rowhammer technique, the attacker is able to change the information in this memory without the hypervisor or your virtual server noticing.”

The researchers were able to perform two attacks on servers running Debian and Ubuntu. In the first one they made the server download malware instead of a software update, and in the second one they managed to access the target’s VM by corrupting their OpenSSH public keys.

According to a fact sheet published by the National Cyber Security Centre (NSCS) of the Dutch government, the attack can be leveraged against virtual machines on workstations as well as servers, but the attacker needs to have access to another virtual machine on the same host.

As the researchers didn’t publish attack code, replicating these attacks is out of reach for most low level attackers, but not for a criminal organization or a foreign intelligence service, NSCS noted.

Temporary solutions to this problem include disabling memory deduplication in the configuration of the hypervisor, or switching to (less efficient) zero-page deduplication.

The researchers informed OpenSSH, GnuPG, VM monitor vendors, and Debian and Ubuntu of the results of their researcher, and GnuPG has already strengthened their key signature checks to protect against the attack.

More technical details about the attack and video demonstrations can be found here and here.