
If I understood correctly, this is orders of magnitude worse than RowHammer, as it is kind of passive: you set some program to do the RowHammer side, within its own memory space, and then use RAMBleed to see changes from memory cells, not exactly the ones that were RowHammered. Is that it?


> a bit is more likely to flip when the bits above and below it have the opposite charge. ... To exploit this effect, we developed novel memory massaging techniques to carefully place the victim's secret data in the rows above and below the attacker's memory row.

The secret data has to be duplicated, column aligned, and have a single unallocated row between them. Controlling the alignment of the secret data seems like a major complication for realistic exploitation.

Edit: The strategy in the paper requires allocating a bunch of physical memory from all the small blocks so that memory allocation requests from a new process are allocated deterministically to a desired physical row.
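A toy simulation, added here to illustrate the precondition this comment describes (it is not code from the paper or from any commenter, and the flip probabilities are invented, not measured from real DRAM): a bit in the attacker's sampling row is modelled as flipping more often when the bits directly above and below it both hold the opposite value. With the secret duplicated in the rows above and below, the per-column flip rate reveals the secret; when the two copies are not column aligned, the bias in the mismatched columns disappears and the inference fails.

```python
import random

# Constructed flip probabilities for the toy model (hypothetical values).
P_FLIP_OPPOSITE = 0.30  # neighbours above and below both hold the opposite value
P_FLIP_SAME = 0.02      # neighbours above and below both hold the same value
P_FLIP_MIXED = 0.12     # neighbours disagree: no usable bias in either direction


def flip_probability(above: int, below: int, mine: int) -> float:
    """Modelled probability that a sampling-row bit flips, given its neighbours."""
    if above == below:
        return P_FLIP_OPPOSITE if above != mine else P_FLIP_SAME
    return P_FLIP_MIXED


def simulate_flip_counts(above_row, below_row, sampling_row, trials, rng):
    """Count, per column, how often the sampling-row bit flipped across trials."""
    counts = [0] * len(sampling_row)
    for _ in range(trials):
        for col, mine in enumerate(sampling_row):
            p = flip_probability(above_row[col], below_row[col], mine)
            if rng.random() < p:
                counts[col] += 1
    return counts


def infer_neighbours(sampling_row, counts, trials, threshold=0.2):
    """Guess each neighbour bit: a high flip rate means the neighbours hold the
    opposite of the sampling-row bit; otherwise assume they hold the same value."""
    guesses = []
    for col, mine in enumerate(sampling_row):
        rate = counts[col] / trials
        guesses.append(1 - mine if rate > threshold else mine)
    return guesses


def recover(secret_above, secret_below, trials=400, seed=1):
    """Run the model with the sampling row initialised to all ones and return
    the inferred neighbour bits."""
    rng = random.Random(seed)
    sampling_row = [1] * len(secret_above)
    counts = simulate_flip_counts(secret_above, secret_below, sampling_row, trials, rng)
    return infer_neighbours(sampling_row, counts, trials)


# Constructed sample secret (eight bits) used for the two scenarios below.
SECRET = [1, 0, 1, 1, 0, 0, 1, 0]


def aligned_case():
    """Secret duplicated and column aligned above and below: inference succeeds."""
    return recover(SECRET, SECRET) == SECRET


def misaligned_case():
    """Lower copy shifted by one column: mismatched columns lose their bias."""
    shifted = SECRET[-1:] + SECRET[:-1]
    return recover(SECRET, shifted) == SECRET


if __name__ == "__main__":
    print("aligned copies recovered:", aligned_case())      # True
    print("misaligned copies recovered:", misaligned_case())  # False
```

The model is deliberately crude: it says nothing about real flip rates or about how memory is laid out on a given machine, only why the commenter's two conditions (duplication and column alignment) are what make the per-column flip rate carry information.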


> Edit: The strategy in the paper requires allocating a bunch of physical memory from all the small blocks so that memory allocation requests from a new process are allocated deterministically to a desired physical row.

Honest question, because I'm not a security expert: can you do this without having already pwned your target to such a degree that this would be unnecessary?


Probably not.

However, historically, these sorts of attacks always get better, not worse.

And while even that can sometimes be empty rhetoric, I will say in the last 5 years I'm seeing a lot of security attacks that are already well beyond what even my moderately-trained intuition would suggest are possible, so I have to admit I've sort of given up on trying to guess on whether or not an attack can be made practical. I've seen too many mind-blowing presentations from security researchers to think I can bound their abilities safely. I wouldn't care to bet that they won't move the attacks I already am flabbergasted can exist to some other even-more practical attack that I am flabbergasted can exist.

This is unrelated to the current matter, but let me give you an example: https://www.youtube.com/watch?v=_eSAF_qT_FY If you think that's trivially obvious, and you're confident you can predict how these sorts of things will play out in the future, more power to you, but I'm certainly not justified in that belief at my skill level. I'm just happy I can follow that presentation!


Yeah, it seems that whenever an exploit "doesn't seem practical for actual use" it is just one more exploit-in-the-chain away from being operationalized.

So many systems have unspecified, undocumented and undertested behaviors that have not been exploited only because no one has ever tried.


Presumably there would be value in releasing the "impractical for actual use" version to the public after you have already operationalized and not before.


Yes. Multi-user unix systems. Potentially even from inside a browser depending on GC details.


Yes, you can do it from an unprivileged user account, potentially allowing you to read some data from a privileged user or OS process.


> Honest question, because I'm not a security expert: can you do this without having already pwned your target to such a degree that this would be unnecessary?

The paper describes strategies for manipulating a target box into doing just this.


I am also not a security expert, but it seems like VMs that are shared in the cloud are the targets for a lot of these types of attacks. You don't need to pwn the other VM, but you don't exactly get to choose which VMs you cohabitate with to target your attacks.


So basically we need to defrag our RAM now. Here we go again.


Seems RowHammer can flip bits and RAMBleed uses RowHammer to also read memory stored nearby.



