Something everyone in security should learn is that, when the consequences and impacts are high enough, it's advantageous...
to retain scenarios that are relatively unlikely to occur in the threat model. Take, for example, the recent Flip Feng Shui exploitation vector outlined by students from the Vrije Universiteit Amsterdam in the Netherlands.
The technique is as potentially dangerous to cloud customers as it is unexpected and clever: It involves leveraging memory management features (specifically deduplication) to create a situation of maximum impact for Rowhammer, breaking hypervisor isolation in the process. In other words, it's an attack against the segmentation model in a hypervisor context -- something that many organizations' cloud threat models assume will never happen.
What is Flip Feng Shui?
Flip Feng Shui involves finding and flipping one or more single bits across a virtualization boundary. This means one virtual machine (VM) on a hypervisor is flipping bits inside a different VM on the same physical host. There are two reasons this works: memory deduplication and Rowhammer. It's important to understand both of these to comprehend how Flip Feng Shui works on a technical level.
First, let's talk about memory deduplication. This is a feature designed to maximize efficiency and performance in a data center context. Imagine a hypervisor running identically configured instances of, for example, Linux (e.g., something running a LAMP stack). Since these slices are all configured identically, imagine how much of the storage and memory of those machines is redundant -- in an identical state at any given point in time. Memory deduplication helps to minimize that waste: Instead of the system maintaining multiple memory pages that are identical, it retains only one, which it shares everywhere that same page appears. So, for example, two different virtual machine instances might be pointing to the same page of memory -- and it's owned by them both at the same time.
Second, there is Rowhammer. Rowhammer is a hardware-level issue that can lead to someone intentionally changing the charged state of individual capacitors within dynamic RAM (DRAM) by crafting access patterns designed to cause that disruption. Because the charged state of the DRAM represents the value stored within it (either on or off, charged or not charged, one or zero), these access patterns can alter other memory space in an out of band way.
Flip Feng Shui works by finding memory space on a running virtual machine where a bit flip could occur such that it has a desirable impact from the attacker's point of view (memory templating). This will create the conditions whereby memory is laid out in such a way that the bit flip is controllable by the attacker (memory massaging). Finally, the attacker executes the bit flip such that the memory of the target is corrupted (exploitation).
Who cares if you can flip an individual bit across a virtualization boundary? Well, it turns out that you can do a lot with one bit. The paper describes mechanisms to flip bits in SSH public keys to make them easily factored (thereby undermining authentication) or to change the trusted software repositories for system updates (thereby allowing installation of arbitrary software on the host.) So, in essence, with one bit, you can do whatever you want to the target system.
Remediation and lessons learned
From a practical point of view, practitioners will obviously want to take measures to protect against this type of attack in the short term. What can they do? The Flip Feng Shui paper suggests disabling memory deduplication features in a multi-tenant context.
Now, obviously, not every cloud customer will have control over that -- or even know what configuration state the cloud providers have on the cloud services that customer uses. This means that the customer has some legwork to do in a multi-tenant situation with a public cloud provider. Specifically, it's up to the customer to ask questions about the configuration state and, based on risk tolerances, employ services where the configuration state is known and/or knowable (e.g., bare-metal cloud).
Longer term, though, there is a broader implication. Specifically, cloud customers can be tempted to ignore isolation attacks. Meaning, very often, threat modeling scenarios do not even include isolation attacks in their risk/countermeasure calculus. This is problematic in the face of a situation like Flip Feng Shui.
While isolation attacks are rare, they are not impossible, and they do happen from time to time. As such, it is important to incorporate layered defenses and to specifically account for isolation attacks in risk modeling and risk mitigation scenarios.
Learn how to mitigate a bit flipping flaw caused by Rowhammer exploits
Check out some recent backup data deduplication advancements
Discover the difference between block-level deduplication and zone-level deduplication