There has been significant media coverage of the CPU flaws known as Meltdown and Spectre. After one of our researchers reproduced the bug before the embargo was lifted, using only public information and speculation, the VUSec group has been asked to comment in several pieces, including tweakers.net, wired.com, volkskrant.nl, nos.nl, HBO Vice news tonight (video), news.com.au.
Prof. Herbert Bos, Prof. Michel van Eeten, and Prof. Bart Jacobs on the 24th released a joint Dutch statement and proposal on the inadequacy of academic cybersecurity funding in The Netherlands. Funding that is up to 50x higher in neighboring countries is causing a drain of talented researchers away from The Netherlands.
Cybersecurity Investment Proposal
The proposal calls for the development of a three-pronged strategy to maintain the high academic standard of Dutch research organizations, funded by a total budget of €100 million over 10 years, through a combination of public and private investment.
- €40M (public): fund open tenders for non-permanent PhD and postdoc projects, where both pure-CS and interdisciplinary proposals will be considered. Examples might be legal, medical and organizational fields.
- €20M (public): a budget of €2M/year for which universities may apply to either (a) hire permanent staff for a newly appointed cybersecurity professor; or (b) retain staff, done by a cybersecurity professor with at least 5 years proven record, to establish areas of new research.
- €40M (private): The establishment of a pool of inter-organizational cybersecurity experts. The organizations will be a combination of research, government and industrial organizations that host the members. These members will then share knowledge, deepen knowledge (by following an external or industrial PhD program), and provide operational expertise in emergencies.
Herbert was interviewed on BNR Radio (Dutch). The interview is mostly about Rowhammer vulnerabilities.
On March 2nd, Herbert and his dog were interviewed for De Kennis van Nu on Dutch national TV. (Dog enters 13m43s into the show.)
Press outlets and other organisations have picked up on this work: wired, arstechnica, ACM Tech News, NCSC, bleepingcomputer.com, Tom’s Hardware, security.nl, theregister, tweakers.net, digitaljournal.com, CSO Australia, hackaday, slashdot, securityweek.com, heise.de, theinquirer.net, itnews.com.au, eejournal.com, habrahabr.ru, impress.co.jp, paper.li, boingboing.net.
RTL Nieuws (TV, Dutch) reported on the vulnerabilities in computers used in Dutch elections. Asked for a reaction, Herbert agrees this looks bad. A few days later, the government decided to stop using the vulnerable systems. On Feb. 1st, the New York Times also reported on this.
Last month, Victor and Herbert gave a lecture about buffer overflows and return-oriented programming on Dutch national TV.
Drammer was presented at CCS 2016 3 weeks ago. Our work shows that the Rowhammer hardware vulnerability is prevalent on mobile devices and that attackers can exploit it in a deterministic manner (à la Flip Feng Shui).
Press, Vendor Coverage & Discussion
After initial coverage in the form of two written articles by Ars Technica and WIRED, and a podcast from Security Now!, Drammer was quickly picked up by the mainstream press. International items include: Daily Mail, PCWorld, Softpedia, Slashdot, Tech Times, The Register, Fossbytes, The Inquirer, Digital Journal, Hack Read, SC Magazine, Threatpost, BetaNews, Gamenguide, TechTarget, BleepingComputer, NDTV, On the Wire, and InvestorPlace.
Other local items popped up in Argentina (Segu-info), Austria (Der Standard), Belgium (DeMorgen), China (Freebuff, Sohu, EEPW), Czech Republic (Svět Androida), Denmark (Version2), France (Silicon, Le Monde Informatique, Informanews), Germany (Der Spiegel, Golem.de, Pro-Linux, Crn.de, JAXenter, Computer Bild, t3n Magazine, Netzwelt.de), Hungary (HWSW), Italy (Repubblica.it, Punto Informatico, Gadgetblog.it, Tutto Android), Mexico (PCWorld Mexico), The Netherlands (NU.nl, Tweakers.net, Crimesite), Norway (Digi.no), Poland (eGospodarka, Softonet, PCLab.pl, Dobreprogramy, PC Format, Telix.pl), Russia (Хакер, Securitylab.ru), Slovakia (Živé.sk), Spain (López Dóriga, CSO, El Android libre), Switzerland (Neue Zürcher Zeitung), Taiwan (iThome), Turkey (Teknokulis, CHIP, Webtekno), and Ukraine (KO).
Bruce Schneier linked to our project page and we made it to the front page of The Hacker News. Shortly after, Drammer prompted Rowhammer mitigation efforts on LWN and was discussed by Linus Torvalds on Alan Cox’ Google Plus post. We caused a spike in Google queries for Rowhammer, approaching its popularity from 2015, when Google’s Project Zero released the Rowhammer-based exploit.
Drammer made an appearance on Dutch national television in an episode of De Universiteit van Nederland (“The University of The Netherlands”).
Flip Feng Shui was presented at USENIX Security 2016 2 weeks ago. This novel attack technique combines a hardware vulnerability with a physical memory massaging primitive to mount reliable attacks anywhere in the software stack. In particular, we demonstrate practical cross-VM attacks on OpenSSH and GnuPG using Rowhammer and KSM.
Given its practical impact, the Dutch National Cybersecurity Centre took the lead in disclosing Flip Feng Shui. They initiated disclosure to their counterparts in several other countries, as well as to application vendors, OS vendors, hypervisor vendors, and cloud providers. Prior to our talk at USENIX Security, the details of this technique were kept private.
Press & Vendor Coverage
The press has also picked up on this and there is quite some coverage. Ars Technica has a thorough piece on this work. Steve Gibson described Flip Feng Shui as “the most incredibly righteous and sublime hack… ever” in one of the Security Now! podcasts. WIRED also has the right idea: Forget Software—Now Hackers Are Exploiting Physics. Bruce Schneier posted a news item on his blog and there are podcasts by Risky Business (http://risky.biz/RB422 @ 31:40). Other international news items include: The Register, Infoworld, Slashdot, The Stack, Softpedia, Science Daily, and CORDIS.
Other local items popped up in China (Tech.qq.com, Sohu), Finland (Viestintävirasto), France (Silicon), Germany (Deutschlandfunk), Italy (Repubblica.it, HostingTalk), The Netherlands (Security.nl, Computable, Tweakers.net), Poland (Sekurak), Russia (Securitylab.ru), Spain (WWWhat’s new), Ukraine (KO).
Our Dedup+Rowhammer research made it to various international publications, including The Register, SearchSecurity (with mistakes), Softpedia, TechTarget, Risky Business (http://risky.biz/RB414 @ 13:37), and others.
The slides from Erik Bosman’s S&P 2016 talk are here.