During the ICT.Open 2017 conference in de Flint Amersfoort, Victor won the best Dutch Cyber Security Research Paper (DCSRP) award for Drammer. Published at the CCS’16 conference in Vienna, Drammer shows hardware bit flips on mobile devices and their reliable exploitation for the first time.
DCSRP recognizes the best recent non-commercial scientific cyber security research paper in the Netherlands. More information can be found here.
Drammer was presented at CCS 2016 3 weeks ago. Our work shows that the Rowhammer hardware vulnerability is prevalent on mobile devices and that attackers can exploit it in a deterministic manner (a la Flip Feng Shui).
After initial coverage in the form of two written articles by Ars Technica and WIRED, and a podcast from Security Now!, Drammer was quickly picked up by the mainstream press. International items include: Daily Mail, PCWorld, Softpedia, Slashdot, Tech Times, The Register, Fossbytes, The Inquirer, Digital Journal, Hack Read, SC Magazine, Threatpost, BetaNews, Gamenguide, TechTarget, BleepingComputer, NDTV, On the Wire, and InvestorPlace.
Other local items popped up in Argentina (Segu-info), Austria (Der Standard), Belgium (DeMorgen), China (Freebuff, Sohu, EEPW), Czech Republic (Svět Androida), Denmark (Version2), France (Silicon, Le Monde Informatique, Informanews), Germany (Der Spiegel, Golem.de, Pro-Linux, Crn.de, JAXenter, Computer Bild , t3n Magazine, Netzwelt.de), Hungary (HWSW), Italy (Repubblica.it, Punto Informatico, Gadgetblog.it, Tutto Android), Mexico (PCWorld Mexico), The Netherlands (NU.nl, Tweakers.net, Crimesite), Norway (Digi.no), Poland (eGospodarka, Softonet, PCLab.pl, Dobreprogramy, PC Format, Telix.pl), Russia (Хакер, Securitylab.ru), Slovakia (Živé.sk), Spain (López Dóriga, CSO, El Android libre), Switzerland (Neue Zürcher Zeitung), Taiwan (iThome), Turkey (Teknokulis, CHIP, Webtekno), and Ukraine (KO).
Bruce Schneier linked to our project page and we made it to the front page of The Hacker News. Shortly after, Drammer prompted Rowhammer mitigation efforts on LWN and was discussed by Linus Torvalds on Alan Cox’ Google Plus post. We caused a spike in Google queries for Rowhammer, approaching its popularity from 2015, when Google’s Project Zero released the Rowhammer-based exploit.
The Drammer paper (pdf) was accessed over 25k times, while our github repository received 913 unique views and 83 unique clones.
Drammer made an appearance on Dutch national television in an episode of De Universiteit van Nederland (“The University of The Netherlands”).
Our Drammer paper and information page are finally online. Flip Feng Shui (aka deterministic Rowhammer) attacks coming to an Android device near you!
VUSec has two presentations accepted at Black Hat Europe this year: (i) Flip Feng Shui (Rowhammer+dedup for reliable bit flip exploitation) and (ii) clang’s SafeStack bypass based on our thread spraying and allocation oracles work on information hiding.
Flip Feng Shui was presented at USENIX Security 2016 2 weeks ago. This novel attack technique combines a hardware vulnerability with a physical memory massaging primitive to mount a reliable attacks anywhere in the software stack. In particular, we demonstrate practical cross-VM attacks on OpenSSH and GnuPG using Rowhammer and KSM.
Given its practical impact, the Dutch National Cybersecurity Centre took the lead in disclosing Flip Feng Shui. They initiated disclosure to their counterparts in several other countries, as well as to application vendors, OS vendors, hypervisor vendors, and cloud providers. Prior to our talk at USENIX Security, the details of this technique were kept private.
The press has also picked up on this and there is quite some coverage. Arstechnica has a thorough piece on this work. Steve Gibson described Flip Feng Shui as “the most incredibly righteous and sublime hack… ever” in one of the Security Now! podcasts. WIRED also has the right idea: Forget Software—Now Hackers Are Exploiting Physics. Bruce Schneier posted a news item on his blog and there are podcasts by Risky Business (http://risky.biz/RB422 @ 31:40). Other international news items include: The Register, Infoworld, Slashdot, The Stack, Softpedia, Science Daily, and CORDIS.
Other local items popped up in China (Tech.qq.com, Sohu), Finland (Viestintävirasto), France (Silicon), Germany (Deutschlandfunk), Italy (Repubblica.it, HostingTalk), The Netherlands (Security.nl, Computable, Tweakers.net), Poland (Sekurak), Russia (Securitylab.ru), Spain (WWWhat’s new), Ukraine (KO).
The NCSC published a press release with fact sheet and FAQ. Prominent cloud providers posted news items, some of which disabled memory deduplication as a result.
The Dutch TV show “De Kennis van Nu” (roughly: “The knowledge of today”) had an item on Flip Feng Shui and Rowhammer, with Ben and Kaveh acting all hacker-like. (Dutch only)
Our Dedup Est Machina S&P paper (abusing memory deduplication and Rowhammer to own Microsoft Edge on Windows 10 without software vulnerabilities) won the Pwnie Award for Most Innovative Research at Black Hat USA.
Article (in Dutch) about this in De Volkskrant.
This year, VUSec had 2 papers accepted at CCS: Drammer (Deterministic Rowhammer attacks) and TypeSan (a practical type confusion detector).
Our Dedup+Rowhammer research made it to various international publications, including The Register, SearchSecurity (with mistakes), Softpedia, TechTarget, Risky Business (http://risky.biz/RB414 @ 13:37), and others.
It also featured on national Dutch radio in BNR Digitaal (from 9:10 onward), De Volkskrant, Tweakers, and a security advisory by NCSC (all Dutch).
The slides from Erik Bosman’s S&P 2016 talk are here.
Erik is presenting Dedup Est Machina, a cool new attack (abusing memory deduplication and rowhammer) on Microsoft Edge browser with all defenses up — without a single software bug. See also our demo.
This year, VUSec had 4 papers accepted at USENIX Security. (1) flip feng shui (or how to abuse memory deduplication to make Rowhammer attacks deterministic), (2) an in-depth analysis of disassembly, (3) thread spraying to attack information hiding, and (4) a paper that also “pokes holes into information hiding” and demonstrates that using ASLR/64 to hide safe regions is completely insecure.