Attacking a co-hosted VM: A hacker, a hammer and two memory modules (stormshield.com)
92 points by Aissen on Oct 20, 2017 | hide | past | favorite | 29 comments


VMware has been disabling their inter-VM memory deduplication (TPS) since 6.0 to avoid exactly these kinds of attacks. You can of course re-enable it, if you want, and I've seen situations where its value far outpaced the potential risk.

It also looks like ECC greatly reduces the potential for this to be exploited.


Doesn't this enable ksm, instead of disabling it like the article suggests?

  echo 1 > /sys/kernel/mm/ksm/run


I think you're right. From the documentation [1]:

  set 0 to stop ksmd from running but keep merged pages,
  set 1 to run ksmd e.g. "echo 1 > /sys/kernel/mm/ksm/run",
  set 2 to stop ksmd and unmerge all pages currently merged,
      but leave mergeable areas registered for next run
  Default: 0 (must be changed to 1 to activate KSM,
             except if CONFIG_SYSFS is disabled)
[1] https://www.kernel.org/doc/Documentation/vm/ksm.txt
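Since the run-mode numbers above are easy to misread (the article's own snippet turned KSM on rather than off), here is an added audit helper, not from the article or the thread, that reads the KSM sysfs files quoted above and reports whether cross-process page merging is active on a host. It assumes the standard `/sys/kernel/mm/ksm` layout (`run`, `pages_shared`, `pages_sharing`); the directory argument exists only so the function can be exercised against a constructed copy.

```shell
#!/bin/sh
# Added example: audit a host's KSM state from sysfs.
# ksm_audit [DIR]  -- DIR defaults to /sys/kernel/mm/ksm.
# Exit status: 0 = KSM off and nothing merged, 1 = merging active or
# merged pages still present, 2 = KSM not available on this kernel.
ksm_audit() {
    dir="${1:-/sys/kernel/mm/ksm}"
    if [ ! -r "$dir/run" ]; then
        echo "ksm: not available under $dir (CONFIG_KSM or sysfs missing)"
        return 2
    fi
    run=$(cat "$dir/run")
    # pages_shared = KSM pages currently held; pages_sharing = mappings
    # pointing at them. Both drop to 0 once everything is unmerged.
    shared=$(cat "$dir/pages_shared" 2>/dev/null || echo 0)
    sharing=$(cat "$dir/pages_sharing" 2>/dev/null || echo 0)
    case "$run" in
        0) mode="stopped, merged pages kept" ;;
        1) mode="running (merging across processes/VMs)" ;;
        2) mode="stopped, all pages unmerged" ;;
        *) mode="unknown run value '$run'" ;;
    esac
    echo "ksm: run=$run ($mode) pages_shared=$shared pages_sharing=$sharing"
    # Mode 0 alone is not enough: pages merged earlier stay shared until
    # mode 2 is written, so check the counter as well as the mode.
    if [ "$run" = 1 ] || [ "$shared" -gt 0 ]; then
        echo "ksm: dedup exposure present; 'echo 2 > $dir/run' stops ksmd and unmerges"
        return 1
    fi
    return 0
}
```

Source the file and call `ksm_audit` (with no argument) on the hypervisor host; a non-zero status means pages are still being shared between guests.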


Is ECC memory enough to counter this?


Similarly, is doubling the DRAM refresh rate still sufficient?


Wouldn't the VM software itself using ASLR and running the VM in jails, such as firejail for Linux, reduce the risks?


I hate this scroll jacking nonsense so much


We hate it too! Was not easy to find the right option in this wordpress nonsense but it should be gone for good.


Agreed. Also hijacked two-finger-swipe to go back.


I mostly browse in Safari Reader mode. No hijacking, popup, dickbar, etc. Looks and reads a lot better too.


As soon as grey-on-white shows up, I tap the reader mode button. Firefox, Safari, Chrome (via Just Read).

If that doesn't take care of it, they can't have wanted me to read it.


I hit the "DT" icon I put next to my address bar. Doesn't work on all elements but if they're using <p> properly it'll make the text nice and dark

https://chrome.google.com/webstore/detail/darken-text/kmonkh...

Definitely going to give that Just Read extension a go


Disable javascript, the annoying bar still remains but at least you can read it.


With noscript you can selectively disable and enable javascript for different domains.


And the dickbar too.


TL;DR - Host on a VM, get hacked sooner or later.


That's not what the article says. The article says that with a specific attack, one can change memory bits in running applications to which one should not have access. This application could be a VM, or any other type of application.


I think the point of GP is rather that VPS shared hosting is ubiquitous, i.e. "host on a shared machine, get hacked sooner or later".


I don't think that is a valid conclusion.

This is a pretty sophisticated attack requiring a lot of stuff to fall into place (such as being provisioned on the same machine as the target), and even though it is technically quite impressive I doubt it is a frequent enough occurrence that you could conclude that if you host on a shared machine you're going to get hacked sooner or later.

The chances of being hacked through some simpler and more direct vector are a lot larger.


You're assuming targeted hacking. I'm not - lots of people hunt for machines to add to their botnets.


Yes, and even in that case the best approach would be to pluck the low hanging fruit, of which there is plenty.

Even botnet operators are aiming for the best ROI they can get.


Right, it's probably TLAs that will use this most heavily. But they typically have so many targets that this will be fully automated. Gotta get that network access, bro.


Please don't? If you have a substantive point to make, make it thoughtfully; if you don't, please don't comment until you do.


All of this stuff coming to light and all while organisations are moving sensitive data into the cloud. Ouch.


On-premise, with or without VMs, does not save you from rowhammer, however. That's just another use case, and not really surprising. Since you can modify RAM, there aren't borders really.


True, but at least in the general case you control your adjacent VMs.


Exactly, it's easy to get a VM on any of the major platforms and poke around to see what might be going on in the same host as you.


At least one of the big hosters even lets you have VMs for free for a couple of days (you get your money back if you cancel). That's more than enough time for an automated process to check out tons of VMs (to add to your botnet) for free.


the timing isn't a coincidence. cloud infrastructure is becoming a high-value target for security researchers and cybercriminals precisely because organizations are moving sensitive data into the cloud.

to be clear: i don't mean to lump security researchers and cybercriminals into a common group. it just so happens that they both have motivating interests in this industry shift.

