mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-01-10 22:21:11 +08:00
wcnnbdk1 translated 20161024 Physical RAM attack can root Android and possibly other devices.md
This commit is contained in:
Jinwen Zhang
parent
3ef99e109e
commit
3f6b1a5190
@ -1,73 +0,0 @@
|
||||
wcnnbdk1 translating
|
||||
Physical RAM attack can root Android and possibly other devices
|
||||
===
|
||||
|
||||
>Attackers can reliably flip bits in physical memory cells in order to compromise mobile devices and computers
|
||||
|
||||
|
||||
|
||||
|
||||
Researchers have devised a new way to compromise Android devices without exploiting any software vulnerabilities and instead taking advantage of a physical design weakness in RAM chips. The attack technique could also affect other ARM and x86-based devices and computers.
|
||||
|
||||
The attack stems from the push over the past decade to pack more DRAM (dynamic random-access memory) capacity onto increasingly smaller chips, which can lead to memory cells on adjacent rows leaking electric charges to one another under certain conditions.
|
||||
|
||||
For example, repeated and rapid accessing of physical memory locations -- an action now dubbed "hammering" -- can cause the bit values from adjacent locations to flip from 0 to 1 or the other way around.
|
||||
|
||||
While such electrical interference has been known for a while and has been studied by vendors from a reliability standpoint -- because memory corruption can lead to system crashes -- researchers have shown that it can also have serious security implications when triggered in a controlled manner.
|
||||
|
||||
|
||||
In March 2015, researchers from Google's Project Zero [presented two privilege escalation exploits][7] based on this memory "row hammer" effect on the x86-64 CPU architecture. One of the exploits allowed code to escape the Google Chrome sandbox and be executed directly on the OS and the other gained kernel-level privileges on a Linux machine.
|
||||
|
||||
Since then, other researchers have further investigated the problem and have shown that it could be [exploited from websites through JavaScript][6] or [could affect virtualized servers][5] running in cloud environments. However, there have been doubts about whether the technique would also work on the significantly different ARM architecture used in smartphones and other mobile devices.
|
||||
|
||||
But now, a team of researchers from the VUSec Group at Vrije Universiteit Amsterdam in the Netherlands, the Graz University of Technology in Austria, and the University of California in Santa Barbara has demonstrated not only are Rowhammer attacks possible on ARM, but they're even easier to pull off than on x86.
|
||||
|
||||
The researchers dubbed their new attack Drammer, which stands for deterministic Rowhammer, and plan to present it Wednesday at the 23rd ACM Conference on Computer and Communications Security in Vienna. The attack builds upon previous Rowhammer techniques devised and demonstrated in the past.
|
||||
|
||||
The VUSec researchers have created a malicious Android application that doesn't require any permissions and gains root privileges when it is executed by using undetectable memory bit flipping.
|
||||
|
||||
The researchers tested 27 Android devices from different manufacturers, 21 using ARMv7 (32-bit) and six using ARMv8 (64-bit) architectures. They managed to flip bits on 17 of the ARMv7 devices and one of the ARMv8 devices, indicating they are vulnerable to the attack.
|
||||
|
||||
Furthermore, Drammer can be combined with other Android vulnerabilities such as [Stagefright][4] or [BAndroid][3] to build remote attacks that don't require users to manually download the malicious app.
|
||||
|
||||
Google is aware of this type of attack. "After researchers reported this issue to our Vulnerability Rewards Program, we worked closely with them to deeply understand it in order to better secure our users," a Google representative said in an emailed statement. "We’ve developed a mitigation which we will include in our upcoming November security bulletin.”
|
||||
|
||||
Google's mitigation complicates the attack, but it doesn't fix the underlying problem, according to the VUSec researchers.
|
||||
|
||||
In fact, fixing what is essentially a hardware issue in software is impossible. Hardware vendors are investigating the problem and may be able to fix it in future memory chips, but chips present in existing devices will likely remain vulnerable.
|
||||
|
||||
Even worse, it's hard to say which devices are affected because there are many factors that come into play and haven't yet been fully investigated, the researchers said. For example, a memory controller might behave differently when the device battery level is under a certain threshold, so a device that doesn't appear to be vulnerable under a full charge might be vulnerable when its battery is low, the researchers explained.
|
||||
|
||||
Also, there's an adage in cybersecurity: Attacks always get better, they never get worse. Rowhammer attacks have grown from theoretical to practical but probabilistic and now to practical and deterministic. This means that a device that does not appear to be affected today could be proven vulnerable to an improved Rowhammer technique tomorrow.
|
||||
|
||||
Drammer was demonstrated on Android because the researchers wanted to investigate the impact on ARM-based devices, but the underlying technique likely applies to all architectures and operating systems. The new attack is also a vast improvement over past techniques that required either luck or special features that are present only on certain platforms and easily disabled.
|
||||
|
||||
Drammer relies on DMA (direct memory access) buffers used by many hardware subsystems, including graphics, network, and sound. While Drammer is implemented using Android's ION memory allocator, APIs and methods to allocate DMA buffers are present in all operating systems, and this warning is one of the paper's major contributions.
|
||||
|
||||
"For the very first time, we show that we can do targeted, fully reliable and deterministic Rowhammer without any special feature," said Cristiano Giuffrida, one of the VUSec researchers. "The memory massaging part is not even Android specific. It will work on any Linux platform -- and we suspect also on other operating systems -- because it exploits the inherent properties of the memory management inside the OS kernel."
|
||||
|
||||
"I expect that we're going to see many other flavors of this attack on different platforms," added Herbert Bos, a professor at Vrije Universiteit Amsterdam and leader of the VUSec Systems Security research group.
|
||||
|
||||
Along with their [paper][2], the researchers have released an Android app that can test if an Android device is vulnerable to Rowhammer -- at least to the currently known techniques. The app is not yet available on Google Play but can be downloaded from the [VUSec Drammer website][1] to be installed manually. An open-source Rowhammer simulator that can help other researchers investigate this issue further is also available.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via:http://www.csoonline.com/article/3134726/security/physical-ram-attack-can-root-android-and-possibly-other-devices.html
|
||||
|
||||
作者:[Lucian Constantin][a]
|
||||
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: http://www.csoonline.com/author/Lucian-Constantin/
|
||||
[1]:https://www.vusec.net/projects/drammer/
|
||||
[2]:https://vvdveen.com/publications/drammer.pdf
|
||||
[3]:https://www.vusec.net/projects/bandroid/
|
||||
[4]:http://www.csoonline.com/article/3045836/security/new-stagefright-exploit-puts-millions-of-android-devices-at-risk.html
|
||||
[5]:http://www.infoworld.com/article/3105889/security/flip-feng-shui-attack-on-cloud-vms-exploits-hardware-weaknesses.html
|
||||
[6]:http://www.computerworld.com/article/2954582/security/researchers-develop-astonishing-webbased-attack-on-a-computers-dram.html
|
||||
[7]:http://www.computerworld.com/article/2895898/google-researchers-hack-computers-using-dram-electrical-leaks.html
|
||||
[8]:http://csoonline.com/newsletters/signup.html
|
||||
@ -0,0 +1,71 @@
|
||||
针对物理 RAM 的攻击可以取得 Android 设备的根权限,其它设备也存在这样的可能
|
||||
===
|
||||
|
||||
>攻击者确实可以在物理存储单元中实现位翻转来达到侵入(这里把 compromise 翻译成了侵入,感觉还是有点词不达意)移动设备与计算机的目的
|
||||
|
||||
|
||||
|
||||
|
||||
研究者们发现了一种新的在不利用任何软件漏洞情况下,利用 RAM 芯片物理设计上的弱点来侵入 Android 设备的方式。这种攻击技术同样可以影响到其它如 ARM 和 X86 架构的设备与计算机。
|
||||
|
||||
攻击起源于过去十多年中将更多的 DRAM(动态随机存取存储器)容量封装进越来越小的芯片中,这将导致存储单元在特定情况下电子在相邻的两行中从一边泄漏到另一边。(这里翻译的有点不太通顺,特别是这 row 的概念,只是查看了维基百科有了大致了解,结合起来看可能会更有助理解 https://en.wikipedia.org/wiki/Row_hammer)
|
||||
|
||||
例如,反复且快速的访问相同的物理储存位置 -- 一种被称为 “hammering” (这里 hammering 实在不知道该如何处理,用英文原文似乎也挺好的,在读英文内容的时候也会带来一定的便利)的行为 -- 可以导致相邻位置的位值从 0 反转成 1,或者相反。
|
||||
|
||||
虽然这样的电子干扰已经被生产商知晓并且从可靠性角度研究了一段时间了 -- 因为内存错误能够导致系统崩溃 -- 研究者展示了在可控方式的触发下它所存在的严重安全隐患。
|
||||
|
||||
在 2015 年 4 月,来自谷歌 Project Zero 项目的研究者公布了两份基于内存 “row hammer” 对于 x86-64 CPU 架构的 [提权利用][7]。其中一份利用可以使代码从谷歌的 Chrome 浏览器沙盒里逃逸并且直接在系统上执行,另一份可以在 Linux 机器上获取高级权限。(这里的 kernel-level 不太确定该如何处理,这个可以参看 https://en.wikipedia.org/wiki/Privilege_level)
|
||||
|
||||
此后,其他的研究者进行了更深入的调查并且展示了[通过网站中 JaveScript 脚本进行利用的方式][6]甚至能够影响运行在云环境下的[虚拟服务器][5]。然而,对于这项技术是否可以应用在智能手机和移动设备大量使用的 ARM 架构中还是有疑问的。
|
||||
|
||||
现在,一队成员来自荷兰阿姆斯特丹自由大学,奥地利格拉茨技术大学和加州大学圣塔芭芭拉分校的 VUSec 小组,已经证明了 Rowhammer 不仅仅可以应用在 ARM 架构上并且甚至比在 x86 架构上更容易。
|
||||
|
||||
研究者们将他们的新攻击命名为 Drammer,代表了 Rowhammer 确实存在,并且计划于周三在维也纳举办的第 23 届 ACM 计算机与通信安全大会上展示。这种攻击建立在之前就被发现与实现的 Rowhammer 技术之上。
|
||||
|
||||
VUSec 小组的研究者已经制造了一个适用于 Android 设备的恶意应用,当它被执行的时候利用不易察觉的内存位反转在不需要任何权限的情况下就可以获取设备根权限。
|
||||
|
||||
研究者们测试了来自不同制造商的 27 款 Android 设备,21 款使用 ARMv7(32-bit)指令集架构,其它 6 款使用 ARMv8(64-bit)指令集架构。他们成功的在 17 款 ARMv7 设备和 1 款 ARMv8 设备上实现了为反转,表明了这些设备是易受攻击的。
|
||||
|
||||
此外,Drammer 能够与其它的 Android 漏洞组合使用,例如 [Stagefright][4] 或者 [BAndroid][3] 来实现无需用户手动下载恶意应用的远程攻击。
|
||||
|
||||
谷歌已经注意到了这一类型的攻击。“在研究者向漏洞奖励计划(这里应该是特指谷歌的那个吧,不知道把它翻译成中文是否合适)报告了这个问题之后,我们与他们进行了密切的沟通来深入理解这个问题以便我们更好的保护用户,”一位谷歌的代表在一份邮件申明中这样说到。“我们已经开发了一个缓解方案(这里将 mitigation 翻成了缓解方案不知是否妥当,这又是一个有丰富含义的概念 https://en.wikipedia.org/wiki/Vulnerability_management)将会包含在十一月的安全更新中。”
|
||||
|
||||
VUSec 的研究者认为,谷歌的缓解方案将会使得攻击过程更为复杂,但是它不能修复潜在的问题。
|
||||
|
||||
事实上,从软件上去修复一个由硬件导致的问题是不现实的。硬件供应商正在研究相关问题并且有可能在将来的内存芯片中被修复,但是在现有设备的芯片中风险依然存在。
|
||||
|
||||
更糟的是,研究者们说,由于有许多因素会影响到攻击的成功与否并且这些因素尚未被研究透彻,因此很难去说有哪些设备会被影响到。例如,内存控制器可能会在不同的电量的情况下展现不同的行为,因此一个设备可能在满电的情况下没有风险,当它处于低电量的情况下就是有风险的。
|
||||
|
||||
同样的,在网络安全中有这样一句俗语:Attacks always get getter, they never get worse.(这里借用“道高一尺,魔高一仗。”不知是否合适)Rowhammer 攻击已经从理论变成了变成了现实,同样的他可能也会从现在的简单实现变成确确实实的存在。(这一句凭自己的理解翻的)这意味着今天某个设备是不被影响的,在明天就有可能被改进后的 Rowhammer 技术证明它是存在风险的。
|
||||
|
||||
Drammer 在 Android 上实现是因为研究者期望研究基于 ARM 设备的影响,但是潜在的技术可以被使用在所有的架构与操作系统上。新的攻击相较于之前建立在运气与特殊特性与特定平台之上并且十分容易失效的技术已经是一个巨大的进步了。
|
||||
|
||||
Drammer 依靠被大量硬件子系统所使用的 DMA(直接存储访问)缓存,其中包括了图形,网络,声音。Drammer 的实现采用了所有操作系统上都有的 Android 的 ION内存分配器,接口,与方法,这个特征(这里将 warning 翻译成了特征,纯粹是自己的理解,不知是否妥当)是文章中主要的贡献之一。
|
||||
|
||||
"破天荒的,我们成功的展示了我们可以做到,在不依赖任何特定的特性情况下完全可靠的证明了 Rowhammer,“ VUSec 小组中的其中一位研究者, Cristiano Giuffrida 这样说道。”攻击所利用的内存位置并非是 Android 独有的。攻击在任何的 Linux 平台上都能工作 -- 我们甚至怀疑其它操作系统也可以 -- 因为它利用的是操作系统内核内存管理中固有的特性。“
|
||||
|
||||
”我期待我们可以看到更多针对其它平台的攻击的变种,“阿姆斯特丹自由大学的教授兼 VUSec 系统安全研究小组的领导者,Herbert Bos 补充道。
|
||||
|
||||
在他们的[文章][2]之外,研究者们也释出了一个 Android 应用来测试 Android 设备在受到 Rowhammer 攻击时是否会有风险 -- 在当前所知的技术条件下。应用还没有传上[谷歌应用商店][Google Play],可以从 [VUSec Drammer 网站][1] 下载来手动安装。一个开源的 Rowhammer 模拟器同样能够帮助其他的研究者来更深入的研究这个问题。
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via:http://www.csoonline.com/article/3134726/security/physical-ram-attack-can-root-android-and-possibly-other-devices.html
|
||||
|
||||
作者:[Lucian Constantin][a]
|
||||
|
||||
译者:[wcnnbdk1](https://github.com/wcnnbdk1)
|
||||
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: http://www.csoonline.com/author/Lucian-Constantin/
|
||||
[1]:https://www.vusec.net/projects/drammer/
|
||||
[2]:https://vvdveen.com/publications/drammer.pdf
|
||||
[3]:https://www.vusec.net/projects/bandroid/
|
||||
[4]:http://www.csoonline.com/article/3045836/security/new-stagefright-exploit-puts-millions-of-android-devices-at-risk.html
|
||||
[5]:http://www.infoworld.com/article/3105889/security/flip-feng-shui-attack-on-cloud-vms-exploits-hardware-weaknesses.html
|
||||
[6]:http://www.computerworld.com/article/2954582/security/researchers-develop-astonishing-webbased-attack-on-a-computers-dram.html
|
||||
[7]:http://www.computerworld.com/article/2895898/google-researchers-hack-computers-using-dram-electrical-leaks.html
|
||||
[8]:http://csoonline.com/newsletters/signup.html
|
||||
Loading…
Reference in New Issue
Block a user