Archive for April 1, 2015

Wednesday, April 1, 2015

Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges

Mark Seaborn (via Collin Allen):

“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.

[…]

History has shown that issues that are thought to be “only” reliability issues often have significant security implications, and the rowhammer problem is a good example of this. Many layers of software security rest on the assumption that the contents of memory locations don't change unless the locations are written to.

The public discussion of software flaws and their exploitation has greatly expanded our industry’s understanding of computer security in past decades, and responsible software vendors advise users when their software is vulnerable and provide updates. Though the industry is less accustomed to hardware bugs than to software bugs, we would like to encourage hardware vendors to take the same approach: thoroughly analyse the security impact of “reliability” issues, provide explanations of impact, offer mitigation strategies and — when possible — supply firmware or BIOS updates.
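To make concrete why a single bit flip in a page table entry undermines the assumption Seaborn describes, here is a small decoder for the x86-64 4 KiB leaf PTE layout. It is an added illustration, not code from the Project Zero post or its exploits: it classifies each bit position (permission/attribute flag, physical frame number, software/protection-key bits, or NX) and reports whether flipping that bit would leave a present entry pointing at a different physical frame. The sample PTE value is constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Field layout of an x86-64 leaf PTE for a 4 KiB page. */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITABLE  (1ULL << 1)
#define PTE_USER      (1ULL << 2)
#define PTE_NX        (1ULL << 63)
#define PTE_PFN_SHIFT 12
#define PTE_PFN_BITS  40                               /* bits 12..51 */
#define PTE_PFN_MASK  (((1ULL << PTE_PFN_BITS) - 1) << PTE_PFN_SHIFT)

enum flip_effect {
    FLIP_FLAG,      /* bits 0..11 and 63: present/rw/user/cache/accessed/dirty/global/NX */
    FLIP_PFN,       /* bits 12..51: the physical frame the page maps to */
    FLIP_SOFTWARE   /* bits 52..62: ignored by hardware or protection-key bits */
};

/* Physical frame number encoded in the entry. */
uint64_t pte_pfn(uint64_t pte) {
    return (pte & PTE_PFN_MASK) >> PTE_PFN_SHIFT;
}

/* The entry as it would read after a rowhammer-style flip of one bit. */
uint64_t pte_flip_bit(uint64_t pte, unsigned bit) {
    return pte ^ (1ULL << bit);
}

/* Which architectural field a given bit position belongs to. */
enum flip_effect pte_flip_effect(unsigned bit) {
    if (bit < PTE_PFN_SHIFT || bit == 63)
        return FLIP_FLAG;
    if (bit < PTE_PFN_SHIFT + PTE_PFN_BITS)
        return FLIP_PFN;
    return FLIP_SOFTWARE;
}

/* True when the flipped entry is still present but now maps a different frame:
 * this is the class of flip that silently redirects a virtual page. */
bool flip_redirects_mapping(uint64_t pte, unsigned bit) {
    uint64_t flipped = pte_flip_bit(pte, bit);
    return (flipped & PTE_PRESENT) != 0 && pte_pfn(flipped) != pte_pfn(pte);
}

int main(void) {
    /* Constructed sample: present, writable, user, accessed, dirty, PFN 0x12345. */
    uint64_t pte = 0x12345067ULL;
    static const char *names[] = { "flag", "pfn", "software/pkey" };

    printf("PTE %#018llx maps PFN %#llx\n",
           (unsigned long long)pte, (unsigned long long)pte_pfn(pte));
    for (unsigned bit = 0; bit < 64; bit++) {
        printf("bit %2u: %-14s redirects=%s\n", bit,
               names[pte_flip_effect(bit)],
               flip_redirects_mapping(pte, bit) ? "yes" : "no");
    }
    return 0;
}
```

Running it lists 40 positions (bits 12 through 51) where a single flip changes which physical frame the virtual page maps, with no write to the entry ever having occurred; that is the defender-relevant point behind the quoted paragraph, and why ECC memory and the vendor mitigations the post asks for matter.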

Printing Objective-C Invocations in LLDB

Ari Grant:

A while ago Facebook open-sourced Chisel, a collection of commands and functions to assist in debugging iOS apps in LLDB.

[…]

There is one command that I find particularly fun and interesting yet haven’t had the chance to write about, until this post.

The command is pinvocation (for print invocation) which is most useful for debugging Objective-C methods in Apple’s code (or anything where you don’t have access to the source and thus symbols). pinvocation finds the values for self and _cmd, packages them up into an NSInvocation and then prints it all out for you, including the arguments.

It sounds like a wonderful idea, but I tried it with several applications and was not able to get it to work. I kept getting errors like:

error: error: 0 errors parsing expression
error: The expression could not be prepared to run in the target

Currently, only 32-bit x86 (Mac and iOS simulator) is supported.

Store Within a Store

Ouriel Ohayon:

Messenger “App Store” is the 1st major exception to App store rule 2.25 (i.e. do not promote apps that are not yours)

Why Overload Operators?

Marcel Weiher:

There are two candidates for what the difference might be: the fact that the operation is now written in infix notation and that it’s using special characters.

[…]

To my eyes at least, the binary-message version is no improvement over the keyword message, in fact it seems somewhat worse to me. So the attractiveness of infix notation appears to be a strong candidate for why operator overloading is desirable. Of course, having to use operator overloading to get infix notation is problematic, because special characters generally do not convey the meaning of the operation nearly as well as names, conventional arithmetic aside.

[…]

I’d say that overloaded operators are particularly attractive (to hacker mentalities, but that’s probably most of us) in languages where this boundary between user-defined and built-in stuff exists, and therefore those overloaded operators let you cross that boundary and do things normally reserved for language implementors.

Amazon Cloud Drive

Kirby Turner:

Amazon Cloud Drive is the solution I’ve been looking for to archive my old data to the cloud. I’ll continue using external hard drives, Dropbox, Backblaze and such for backups, but my days with SmugMugs might be numbered. Still, I’m excited to finally have an affordable cloud storage solution for my old data.

Amazon:

Unlimited photo storage, plus 5 GB for videos and files for just $11.99 per year.

[…]

Securely store all of your photos, videos, files and documents for just $59.99 per year.