Off by a Bit: Exploring Bit-Flip Vulnerabilities Through Program Emulation and Symbolic Execution
Authors
Olesen, Anders Trier ; Joensen, Ólavur Debes ; Bossen, Jannek Alexander Westerhof
Term
4. term
Education
Publication year
2017
Submitted on
2017-06-09
Pages
63
Abstract
As DRAM chips keep shrinking, they approach physical limits that reduce their reliability. One known hardware weakness, Rowhammer, occurs when rapid, repeated accesses to one memory row cause bits in physically adjacent rows to flip. We study how such unintended bit flips in the underlying execution platform can be used to defeat key software security mechanisms. In particular, we demonstrate practical attacks against OpenSSH, su, and vsftpd that are each triggered by a single bit flip. To test these attacks safely and reproducibly, we built FLIP, a bit-flip emulator based on QEMU. FLIP injects controlled bit flips with a chosen timing, location, and bit mask, and can target CPU flags and registers as well as main memory. To point at promising places to flip, we also built FLOP, an analysis tool based on the KLEE symbolic execution engine. Symbolic execution explores many program paths by treating inputs as symbols rather than concrete values; FLOP uses this to find when and where an injected bit flip can drive a program to user-specified program points that are otherwise unreachable. We then use FLOP's results to configure FLIP and evaluate the effect of the suggested bit flips.
[This abstract was generated with the help of AI]
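The two questions the abstract raises, "which single flip reaches an otherwise unreachable point?" (FLOP) and "inject a flip at a chosen location and bit mask and see what happens" (FLIP), reduced to a self-contained toy. This is an added example, not code from the thesis, from FLIP/FLOP, or from su, OpenSSH or vsftpd; the `struct session` layout, the two gate functions and the `AUTH_GRANTED` constant are assumptions made up for the illustration. Instead of symbolic execution it simply enumerates every single-bit flip over a small state and reports the ones that make a privilege gate grant access, first for a "non-zero means authenticated" check and then for a check against a magic value with 16 bits set.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a privilege gate (not code from the thesis or from
 * any of its targets): the state a late check inspects before handing out
 * privilege. Layout is an assumption chosen for the example. */
struct session {
    int32_t  authenticated;  /* weak gate: 0 = denied, anything else = granted */
    uint32_t target_uid;     /* 0 = root */
    char     user[8];
};

typedef bool (*gate_fn)(const struct session *);

/* Weak gate: "non-zero means authenticated". Every one of the 32 bits of
 * `authenticated` flips a denied state into a granted one. */
bool gate_weak(const struct session *s) {
    return s->authenticated != 0 && s->target_uid == 0;
}

/* Hardened gate: require an assumed magic constant with 16 bits set, so no
 * single memory flip of the denied value 0 can produce it. */
#define AUTH_GRANTED 0x3CA5C35Au
bool gate_hardened(const struct session *s) {
    return (uint32_t)s->authenticated == AUTH_GRANTED && s->target_uid == 0;
}

/* Inject one bit flip at (byte offset, bit mask): the location and mask knobs
 * a FLIP-style emulator exposes for a memory target. */
void flip_bit(void *state, size_t offset, uint8_t mask) {
    ((uint8_t *)state)[offset] ^= mask;
}

/* Brute-force stand-in for FLOP's question: try every single-bit flip over the
 * state and record the ones that make the gate grant access. Stores at most
 * max_hits (offset, mask) pairs and returns the number stored. */
size_t find_single_bit_flips(gate_fn gate, const struct session *baseline,
                             size_t *offsets, uint8_t *masks, size_t max_hits) {
    size_t hits = 0;
    if (gate(baseline)) return 0;              /* target already reachable */
    for (size_t off = 0; off < sizeof *baseline && hits < max_hits; off++) {
        for (int bit = 0; bit < 8 && hits < max_hits; bit++) {
            struct session trial = *baseline;
            uint8_t mask = (uint8_t)(1u << bit);
            flip_bit(&trial, off, mask);
            if (gate(&trial)) {
                offsets[hits] = off;
                masks[hits]   = mask;
                hits++;
            }
        }
    }
    return hits;
}

/* A freshly denied session for user "alice" (constructed sample state). */
struct session denied_session(void) {
    struct session s = { .authenticated = 0, .target_uid = 0 };
    strncpy(s.user, "alice", sizeof s.user - 1);
    return s;
}

/* Number of single-bit flips of the denied state that a given gate accepts. */
size_t count_single_bit_flips(gate_fn gate) {
    struct session denied = denied_session();
    size_t offs[128]; uint8_t masks[128];
    return find_single_bit_flips(gate, &denied, offs, masks, 128);
}

int main(void) {
    struct session denied = denied_session();
    size_t offs[128]; uint8_t masks[128];

    size_t n = find_single_bit_flips(gate_weak, &denied, offs, masks, 128);
    printf("weak gate: %zu single-bit flips grant access\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  byte %zu, mask 0x%02x\n", offs[i], masks[i]);

    n = find_single_bit_flips(gate_hardened, &denied, offs, masks, 128);
    printf("hardened gate: %zu single-bit flips grant access\n", n);
    return 0;
}
```

The magic-value check only closes the memory-flip avenue; the comparison itself still ends in a conditional branch, and a flip of the CPU flag it tests (the abstract notes FLIP can target flags and registers, not just memory) defeats both gates alike. Keeping security-critical state out of long-lived memory and re-deriving it close to the point of use narrows the window in which a flip is useful, but does not remove it.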
Keywords
bit-flips ; bitflips ; llvm ; qemu ; symbolic execution ; static analysis ; vulnerabilities ; rowhammer ; Off by a bit ; flip ; flop ; klee
Documents
