Deduplication Rowhammer Windows exploitation

There’s a new research paper on using Deduplication and Rowhammer against Windows. Abstract:

Memory deduplication, a well-known technique to reduce the memory footprint across virtual machines, is now also a default-on feature inside the Windows 8.1 and Windows 10 operating systems. Deduplication maps multiple identical copies of a physical page onto a single shared copy with copy-on-write semantics. As a result, a write to such a shared page triggers a page fault and is thus measurably slower than a write to a normal page. Prior work has shown that an attacker able to craft pages on the target system can use this timing difference as a simple single-bit side channel to discover that certain pages exist in the system. In this paper, we demonstrate that the deduplication side channel is much more powerful than previously assumed, potentially providing an attacker with a weird machine to read arbitrary data in the system. We first show that an attacker controlling the alignment and reuse of data in memory is able to perform byte-by-byte disclosure of sensitive data (such as randomized 64 bit pointers). Next, even without control over data alignment or reuse, we show that an attacker can still disclose high-entropy randomized pointers using a birthday attack. To show these primitives are practical, we present an end-to-end JavaScript-based attack against the new Microsoft Edge browser, in absence of software bugs and with all defenses turned on. Our attack combines our deduplication-based primitives with a reliable Rowhammer exploit to gain arbitrary memory read and write access in the browser. We conclude by extending our JavaScript-based attack to cross-process system-wide exploitation (using the popular nginx web server as an example) and discussing mitigation strategies.

Click to access 0824a987.pdf

Click to access dedup-est-machina_sp16.pdf
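The copy-on-write behaviour the abstract describes, as an added toy model (not code from the paper or from this post): a write to a merged page takes the slow fault path, which is the single-bit signal, and that signal disappears when merging is off. The `Memory` class, the owner names and the page contents are constructed for illustration, a boolean stands in for the timing difference, and turning merging off is an assumed mitigation that the post itself does not name.

```python
# Toy model of page deduplication with copy-on-write (constructed for illustration).
from dataclasses import dataclass, field

PAGE_SIZE = 4096

@dataclass
class Memory:
    dedup_enabled: bool = True
    frames: dict = field(default_factory=dict)    # frame id -> page bytes
    mapping: dict = field(default_factory=dict)   # (owner, vpage) -> frame id
    next_frame: int = 0

    def alloc(self, owner, vpage, data):
        assert len(data) == PAGE_SIZE
        self.frames[self.next_frame] = bytes(data)
        self.mapping[(owner, vpage)] = self.next_frame
        self.next_frame += 1

    def dedup_pass(self):
        """Map identical pages onto a single shared frame."""
        if not self.dedup_enabled:      # assumed mitigation: merging turned off
            return
        canonical = {}                  # page content -> first frame holding it
        for key, fid in sorted(self.mapping.items(), key=lambda kv: kv[1]):
            self.mapping[key] = canonical.setdefault(self.frames[fid], fid)
        live = set(self.mapping.values())
        self.frames = {f: d for f, d in self.frames.items() if f in live}

    def write(self, owner, vpage, offset, value):
        """Write one byte; return True if it needed a copy-on-write fault."""
        fid = self.mapping[(owner, vpage)]
        shared = sum(1 for f in self.mapping.values() if f == fid) > 1
        if shared:                      # slow path: take a private copy first
            self.frames[self.next_frame] = self.frames[fid]
            fid = self.mapping[(owner, vpage)] = self.next_frame
            self.next_frame += 1
        page = bytearray(self.frames[fid])
        page[offset] = value
        self.frames[fid] = bytes(page)
        return shared

def probe_leaks(dedup_enabled):
    """Return (fault on matching page, fault on control page) for one observer."""
    mem = Memory(dedup_enabled=dedup_enabled)
    mem.alloc("victim", 0, b"S" * PAGE_SIZE)      # constructed sample content
    mem.alloc("observer", 0, b"S" * PAGE_SIZE)    # identical page
    mem.alloc("observer", 1, b"X" * PAGE_SIZE)    # non-matching control page
    mem.dedup_pass()
    return mem.write("observer", 0, 0, 0), mem.write("observer", 1, 0, 0)
```

With merging on, only the write to the page that matches another owner's content faults; with merging off, neither write does, so there is nothing left to measure.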

AMI’s StorTrends granted 3 new flash storage patents

SPOILER ALERT: This post discusses patents. If you’re an employee at a company, ask your manager if you’re able to read this sort of information…

On Monday, AMI announced that StorTrends(R), its data storage division, has been granted three U.S. patents related to flash storage. Excerpting their press release:

AMI was granted U.S. Patent No. 8,954,339 on Data Deduplication for Information Storage Systems, which was filed on April 18, 2012. This awarded patent covers the means to have deduplication run at optimal and efficient space-saving levels. Specifically, it optimizes the amount of system RAM space used in the system to reduce (or dedupe) terabytes worth of data without affecting performance. In terms of customer benefit, this greatly reduces the amount of SSD capacity that a company is required to purchase within the SAN while also delivering the lowest latency in the industry to significantly increase value and response times within an IT environment.

AMI was granted the second patent — U.S. Patent No. 8,812,811 on Data Migration between Multiple Tiers in a Storage System — which was filed on August 10, 2012. This awarded patent covers the means that StorTrends utilizes to efficiently analyze blocks of data and move the individual blocks among different tiers of storage. Customers lower their costs significantly from StorTrends taking the highly accessed blocks of data in the environment and putting only those blocks into the expensive drive SSD tiers, while the less frequently accessed blocks occupy only the lower, less expensive tier of the storage array.

AMI was granted the third patent—Patent No. 8,711,851 on Multi-Protocol Data Transfers — which was filed on July 18, 2008. This patent covers the means that StorTrends uses to maximize the reliability of transmission control protocol and the performance of user datagram protocol to ensure that StorTrends’ replication is the fastest in the industry. This decreases replication management and increases the possible recovery point objective (RPO) for a customer by giving more available bandwidth for the blocks that need to go to their disaster recovery (DR) location. StorTrends also incorporates periodicity, which allows the customer to set the priority bandwidth for the replication of the data and avoid bogging down the network during peak business hours. The Wide-Area Data Services (WDS) technology suite includes data deduplication, compression, encryption, and WAN optimization. This technology ensures that the primary site stays in-sync with the secondary site, allowing for increased RPO and recovery time objective.

Read the full press release here: