VU Research wins Pwnie Award for Most Innovative Research

August 4, 2016

Last night, at the Black Hat Conference in Las Vegas, VU researchers Erik Bosman, Kaveh Razavi, Cristiano Giuffrida, and Herbert Bos won the prestigious Pwnie for Most Innovative Research for their work: "Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector". 

The Pwnie Awards, sometimes referred to as the Oscars for hackers, are named after the word "pwn", which is hacker slang for compromising and controlling some system. 

The Pwnie for Most Innovative Research was awarded for a new attack technique that allows attackers to take over state-of-the-art software (such as the new Edge browser on Microsoft Windows) with all defenses up, even if the software has no bugs (!). Moreover, they can do this from JavaScript in the browser. JavaScript is the code that browsers automatically execute when they open a website. 

Brief explanation of the attack: 

The attack has two components. First, it makes use of the way modern systems such as Windows handle memory, which is very efficient, but also allows attackers to leak secret information (such as passwords and other secrets). 

Specifically, to save memory usage, Windows periodically scans all "pages" of memory to see if there are duplicates (pages that contain exactly the same data) and, if so, makes sure that data is stored in physical memory only once. So, if two programs have the exact same memory page, it keeps a single copy that both programs use: they simply refer to the same page in memory. Doing so saves memory, but unfortunately, the attackers' JavaScript code can detect that this has happened and use it to leak information. For instance, say the attackers want to know if the user ever looks at ISIS propaganda pictures. To check, they could store some of these pictures in memory and, if they detect that any of these memory pages are combined ("deduplicated"), they know that some other program or another browser tab also has that picture in memory. The VU research shows how to go from such coarse-grained information leaks to more fine-grained ones. 
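To make the mechanism concrete, here is a small toy model of page deduplication, written for this article as an added example (it is not code from the VU researchers or from Windows). It assumes a simplified page table, a scan that merges byte-identical pages into one physical frame, and copy-on-write on the first write to a merged page. The point from a defender's view is the last step: a write to a merged page costs an extra copy that a write to a private page does not, which is why merging untrusted content with pages from other programs turns a memory optimisation into an observable signal.

```python
"""Toy model of page-level memory deduplication (constructed example).

Not the VU researchers' code and not the Windows implementation; it only
models the mechanism: a periodic scan merges byte-identical pages into one
physical frame, and the first write to a merged frame forces a private copy.
"""
import hashlib
from dataclasses import dataclass, field

PAGE_SIZE = 4096


@dataclass
class Process:
    name: str
    # virtual page number -> physical frame id (hypothetical page table)
    page_table: dict = field(default_factory=dict)


class PhysicalMemory:
    def __init__(self):
        self.frames = {}       # frame id -> page contents (bytes)
        self.refcount = {}     # frame id -> number of mappings
        self.next_id = 0
        self.cow_events = 0    # copy-on-write events observed so far

    def alloc(self, proc, vpn, data):
        """Give `proc` a private frame holding `data` at virtual page `vpn`."""
        assert len(data) == PAGE_SIZE, "one full page expected"
        fid, self.next_id = self.next_id, self.next_id + 1
        self.frames[fid] = bytes(data)
        self.refcount[fid] = 1
        proc.page_table[vpn] = fid

    def dedup_scan(self, processes):
        """Merge frames with identical contents; return how many were merged."""
        canonical_by_hash = {}
        merged = 0
        for proc in processes:
            for vpn, fid in list(proc.page_table.items()):
                digest = hashlib.sha256(self.frames[fid]).digest()
                canon = canonical_by_hash.setdefault(digest, fid)
                if canon == fid:
                    continue
                # Duplicate found: point this mapping at the canonical frame.
                proc.page_table[vpn] = canon
                self.refcount[canon] += 1
                self.refcount[fid] -= 1
                if self.refcount[fid] == 0:
                    del self.frames[fid], self.refcount[fid]
                merged += 1
        return merged

    def write(self, proc, vpn, offset, byte):
        """Write one byte; return True if a copy-on-write was needed."""
        fid = proc.page_table[vpn]
        cow = self.refcount[fid] > 1
        if cow:
            # Shared frame: the writer must first get a private copy.
            self.refcount[fid] -= 1
            new_fid, self.next_id = self.next_id, self.next_id + 1
            self.frames[new_fid] = self.frames[fid]
            self.refcount[new_fid] = 1
            proc.page_table[vpn] = fid = new_fid
            self.cow_events += 1
        page = bytearray(self.frames[fid])
        page[offset] = byte
        self.frames[fid] = bytes(page)
        return cow

    def resident_frames(self):
        return len(self.frames)


def demo():
    """Two programs hold one identical page each plus one private page."""
    mem = PhysicalMemory()
    a, b = Process("browser-tab"), Process("other-program")
    shared_content = b"\x41" * PAGE_SIZE   # constructed page contents
    mem.alloc(a, 0, shared_content)
    mem.alloc(b, 0, shared_content)
    mem.alloc(b, 1, b"\x42" * PAGE_SIZE)

    before = mem.resident_frames()                 # 3 frames
    merged = mem.dedup_scan([a, b])                # merges the identical pair
    after = mem.resident_frames()                  # 2 frames
    cow_shared = mem.write(a, 0, 0, 0x43)          # first write: extra copy
    cow_private = mem.write(b, 1, 0, 0x43)         # private page: no copy
    return {
        "frames_before": before,
        "merged": merged,
        "frames_after": after,
        "cow_on_shared_page": cow_shared,
        "cow_on_private_page": cow_private,
        "frames_at_end": mem.resident_frames(),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two sides of the trade-off: the scan drops the resident frame count from three to two, and the first write to the merged page is the one that pays for a fresh copy. Any policy that keeps pages from untrusted code (such as a website's JavaScript heap) from being merged with pages of other programs removes exactly that difference.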

Second, it harnesses a bizarre hardware glitch that exists in many memory chips in use today. Because bits of data are packed so closely together in modern memory chips, the reliability of the memory cells storing the bits has started to suffer. By reading from memory locations fast enough, some charge will leak from one memory cell to another, causing the value of some of the stored bits to "flip". Of course, this is very rare and normal software should never experience this, but the VU researchers show how to trigger it in a controlled way.

Essentially, the attack uses the information leak to find the secret location of code that should never ever be exposed from JavaScript and then uses the hardware glitch with this code pointer for compromising the browser. 

Implications: 

The research results change our view on software security. We used to think that information systems were insecure because the software was so buggy. Now we see that even with *perfect software*, attackers can still pwn your system. The work forced Microsoft to rethink the memory management design of the latest version of the Windows operating system.

http://www.vu.nl/en/news-agenda/news/2016/jul-sep/pwnie-award-for-most-innovative-research-on-hacking.aspx