
DRAMA: New attack allows you to secretly steal data from isolated virtual machines





At the Black Hat Europe conference, held in London from November 1 to 4, Austrian researchers presented a new attack that exploits the way the CPU interacts with DRAM. The method lets an attacker using JavaScript steal sensitive information directly from virtual machines. The attack is called DRAMA.



How it works



Researchers Anders Fogh and Michael Schwarz demonstrated several cross-processor attacks during their presentation. The first part of their research was presented at the USENIX Security Symposium in August of this year.


At Black Hat, the authors showed how attackers using JavaScript can intercept small “portions” of sensitive data, such as passwords or private keys, from virtual machines that are not even connected to the network.



The authors describe two attack scenarios.





Consider the first scenario. Here the goal is to move data out of a virtual machine (VM) that has no network access into the host operating system (OS), from which the attacker then downloads it over the network.



This is possible because of how DRAM is organized: the sending process (inside the VM) and the receiving process (on the host) use memory addresses that lie in the same DRAM bank. If a process has recently accessed memory in a given bank, subsequent accesses to that bank are served quickly.



If the sender accessed that memory between two of the receiver's accesses, the receiver's second access takes longer and is interpreted as a 1 bit; if the sender did not touch the memory between the two accesses, this is read as a 0.



The main task is to obtain addresses in a shared memory bank (or in several banks, to speed up the transfer) and to correctly determine the timing of the interaction between the two processes. To solve it, the authors relied on features common to many modern systems: they often use large memory pages (> 2 MB), and the address-polling frequency on the receiver side can be several times higher than the write frequency on the sender side. Knowing this, the researchers were able to make assumptions about the behavior of the target system.
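The bit-encoding rule above (a slow access means 1, a fast one means 0) and the receiver polling several times faster than the sender writes together amount to decoding an oversampled timing signal. The following is an added example, not code from the article or from the researchers, that simulates that decoding on a constructed latency trace: the latency values, the oversampling factor, the threshold calibration and the contention model are all assumptions made for illustration. It also models the failure mode the article mentions later, where another application working in the same bank corrupts the channel.

```python
import random
from statistics import median

# Constructed latencies (nanoseconds) for this example; real values depend on
# the CPU, the DRAM module and the measurement method and are not on the page.
FAST_NS = 60    # receiver's probe when nobody touched the bank in between
SLOW_NS = 110   # receiver's probe after the sender touched the same bank


def encode_trace(bits, oversample, jitter=0, seed=0):
    """Latency trace the receiver would observe.

    The sender holds each bit for one symbol period; the receiver polls the
    shared bank `oversample` times per period, so a 1 bit shows up as a run of
    slow probes and a 0 bit as a run of fast probes. `jitter` adds uniform
    measurement noise of +/- jitter ns.
    """
    rng = random.Random(seed)
    trace = []
    for bit in bits:
        base = SLOW_NS if bit else FAST_NS
        trace.extend(base + rng.randint(-jitter, jitter) for _ in range(oversample))
    return trace


def calibrate_threshold(trace):
    """Split the observed latencies into a fast and a slow cluster and put the
    decision threshold halfway between their medians. Assumes the trace holds
    both kinds of probe (e.g. a known preamble was sent first)."""
    ordered = sorted(trace)
    half = len(ordered) // 2
    return (median(ordered[:half]) + median(ordered[half:])) / 2


def decode_trace(trace, oversample, threshold):
    """Receiver side: classify each probe as slow (1) or fast (0), then take a
    majority vote over each symbol period to recover the sender's bit."""
    bits = []
    for start in range(0, len(trace) - oversample + 1, oversample):
        window = trace[start:start + oversample]
        slow = sum(1 for t in window if t > threshold)
        bits.append(1 if 2 * slow > oversample else 0)
    return bits


def add_bank_contention(trace, probability, seed=1):
    """Failure mode from the article: another application working in the same
    bank makes some of the receiver's probes slow regardless of the sender."""
    rng = random.Random(seed)
    return [SLOW_NS if rng.random() < probability else t for t in trace]


def bit_error_rate(sent, received):
    """Fraction of bit positions that differ (missing bits count as errors)."""
    n = max(len(sent), len(received))
    errors = sum(1 for a, b in zip(sent, received) if a != b)
    errors += abs(len(sent) - len(received))
    return errors / n if n else 0.0


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]        # constructed payload
    clean = encode_trace(message, oversample=5, jitter=10)
    threshold = calibrate_threshold(clean)
    print("recovered:", decode_trace(clean, 5, threshold))
    noisy = add_bank_contention(clean, probability=0.3)
    print("BER with contention:",
          bit_error_rate(message, decode_trace(noisy, 5, threshold)))
```

The majority vote is what the oversampling buys: a single spurious slow probe inside a symbol period does not flip the bit, which is why the article's caveat about other applications occupying the bank degrades the channel gradually rather than breaking it outright. Raising the contention probability towards 1 drives every 0 bit to 1 and the error rate to the fraction of zeros in the message.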



In the second scenario, the attack uses a method similar to attacks on the processor's cache memory. The idea is that, knowing which addresses a process accessed, one can infer the data fed into it, for example the site address the user typed into the browser's address bar.



There is no easy defense



The researchers developed an attack that requires neither exploiting a vulnerability nor running malicious software on the host system: it simply opens a covert channel between the virtual machine and the host.



At the same time, Fogh and Schwarz admit that the attack will not always work correctly: in some cases the memory used for the transfer may be occupied by other applications, which prevents data from leaving the virtual machine, but the likelihood of such an outcome is not very high.



The researchers focused on testing their attack method on the Intel x86-64 platform, but they found that other architectures, for example ARM processors in smartphones, are also vulnerable.



Because the attack relies on how the DRAM mechanism works, the researchers are convinced that no simple countermeasure exists. However, they do not expect many such attacks against real systems in the coming years. But the mere possibility of such attacks shows that developers need to improve the security not only of software but of the hardware itself.

Source: https://habr.com/ru/post/314856/


