Flip Feng Shui: A new threat for the Cloud?


Yesterday researchers from the Vrije Universiteit Amsterdam and the Katholieke Universiteit Leuven published a new vulnerability named Flip Feng Shui. This attack tries to get SSH keys from virtual servers in the Cloud by using the Row hammer vulnerability. Big words that sound scary. But are they? Is this the end of the Cloud? Time for a deep dive.

But first and foremost: our systems are safe and not vulnerable to this attack. Read on to find out why.

What does the attack do?

The attack tries to get access to virtual servers running in the cloud. It does this by trying to get hold of SSH keys. SSH keys are used by administrators and users to authenticate to a (virtual) server. There are other attacks on SSH keys, but the way this attack works, how the attacker reaches the key material, is what makes it special.

How do they get to the keys then?

Usually attacks try to mislead the user or find a vulnerability in the software. An example is a phishing email telling the recipient something like 'Your new credit card is ready'. All the user has to do is log in to a (fake) site that resembles the bank's website. The reason you always need to keep software up to date is to patch vulnerabilities that might otherwise be abused.

Attacks are rarely aimed at the hardware, the physical server itself. But that is exactly what this attack does.

How the attack works

The attack builds on another vulnerability, named Row hammering, and (ab)uses two things: a specific property of server memory modules, and the way hypervisors hand out memory to virtual servers.

Memory modules consist of cells in which data is stored. Each cell holds an electric charge, but that charge weakens over time. When an attacker writes to the cells next to a specific cell a great many times, it is possible to change the charge of that cell and thus give a specific memory location a different value, without ever writing to that cell itself. That is the first part of the attack.

When a server is used for virtualisation, an administrator can choose between two options for allocating memory:

  • Each virtual server gets its own unique, non-shared memory
  • Each virtual server gets memory, but the hypervisor merges memory pages from different VMs that have the same content

Virtual machines keep a lot of identical data in RAM in order to work. Every server, for example, has a component that authenticates users, and many servers run a web server that serves websites.

The result of same-page memory merging (the second option) is lower RAM usage on the hypervisor, so the admin is able to run more VMs on that server. This is where the first part of the attack comes in. By changing the contents of specific pages with the Row hammer vulnerability, an attacker is able to change the memory of another VM, because on the hypervisor both VMs are backed by the same merged page. The VMs think they have their own RAM, but the hypervisor points them to the same RAM location, since it considers the content to be identical.

Why do hosting providers then utilize this memory merging?

Simply put: cost saving. By using same-page memory merging a provider can overprovision its servers. That means it places more VMs on a server than the RAM in that server would otherwise allow.

That does bring risks. When a virtual server wants to use all of its allocated RAM for a memory-intensive operation, chances are that the requested memory is not actually available on the hypervisor. The hypervisor will then use the hard disks (swap) as RAM, which is significantly slower. Or the virtual server is simply denied the memory and is unable to complete the operation.

A second risk is the one we are facing now, Row hammering.

What is the situation at CloudVPS?

Our virtualisation environments are set up to give each VPS its own unique, non-shared memory. We do not use same-page memory merging, so our customers get exactly what they pay for. We do not overprovision and specifically do not use Kernel Samepage Merging (KSM).
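The merging option discussed above is, on Linux hypervisors, Kernel Samepage Merging, which the kernel controls through a few files under /sys/kernel/mm/ksm. The following POSIX shell script is an added example, not CloudVPS tooling, that an administrator can run on a KVM host to verify that KSM is off and that no merged pages remain. It assumes a Linux host; the file paths are the kernel's documented KSM interface, and the functions accept an alternative path so they can be exercised with constructed files.

```shell
#!/bin/sh
# Added example: verify that Kernel Samepage Merging (KSM) is not active
# on a Linux hypervisor. The sysfs files below are the kernel's own KSM
# interface (Documentation/admin-guide/mm/ksm.rst). KSM_DIR may be
# overridden, e.g. to point at a test directory.
KSM_DIR="${KSM_DIR:-/sys/kernel/mm/ksm}"

# Translate the numeric content of .../ksm/run into a readable state.
# 0 = KSM stopped, 1 = KSM running (pages are being merged),
# 2 = KSM stopped and all previously merged pages unmerged.
ksm_state_from_value() {
  case "$1" in
    0) echo "disabled" ;;
    1) echo "enabled" ;;
    2) echo "disabled-unmerged" ;;
    *) echo "unknown" ;;
  esac
}

# Report the KSM state for the run file given as $1 (defaults to the real
# sysfs path). Prints "absent" when the file is missing, which is what a
# kernel built without CONFIG_KSM, or a non-Linux host, looks like.
ksm_status() {
  run_file="${1:-$KSM_DIR/run}"
  if [ ! -r "$run_file" ]; then
    echo "absent"
    return 0
  fi
  ksm_state_from_value "$(tr -d '[:space:]' < "$run_file")"
}

# Number of pages currently shared through KSM; 0 when the counter is missing.
ksm_pages_shared() {
  shared_file="${1:-$KSM_DIR/pages_shared}"
  if [ -r "$shared_file" ]; then
    tr -d '[:space:]' < "$shared_file"
  else
    echo 0
  fi
}

# Exit status 0 means "no cross-VM page merging on this host"; 1 means KSM
# is still running or merged pages still exist (turning the daemon off does
# not unmerge pages that were merged earlier).
ksm_check() {
  state="$(ksm_status "$1")"
  shared="$(ksm_pages_shared "$2")"
  echo "KSM state: $state, pages currently shared: $shared"
  if [ "$state" = "enabled" ] || [ "$shared" -gt 0 ]; then
    return 1
  fi
  return 0
}

# Run the check against the live host unless the caller only wants the functions.
if [ "${KSM_CHECK_NO_MAIN:-0}" != 1 ]; then
  ksm_check || echo "WARNING: cross-VM page merging is active on this host" >&2
fi
```

A host that passes this check prints a disabled or absent state and zero shared pages. If it does not, writing 2 to /sys/kernel/mm/ksm/run stops the merge daemon and unmerges every page it had merged; on distributions that ship the ksm and ksmtuned services, those must be disabled as well or the setting returns at the next boot.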

If you have a server with us, it is not vulnerable to this attack.

When a cloud is set up correctly, its risks are controllable and manageable. This attack is an example that shows that cutting corners doesn't work in the long term. So we at CloudVPS don't do that.

A technical article on Row hammer can be found over at Wikipedia: https://en.wikipedia.org/wiki/Row_hammer

A Dutch article on the Flip Feng Shui attack can be found on Tweakers: https://tweakers.net/nieuws/114473/flip-feng-shui-aanval-maakt-lekken-van-ssh-sleutel-uit-vm-mogelijk.html

The Dutch National Cyber Security Centre provides both Dutch and English information and fact sheets on this attack and virtualisation in general: https://www.ncsc.nl/actueel/factsheets/factsheet-virtualiseer-met-verstand.html