
Beware of 'blinded random block corruption' attacks

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 23 May 2018
Rodrigo Branco, senior principal security researcher at Intel.

Once attackers have physical control of a machine, they have all the power and can do whatever they want.

So said Rodrigo Branco, senior principal security researcher at Intel, who spoke about 'Blinded random block corruption attacks: the next level', at the ITWeb Security Summit 2018, happening this week at Vodacom World in Midrand.

A blinded random block corruption attack targets systems that use encrypted memory without any form of integrity protection: the attacker cannot read or choose the plaintext, but corrupting a ciphertext block still changes what the CPU consumes.

He said attackers are always trying to find ways to steal data.

"Disk encryption will protect the data, so there's nothing much the attacker can leverage. However, there are some weak points. If the machine is turned on, and someone steals it, the data memory is not encrypted, only the hard drive."

Attackers quickly found ways to get at that data in memory, using cold boot attacks: a type of side-channel attack in which someone with physical access to a device retrieves encryption keys from a running operating system by cold-rebooting the device and reading what remains in memory.

Obviously, he said, technologies were invented to prevent that, and a lot of solutions came out. But none of them solved the problem.

Three types of attacker

There are three main types of attacker, Branco said.

"A passive attacker attempts to learn or make use of information from the system, but does not actually affect any system resources.

"An active static attacker goes to full memory dump, then tries to do a crypto analysis of the memory dump.

"Finally, an active dynamic attacker tries to modify data in such a way that when the data is consumed by CPU, something beneficial to the attacker happens."

Missing memory encryption

"Protecting user privacy in virtualised cloud environments is a growing concern for both users and providers. The privacy claim of any technology that uses different encryption keys to isolate hypervisor administrators from guest virtual machines cannot be guaranteed."

During his presentation, Branco demonstrated this via a new instantiation of blinded random block corruption (BRBC). He also demonstrated that even non-Boolean values can be effectively targeted by attackers, forcing the elevation of privileges of a process running in a protected virtual machine.
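To make the failure mode concrete, here is an added simulation (not code from Branco's talk or from any Intel product): a 16-byte memory block is encrypted with a constructed address-tweaked block permutation (a 4-round Feistel network built on HMAC-SHA256, standing in for the cipher of a real memory encryption engine). Without integrity protection, a single blindly changed ciphertext bit decrypts to a pseudorandom block, so a zeroed value that is only ever tested for zero will almost certainly read as nonzero; with an address-bound integrity tag, the corrupted block is rejected before it is consumed. The key, address and block contents in the usage below are constructed sample values.

```python
import hashlib
import hmac

HALF = 8  # half of one 128-bit memory block

def _f(key, addr, rnd, half):
    # Feistel round function: a PRF under the memory key, tweaked by the
    # block's address so equal data at two addresses encrypts differently.
    msg = addr.to_bytes(8, "little") + bytes([rnd]) + half
    return hmac.new(key, msg, hashlib.sha256).digest()[:HALF]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, addr, pt):
    # 4-round Feistel network: a pseudorandom permutation on 16-byte blocks,
    # a constructed stand-in for the cipher of a memory encryption engine.
    l, r = pt[:HALF], pt[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, addr, rnd, r))
    return l + r

def decrypt_block(key, addr, ct):
    l, r = ct[:HALF], ct[HALF:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, addr, rnd, l)), l
    return l + r

def corrupted_plaintext(key, addr, pt):
    # Encryption without integrity: one ciphertext bit is changed blindly (no
    # key needed) and decrypted exactly as the CPU would; the permutation
    # spreads the change, so the block comes back pseudorandom, not one bit off.
    ct = bytearray(encrypt_block(key, addr, pt))
    ct[0] ^= 0x01
    return decrypt_block(key, addr, bytes(ct))

def _tag(key, addr, ct):
    msg = b"tag" + addr.to_bytes(8, "little") + ct
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def store_protected(key, addr, pt):
    ct = encrypt_block(key, addr, pt)
    return ct, _tag(key, addr, ct)

def load_protected(key, addr, ct, tag):
    # Encryption plus integrity: ciphertext that no longer matches its
    # address-bound tag is rejected instead of being decrypted and consumed.
    if not hmac.compare_digest(_tag(key, addr, ct), tag):
        raise ValueError("memory integrity failure at %#x" % addr)
    return decrypt_block(key, addr, ct)
```

Calling `corrupted_plaintext(b"\x11" * 32, 0x1000, b"\x00" * 16)` returns a 16-byte block that is no longer all zeros, while `load_protected` on the same corrupted ciphertext raises `ValueError` instead of returning it.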

He said, at the moment, very few systems offer memory encryption, so BRBC attacks should be kept in mind when making future business decisions.
