"New Hacking Tool Sees the Light"
CNet (05/13/03); Lemos, Robert

Princeton University graduate student Sudhakar Govindavajhala presented a paper at the Institute of 
Electrical and Electronic Engineers (IEEE) Symposium on Security and Privacy on Tuesday, detailing a 
method he devised that exploits security flaws in virtual machines running on .Net and Java. Virtual 
machines enable software to operate on multiple platforms, while preventing applets from interfering with 
the computer's data by containing them in a software "sandbox"; Govindavajhala says his method allows that 
sandbox to be breached. Govindavajhala shined a light on a computer to heat up the chips and cause one or 
more memory bits to flip. His next step was to hack into the system by embedding his own code into memory 
and slipping the new code's address into the remaining free memory. This led to Govindavajhala's discovery 
that an arbitrary bit flip would allow the attack code to run over 70 percent of the time if he crammed 60 
percent of memory with the addresses. Hackers could use this technique to circumvent smart card security, 
and Govindavajhala thinks that the increasing speed of computer memory and processors could boost the 
effectiveness of the method by reducing the amount of energy required to flip bits. "Here is a case where 
people thought they had thought of everything, but they hadn't," declared Burton Group analyst Fred Cohen, 
who does not think sandboxing untrustworthy applications will safeguard against such an attack. "If you 
let people run programs in your computer, then there is a chance they can do what they want."
http://news.com.com/2100-1009_3-1001406.html