Using Memory Errors to Attack a Virtual Machine
Sudhakar Govindavajhala and Andrew Appel
We present an experimental study showing that soft memory errors can lead
to serious security vulnerabilities in Java and .NET virtual machines, or
in any system that relies on type-checking of untrusted programs as a
protection mechanism. Our attack works by sending to the JVM for
execution a Java program that is designed so that almost any memory error
in its address space will allow it to take control of the JVM. All
conventional Java and .NET virtual machines are vulnerable to this attack.
The technique of the attack is broadly applicable against other
language-based security schemes such as proof-carrying code.
We measured the attack on two commercial Java Virtual Machines: Sun's and
IBM's. We show that a single-bit error in the Java program's data space
can be exploited to execute arbitrary code with a probability of about
70%, and multiple-bit errors with a lower probability.
Our attack is particularly relevant against smart cards or
tamper-resistant computers, where the user has physical access (to the
outside of the computer) and can use various means to induce faults; we
have successfully used heat. Fortunately, there are some straightforward
defenses against this attack.