• Investment World
• eWorld
• Catalyst
• Mentor
• Life
• Canvas
• Praxis
• Urban Pulse
• Brand Quest

Pratap Ravindran

A US student researcher has demonstrated security holes in Java and .Net virtual machines which could be used to steal data from smart cards.

YOU can run but you can't hide.

Sudhakar Govindavajhala, a computer science graduate student researcher at Princeton University, has demonstrated security holes in Java and .Net virtual machines which could be used to steal data from smart cards.

In a paper presented at the recent US Institute of Electrical and Electronic Engineers (IEEE) symposium on security and privacy, he has detailed how hackers can shine a light on smart cards that use Java, flip a bit ... and get access to the card's data!

It appears that this nifty technique is based on the ability of energy to `flip bits' in memory. It's been known for some time now that cosmic rays can occasionally cause a random bit in memory to change value from 0 to 1 or from 1 to 0 — but hackers are not exactly patient people who are quite happy to sit around, waiting for the next burst of cosmic rays to give them access to data. Knowing this, Govindavajhala used a lamp to heat up the chips inside a computer and cause one or more bits of memory to flip, thereby invalidating one of the principles that the security model for virtual machines rests on: namely that computers execute instruction sets.

That's the bad news. The good news is that the technique doesn't work with virtual machines running on servers and PCs because it requires hard access.

Virtual machines are software programmes that work like a virtual computer within the host computer's memory. These programmes are used to allow software to run on multiple platforms. Thus, virtual machines running on Windows, Linux or Mac operating systems can execute Java applets.

In the current context, a critical feature of virtual machines is their ability to hold the applets in a software `sandbox,' thereby ensuring that they don't mess up the data on a computer.

Govindavajhala has, in effect, broken the sandbox by adding his own code into memory and then filling the remaining free memory with the address of the new code.

He has apparently discovered that, if he succeeds in filling about 60 per cent of memory with the addresses, a random bit flip triggers his "attack code" to run for over 70 per cent of the time. In other instances, it crashes a key programme on the target computer.

This hole can be used to steal data from smart cards as also various kinds of hand-held devices which are easier to get hold of than a PC or a server.

Govindavajhala's findings are of concern to commonly-used computing systems, including Microsoft's next-generation secure computing base, formerly known as Palladium. While Govindavajhala hasn't studied the impact of his error-inducing hack on such systems, he has been quoted by the media as saying that as processors and memory get faster, the energy needed to induce bit flips becomes smaller...

pratapravindran@hotmail.com

Article E-Mail :: Comment :: Syndication

Stories in this Section
Joining the pool

Copyright © 2003, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line