Communicating Through CPU Usage (and ‘Russian Sleep Machine’ research)

A lot of people rely on virtualization for security. Run something in a virtual machine, and it shouldn’t be able to mess with other virtual machines. Malicious code shouldn’t even be able to get something out of a virtual machine, if there’s no network access or the like. At least in theory.

A guy’s figured out how to transmit data out of a “virtually air-gapped” VM by encoding a square wave onto its CPU usage. The “receiving” VM (presumably one with Internet access that’s also been compromised) then looks for that data-bearing square wave in the graph of how much CPU it can use.

Presumably the Internet-facing VM can then reply with commands via the same route.

Best defense here is physical instead of virtual separation. The attack might still work given two servers in close proximity if the recipient has a software-readable temperature sensor, but the bit rate would go down considerably…

Russian Sleep Machine: In the course of trying to find the “8 hours of sleep in 30 minutes” wonder, I stumbled upon a patent (US3773049) by some Russian researchers that’s extremely interesting.

It produces a 0.15 sec pulse with a 0.5-1 Hz repetition rate — simultaneously blasting the ‘patient’ with heat, light, white noise, and VHF (!) radiation.

Like my little ~0.8 Hz incandescent-bulbs-and-555 gadget, it produces sleep. But whereas the sine wave in my case seems to do mostly just that (maybe making you feel a bit more ready to take on the world), their device seems to do much more. And be less nice…

Much of the emphasis seems to have been on producing a device which works regardless of the patient’s “attitude towards the treatment procedure.” That it was used for treating ‘delusion’ or ‘reactive states’ suggests why.

Adding heat, sound, and VHF probably plays a big part in the difference. Still, I suspect the harmonics from their 15% duty cycle square wave are key to the ‘less nice’ effects, and I’ll be staying away from square waves…!

(That would partly explain why I obtained such unfavorable results with square-wave stimulation (audio + light) compared with the sine-wave-ish 555 blinkenlight.)

Also, who knew VHF waves could affect the nervous system? Freaky.

http://www.idontplaydarts.com/2012/08/data-exfiltration-through-the-vmware-hypervisor/

“It’s possible for two Virtual Machines with no network access or shared file system to communicate as long as they run under the same Hypervisor. This post will show you how this can be achieved by sending a square wave across the VMware CPU scheduler. […]

When you oversubscribe a Hypervisor the machines within it end up sharing resources. The result of this is that when a VM runs a CPU intensive task it runs until another VM also requests the same resources, when this happens clock cycles are stolen from one VM and given to the other. The consequence of this is that one virtual machine can monitor how busy the Hypervisor is by observing the shift in number of calculations it can perform in a given time frame. It is by using this technique (a Timing Channel Attack) that two VMs can communicate.”
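Seen from the hypervisor side, a guest whose CPU usage flips between two levels on a regular clock is the signature of the channel described above, and it can be checked for in per-VM usage history. The sketch below is an added example, not code from this post or from the linked research; the function names, thresholds and sample series are assumptions constructed for illustration.

```python
from statistics import mean

def run_lengths(bits):
    """Collapse a 0/1 sequence into the lengths of its runs of equal values."""
    runs, count = [], 1
    for prev, cur in zip(bits, bits[1:]):
        if cur == prev:
            count += 1
        else:
            runs.append(count)
            count = 1
    runs.append(count)
    return runs

def looks_like_square_wave(samples, min_swing=30.0, max_jitter=0.2, min_runs=8):
    """Flag a per-VM CPU-usage series (percent, fixed sampling interval) that
    sits at two distinct levels and switches between them on a regular clock.
    All thresholds are illustrative assumptions, not tuned values."""
    lo, hi = min(samples), max(samples)
    if hi - lo < min_swing:
        return False                      # no distinct busy/idle levels
    mid = (lo + hi) / 2
    bits = [1 if s > mid else 0 for s in samples]
    runs = run_lengths(bits)[1:-1]        # edge runs are cut off by the window
    if len(runs) < min_runs:
        return False                      # too few transitions to judge
    period = min(runs)                    # assume the shortest run is one symbol
    if period < 2:
        return False                      # single-sample flips are just noise
    # Every run should be close to a whole number of symbol periods.
    jitter = mean(abs(r / period - round(r / period)) for r in runs)
    # Samples should hug the two levels instead of wandering in between.
    spread = mean(min(s - lo, hi - s) for s in samples) / (hi - lo)
    return jitter <= max_jitter and spread < 0.15

def synth(symbols, width=4):
    """Constructed input: each symbol held for `width` samples near 90% or 13%."""
    return [(88.0 if b else 12.0) + 3 * (j % 2) for b in symbols for j in range(width)]

# Constructed sample series (not measurements from the post).
MODULATED = synth([1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1])
BURSTY = [15, 22, 80, 85, 83, 30, 25, 18, 20, 75, 90, 40, 35, 60, 88, 86, 84, 82,
          20, 15, 55, 50, 45, 70, 30, 10, 12, 14, 95, 92, 20, 65, 25, 85, 15, 18]
IDLE = [5.0, 6.0, 5.5] * 12

if __name__ == "__main__":
    for name, series in [("modulated", MODULATED), ("bursty", BURSTY), ("idle", IDLE)]:
        print(name, looks_like_square_wave(series))
```

A hit is only a lead for closer inspection of that guest, since a legitimately periodic job can produce the same pattern.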
