On Fri, Sep 02, 2016 at 10:56:10AM -0400, Jerry Leichter wrote:
> > Why bother with patching public keys, making them amenable to
> > factorization, if you can patch executable code instead?
> >
> > If you can target executable code (and I see why not, it's all the
> > same to KSM), it is very clear that there cannot be a software-only
> > defense....
> The technique cannot be aimed exactly: You can flip some unpredictable,
> uncontrollable subset of the bits in a word. (The vulnerability of
> particular bits is dependent on physical variations in the memory cells.)
> ...
> Attacks against the executable code are certainly the worst case, and you
> might be able to find security-sensitive but very rarely executed code to
> attack. But this is likely much harder to pull off than the attack outlined
> here.
>
Flipping random bits in a word at a chosen location is a very powerful primitive. I am taking bets that it is moderately easy to exploit via many vectors.

Flipping random bits of a zero word makes it nonzero. In a boolean context, this flips False and True, screwing the logic. E.g. in:

    if (is_root || is_authorized)
        give_em_power();
    else
        drop_em();
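The point above, that a check which treats "any nonzero word" as true is defeated by a single stray bit flip, can be measured directly. The following is an added example, not code from the thread or from any of its participants. It simulates single-bit faults in a flag word (no real hardware fault is involved) and compares the truthiness check from the snippet above with a hardened encoding where "true" and "false" are two specific constants that are bitwise complements of each other; the constant `AUTH_TRUE`, the names `naive_grants` and `hardened_grants`, and the fault simulation are all assumptions of this example, not a design described in the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Hardened representation (assumed design, not from the thread):
 * "true" and "false" are two fixed constants that are bitwise complements,
 * so every one of the 32 bits differs between them. A random flip of a
 * few bits of AUTH_FALSE therefore never lands on AUTH_TRUE. */
#define AUTH_TRUE  0xA5C35A3Cu
#define AUTH_FALSE (~AUTH_TRUE)     /* 0x5A3CA5C3 */

/* Naive check, as in the thread's snippet: any nonzero word is "true". */
static int naive_grants(uint32_t is_authorized) {
    return is_authorized ? 1 : 0;
}

/* Hardened check: only the exact AUTH_TRUE encoding grants access; every
 * other value, including every corruption of AUTH_FALSE, is "not authorized". */
static int hardened_grants(uint32_t is_authorized) {
    return is_authorized == AUTH_TRUE ? 1 : 0;
}

/* Simulated fault: flip bit `bit` (0..31) of `word`. */
static uint32_t flip_bit(uint32_t word, unsigned bit) {
    return word ^ (1u << bit);
}

/* Number of bits in which two words differ (Hamming distance), i.e. the
 * minimum number of simultaneous flips needed to turn one into the other. */
static unsigned hamming_distance(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    unsigned n = 0;
    while (x) {
        n += x & 1u;
        x >>= 1;
    }
    return n;
}

/* Count how many of the 32 possible single-bit flips of the "false"
 * encoding `false_value` are accepted as "true" by `check`. */
static unsigned count_single_flip_grants(int (*check)(uint32_t),
                                         uint32_t false_value) {
    unsigned granted = 0;
    for (unsigned bit = 0; bit < 32; bit++) {
        if (check(flip_bit(false_value, bit)))
            granted++;
    }
    return granted;
}

int main(void) {
    /* Naive flag: "false" is 0, and any of the 32 single-bit flips makes it true. */
    printf("naive check:    %u of 32 single-bit flips of 0 grant access\n",
           count_single_flip_grants(naive_grants, 0));
    /* Hardened flag: no single flip of AUTH_FALSE is accepted, and reaching
     * AUTH_TRUE from AUTH_FALSE would require all 32 bits to flip at once. */
    printf("hardened check: %u of 32 single-bit flips of AUTH_FALSE grant access\n",
           count_single_flip_grants(hardened_grants, AUTH_FALSE));
    printf("hardened check: %u bits must change together to reach AUTH_TRUE\n",
           hamming_distance(AUTH_FALSE, AUTH_TRUE));
    return 0;
}
```

The hardened form does not make the memory any less corruptible; it only makes the decoded value fail closed. Corruption of `AUTH_TRUE` still turns an authorized caller into an unauthorized one (a denial of service), which is the safer direction, and the compiler must not be allowed to collapse the comparison back into a truthiness test, so the flag should be read once into a local before the comparison in real code.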
