We present an experimental study showing that soft
memory errors can lead to serious security vulnerabilities
in Java and .NET virtual machines, or in any system that
relies on type-checking of untrusted programs as a protection
mechanism. Our attack works by sending to the JVM
a Java program that is designed so that almost any memory
error in its address space will allow it to take control
of the JVM. All conventional Java and .NET virtual machines
are vulnerable to this attack. The technique of the
attack is broadly applicable against other language-based
security schemes such as proof-carrying code.
We measured the attack on two commercial Java Virtual
Machines: Sun’s and IBM’s. We show that a single-bit
error in the Java program’s data space can be exploited
to execute arbitrary code with a probability of
about 70%, and multiple-bit errors with a lower probability.
Our attack is particularly relevant against smart cards
or tamper-resistant computers, where the user has physical
access (to the outside of the computer) and can use
various means to induce faults; we have successfully used
heat. Fortunately, there are some straightforward defenses
against this attack.