Summary: In this paper the authors show how arbitrary single-bit errors induced by hardware faults, which are beyond the control of software mechanisms, invalidate the protection provided by type safety. Link-time type-checking is used by Java programs to guarantee that untrusted programs cannot read or write the private data of trusted programs. However, this leaves the JVM vulnerable to a time-of-check to time-of-use attack: the types are checked once, and a later fault can change what a checked pointer refers to.

The attack works by manipulating the heap and filling it with a large number of objects of one type (say B) that contain pointers to a single object of a different type (say A). When a bit error occurs in one of these pointers, the pointer in B will point to another object of type B, though it type-checked as A. This gives the attacker two pointers of different types to the same object. If one of them is of type integer, it can be made to point to any arbitrary location in memory (pointers are integer types) and used to write arbitrary data into the virtual machine.

The authors analyze the probability of success of this attack, and show how it can be used effectively with high probability (depending on how much attack data the attacker is able to write). The authors also show how this attack can be easily prevented, but make the point that hardware faults and external factors may have unexpected consequences for software security guarantees.

Voting: Trash it: 0; Marginal tend to reject: 0; Tend to reject: 1; Tend to Accept: 3; Accept: 4; Outstanding: 0
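To make the dependence on heap fill concrete, the following is an added toy model, not the authors' analysis or code from the paper. It computes the exact chance that one uniformly random single-bit flip turns a type-checked pointer to A into a pointer to a B object. Assumed for illustration: 32-bit words, pointers stored as heap-relative word offsets, one header word per object, a single A at offset 0, and all function names.

```python
from fractions import Fraction

WORD_BITS = 32  # assumed pointer/word width


def layout(heap_words, fill_fraction, obj_words):
    """One A object at offset 0, then as many B objects as the fill allows.

    Returns (b_start, b_end, n_b) in heap-relative word offsets.
    """
    b_start = obj_words
    n_b = int(heap_words * fill_fraction) // obj_words
    n_b = min(n_b, (heap_words - b_start) // obj_words)
    return b_start, b_start + n_b * obj_words, n_b


def retargeting_bits(b_start, b_end, obj_words, a_offset=0):
    """Bit positions k where (pointer to A) XOR 2**k is the base of a B object."""
    good = []
    for k in range(WORD_BITS):
        target = a_offset ^ (1 << k)
        in_b_region = b_start <= target < b_end
        if in_b_region and (target - b_start) % obj_words == 0:
            good.append(k)
    return good


def confusion_probability(heap_words, fill_fraction, obj_words=8):
    """P(a random single-bit flip yields a mistyped but valid-looking pointer)."""
    b_start, b_end, n_b = layout(heap_words, fill_fraction, obj_words)
    # Word 0 of each B is a header; the remaining words are pointers to A.
    pointer_words = n_b * (obj_words - 1)
    p_hit_pointer = Fraction(pointer_words, heap_words)
    p_retarget = Fraction(len(retargeting_bits(b_start, b_end, obj_words)),
                          WORD_BITS)
    return p_hit_pointer * p_retarget


if __name__ == "__main__":
    heap = 1 << 20  # constructed heap size: 2**20 words
    for fill in (0.0, 0.05, 0.25, 0.5, 0.9):
        p = confusion_probability(heap, fill)
        print(f"fill={fill:4.2f}  P(type confusion per flip)={float(p):.4f}")
```

In this model most other flips land outside pointer fields or produce misaligned or out-of-range offsets, so they show up as crashes or have no visible effect, which is the observable signal a defender has.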