zlacker

[return to "Can you get root with only a cigarette lighter?"]
1. vessen+64 2024-10-07 13:45:52
>>1317+(OP)
I like this. Upshot - electrostatic bit flip on memory read or write, which with solder can deterministically get a 'safe' pointer mutated into your own evil pointer.

Generally the historical perspective on physical access was: "once they have it, game over." TPM and trusted execution environments have shifted this security perspective to "we can trust certain operations inside the enclave even if the user has physical access."

His next steps are most interesting to me -- can you get something (semi-) reliable without soldering stuff? My guess is it's going to be a lot harder. Lots of thought already goes into dealing with electrical interference. On the other hand, maybe? if you flip one random bit of a 64 bit read every time you click your lighter, and your exploit can work with one of say 4 bit flips, then you don't need that many tries on average. At any rate, round 2 of experimentation should be interesting.

2. onioni+c7 2024-10-07 14:06:36
>>vessen+64
> if you flip one random bit of a 64 bit read every time you click your lighter

Without the antenna it would be hard to limit it to a single bit getting flipped. At least that’s what I suspect.

3. Retr0i+v7 2024-10-07 14:09:24
>>onioni+c7
On the flip-side (heh) flipping multiple bits at once should make it possible to bypass ECC
4. Lance_+JI 2024-10-07 17:27:34
>>Retr0i+v7
You'd likely take an exception for a multi-bit error and the handler would likely just retry the read. Single-bit errors are often just corrected on the fly by ECC logic as you mention.
5. echoan+2o1 2024-10-07 21:05:24
>>Lance_+JI
If you can induce enough correct errors (yes, that is contradictory), the ECC won’t be able to detect the error because the modified data is correct again. The ECC schemes I’ve seen used can correct a 1-bit error and detect a 2-bit error, so 3 flips at the right positions would be enough to get new data that would be valid again.
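The single-correct/double-detect behaviour described above, worked through on a toy code as an added illustration that is not part of the thread: a Hamming(7,4) code plus an overall parity bit (the extended Hamming [8,4,4] code, constructed here; real DRAM ECC uses wider codes with the same SECDED property). The decoder corrects any 1-bit flip, flags any 2-bit flip, and `classify_flips` counts what happens to every 3- and 4-bit pattern.

```python
from itertools import combinations
# Toy SECDED code: Hamming(7,4) plus an overall parity bit (extended Hamming [8,4,4]).
# Bit index 0 holds the overall parity; indices 1..7 are Hamming positions
# (check bits at 1, 2, 4; data bits at 3, 5, 6, 7).
DATA_POS = (3, 5, 6, 7)

def encode(data: int) -> int:
    """Encode a 4-bit value into an 8-bit SECDED codeword."""
    d = [(data >> i) & 1 for i in range(4)]
    bits = [0] * 8
    for pos, val in zip(DATA_POS, d):
        bits[pos] = val
    bits[1] = d[0] ^ d[1] ^ d[3]
    bits[2] = d[0] ^ d[2] ^ d[3]
    bits[4] = d[1] ^ d[2] ^ d[3]
    bits[0] = sum(bits[1:]) & 1           # overall parity over the seven Hamming bits
    return sum(b << i for i, b in enumerate(bits))

def decode(word: int):
    """Return (status, data); status is 'ok', 'corrected' or 'uncorrectable'."""
    bits = [(word >> i) & 1 for i in range(8)]
    syndrome = 0
    for i in range(1, 8):
        if bits[i]:
            syndrome ^= i
    parity_even = sum(bits) % 2 == 0
    if syndrome == 0 and parity_even:
        status = "ok"
    elif not parity_even:                 # odd parity: decoder assumes a single flip
        bits[syndrome] ^= 1               # syndrome 0 points at the parity bit itself
        status = "corrected"
    else:                                 # even parity, non-zero syndrome: two flips
        return "uncorrectable", None
    return status, sum(bits[pos] << i for i, pos in enumerate(DATA_POS))

def classify_flips(data: int, weight: int) -> dict:
    """Count decoder outcomes over every pattern of `weight` flipped bits."""
    cw = encode(data)
    counts = {"ok": 0, "corrected": 0, "uncorrectable": 0, "silent_wrong": 0}
    for positions in combinations(range(8), weight):
        word = cw
        for p in positions:
            word ^= 1 << p
        status, out = decode(word)
        if status != "uncorrectable" and out != data:
            counts["silent_wrong"] += 1   # ECC raised nothing, yet the data changed
        else:
            counts[status] += 1
    return counts
```

For this toy code every 2-bit pattern is flagged, while every 3-bit pattern is silently "corrected" to a different valid word (for example, flipping bits 1, 2 and 3 of the codeword for 0 decodes as a corrected 1) and 14 of the 70 4-bit patterns land exactly on another codeword.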