Author here, will gladly answer any questions people may have.
Have you ever played in the lottery (or played more) since you’ve had so much access with bitsquatting?
Nope, but someone wins every time.
Did you find any pattern in which particular bit in an octet was likely to become corrupt?
I didn’t register enough different variations to answer that with confidence. It would be a good experiment though!
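As an added illustration of the bit-position question (this is my own example, not the author's tooling): enumerate every single-bit flip of a domain's registrable labels that still forms a valid hostname, and count them per bit position, which is the list a defender would use to decide what to register or monitor. It assumes the ASCII/LDH hostname rules and leaves the TLD untouched.

```python
import string

# Characters allowed in a DNS label (letters, digits, hyphen). Uppercase is deliberately
# excluded: DNS is case-insensitive, so a flip that only changes case resolves to the same name.
LDH = set(string.ascii_lowercase + string.digits + "-")

def single_bit_flips(ch):
    """Yield (bit, new_char) for each of the 8 bit positions of one ASCII character."""
    for bit in range(8):
        yield bit, chr(ord(ch) ^ (1 << bit))

def bitsquat_variants(domain):
    """Return [(variant, index, bit)] for every single-bit flip in the registrable labels
    of `domain` that still yields a syntactically valid hostname. The TLD is left as-is,
    and flips of the dots themselves are skipped (they change the label structure)."""
    name, tld = domain.rsplit(".", 1)
    labels = name.split(".")
    out = []
    pos = 0  # absolute index of the current label inside `domain`
    for li, label in enumerate(labels):
        for ci, ch in enumerate(label):
            for bit, new in single_bit_flips(ch):
                if new not in LDH:
                    continue
                new_label = label[:ci] + new + label[ci + 1:]
                if new_label[0] == "-" or new_label[-1] == "-":
                    continue  # labels may not begin or end with a hyphen
                new_labels = labels[:li] + [new_label] + labels[li + 1:]
                out.append((".".join(new_labels) + "." + tld, pos + ci, bit))
        pos += len(label) + 1
    return out

def variants_per_bit(domain):
    """Count valid variants per bit position: which flips produce resolvable look-alikes."""
    counts = {bit: 0 for bit in range(8)}
    for _, _, bit in bitsquat_variants(domain):
        counts[bit] += 1
    return counts

def is_bitsquat(original, observed):
    """True if `observed` differs from `original` in exactly one character by exactly one bit."""
    if len(original) != len(observed):
        return False
    diffs = [ord(a) ^ ord(b) for a, b in zip(original, observed) if a != b]
    return len(diffs) == 1 and (diffs[0] & (diffs[0] - 1)) == 0

if __name__ == "__main__":
    for v, i, bit in bitsquat_variants("microsoft.com"):
        print(f"bit {bit} at index {i}: {v}")
    print(variants_per_bit("microsoft.com"))
```

Running it on `microsoft.com` lists `micro3oft.com` (the `s`/`3` pair mentioned later in the thread) as a bit-6 flip at index 5; `is_bitsquat` is the check a log-analysis job could apply to observed Host headers or DNS queries.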
This has incredible implications. Looks like only 30 registrations (so, not looking for just any bit flip, but 30 specific bit flips) led to wild success here. It wouldn’t be terribly hard to exploit this more determinedly for other high value sites.
It might also not be too hard to try and discover if anyone else is already trying.
Since my original talks at Blackhat/DEFCON 2011 several people have followed up with their own bitsquatting research (see: http://blog.dinaburg.org/2013/09/bitsquatting-at-defcon21-and-more.html). During my Q&A at DEFCON at least one group of people wanted to use bitsquatting to serve up ads.
Yet another reason for HSTS I guess
As other people pointed out, HSTS wouldn’t really help for most cases, and neither would DNSSEC. Most of the errors are already in the HTML that’s served to the browser, probably corrupted somewhere on the server.
A lot of people found this hard to believe since it required some kind of wide-spread bug that caused bit flips in memory, but now we found one: https://en.wikipedia.org/wiki/Row_hammer, although I have no evidence the two are related.
Not sure I follow - if the issue is that corruption occurs in memory, the request for micro3oft.com instead of microsoft.com is completely legitimate from the perspective of the requesting system; it never requested microsoft.com and got a different site, it always was asking for micro3oft.com.
HSTS wouldn’t address this in any meaningful way, would it?
Whoops, you’re right, if the bit flip happens before cert validation then sure, it could be a valid HSTS request to a site with a valid cert for micro3oft.com. I guess I was thinking about name resolution bit flips only.
Dang, this is pernicious.