As early as 2015, security researchers at Google demonstrated a successful attack by exploiting the physical weakness in certain DDR DRAM (Double Data Rate Dynamic Random Access Memory) chips. Although the attack has not yet been exploited in the wild, security researchers from different organizations have recently come up with new and upgraded versions of Rowhammer.
What is Rowhammer?
Rowhammer is a new type of cyberattack that exploits a flaw in DRAM modules that were manufactured in 2010 and later. The attack technique is initiated by rapidly writing and rewriting the memory, which, in turn, induces capacitor errors in DRAM and results in data corruption. Rowhammer could allow attackers to obtain higher kernel privileges on targeted systems.
The Google team tested the attack on 29 x86 laptops using DDR3 DRAM built between 2010 and 2014. The team successfully conducted the attacks in 15 of the 29 cases.
Drammer - Rowhammer’s successor
Almost a year later, a team of experts from the VUSec Lab at Vrije University, Amsterdam found extended exploitation of Rowhammer attack. Dubbed Drammer, the attack could allow attackers to gain root access to millions of Android smartphones using DRAM.
“Drammer is a new attack that exploits the Rowhammer hardware vulnerability on Android devices. It allows attackers to take control of your mobile device by hiding it in a malicious app that requires no permissions. Practically all devices are possibly vulnerable and must wait for a fix from Google in order to be patched. Drammer has the potential to put millions of users at risk, especially when combined with existing attack vectors like Stagefright or BAndroid” said the VUSec Lab researchers in their report.
The attack involves the use of a malicious application, which when executed, repeatedly accesses the same row of transistors on a memory chip. The interference can cause the electricity to leak from one row to another row, resulting in modification of data. An attacker can exploit this modification to execute his/her own code and hijack a targeted mobile device.
Throwhammer - the next iteration
In May 2018, security researchers from Vrije University demonstrated a new version of the Rowhammer attack called Throwhammer. The attack is devised to target a system in a LAN. The researchers used malicious packets to explain the attack process.
The researchers found that by sending bogus packets on LAN, it is possible to implement Rowhammer attack on systems that are connected to Ethernet networks - which are equipped with Remote Direct Memory Access (RDMA).
These attacks would primarily target organizations that adopt cloud infrastructure and data centers widely. The attack requires a high-speed network of at least 10 Gbps to successfully access the targeted system’s memory.
“Specifically, we managed to flip bits remotely using a commodity 10 Gbps network. We rely on the commonly-deployed RDMA technology in clouds and data centers for reading from remote DMA buffers quickly to cause Rowhammer corruptions outside these untrusted buffers,” Vrije University researchers said. “These corruptions allow us to compromise a remote Memcached server without relying on any software bug.”
Nethammer - the evolution continues
The Nethammer attack was found a few days after the discovery of Throwhammer. It is the first truly remote Rowhammer attack that does not require an attacker-controlled line of code on a targeted system. The technique can be used by attackers to execute arbitrary code on systems that use uncached memory or flush instructions while handling network requests.
“Nethammer sends a crafted stream of network packets to the target device to mount a one-location or single-sided Rowhammer attack by exploiting quality-of-service technologies deployed on the device,” the researchers at the Graz University of Technology explained.
ECCploit - the newest kid on the block
The latest variant of the Rowhammer attack is ECCploit. Security experts from VUSec Lab at Vrije University explained that this attack technique could be used to bypass Erro-Correcting Code (ECC) protections. ECC memory is built in several widely used models of DDR3 chips.
During the analysis, the researchers observed that the new attack is capable of causing major consequences. For instance, this can allow an untrusted app to gain full administrative rights, evade detection by sandbox or virtual-machine hypervisor, or root out devices running the vulnerable Dual In-line Memory Module (DIMM).
Experts have demonstrated various new versions of Rowhammer attacks that can be used to target both mobile and desktop systems. However, it is quite difficult to perform attack leveraging these techniques, due to several limitations, such as the duration of time that ranges between 32 minutes to a week, finding the ECC algorithm implemented in the memory controller of the targeted system’s processor, and more.
RAMBleed - the latest variant
RAMBleed is a side-channel variant of Rowhammer attack. Tracked as CVE-2019-0174, the variant has been discovered by the team of Andrew Kwong and Daniel Genkin from the University of Michigan, Daniel Gruss from the Graz University of Technology in Austria, and Yuval Yarom from the University of Adelaide.
RAMBleed can allow an attacker to read data stored in physical memory.
"RAMBleed uses bit flips as a read side channel, and as such does not require bit flips to be persistent. Instead, the attacker merely needs to know that a bit flip occurred; the secret information leaks regardless of whether or not ECC corrects the flip," the researchers wrote.
Users can mitigate this risk by upgrading their memory to DDR4 with targeted row refresh (TRR) enabled.
Publisher