Rowhammer – DDR3 Exploit – What You Need To Know

The New Acunetix V12 Engine


So the big news this week was the release of details of a very clever hardware attack posted by Google’s Project Zero security initiative called Rowhammer. The impressive part is this is a hardware/manufacturing bug that has elevated to a software based attack.

Rowhammer - DDR3 Exploit - What You Need To Know

In simple terms Rowhammer is an attack that exploits physical weaknesses in certain types of DDR memory chips (DDR3) to elevate the system rights of untrusted users of Intel-compatible PCs running Linux. It writes and rewrites memory to force capacitor errors in DRAM, which can be exploited to gain control of the system.

This corruption can lead to the wrong instructions being executed, or control structures that govern how memory is assigned to programs being altered – the latter case can be used by a normal program to gain kernel-level privileges (privilege escalation).

You can read the Google post here: Exploiting the DRAM rowhammer bug to gain kernel privileges

“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.

Definitely one of the more interesting attacks vectors that have popped up in recent history, the last one as interesting/impressive as this was probably the researchers cracking 4096-bit RSA Encryption with a microphone.

The attack is based on work by scientists from 2014 that proved “bit flipping” could take place, you can find the related academic paper here: Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors [PDF]

Memory isolation is a key property of a reliable and secure computing system — an access to one memory address should not have unintended side effects on data stored in other addresses. However, as DRAM process technology scales down to smaller dimensions, it becomes more difficult to prevent DRAM cells from electrically interacting with each other. In this paper, we expose the vulnerability of commodity DRAM chips to disturbance errors. By reading from the same address in DRAM, we show that it is possible to corrupt data in nearby addresses. More specifically, activating the same row in DRAM corrupts data in nearby rows. We demonstrate this phenomenon on Intel and AMD systems using a malicious program that generates many DRAM accesses.


The research unveiled this week shows how the technique can be turned into an actual attack.

If you’re using ECC memory it will protect you to a certain degree (as you should be if you’re running servers), but won’t make you immune as it won’t protect you against multiple bit flips at once, given enough tries a malicious attacker could pull this off.

If you’re using DDR4 however, you should be immune to this.

The problem with this flaw from a security perspective, is we can’t patch it..it’s a hardware issue. And well, as anyone who has worked in datacenters or server grade computing knows – those DIMMs are not going to get replaced any time soon.

You can find the Rowhammer test on Github here: https://github.com/google/rowhammer-test

“Rowhammer” is a problem with recent DRAM modules in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. This repo contains a program for testing for the rowhammer problem which runs as a normal userland process.

Does this affect the average man on the street? No. Do we as security professionally and people who write code have to consider this, yes we do.

It’s quite an academic/theoretical attack – but also yields quite consistent results.

The team tested the exploit on 29 x86 laptops built between 2010 and 2014 and using DDR3 DRAM. In 15 cases the team could successfully subvert the systems in minutes, and found DRAM made by a variety of memory manufacturers is susceptible to the attack.

While this was a high cracking rate, the team reported almost no success on desktop machines. This is possibly because those computers use newer RAM with error-correcting memory (ECC), which makes rowhammer attacks on the kernel much harder to accomplish, or that laptops have denser and lower-power RAM that’s easier to corrupt.

From: Ouch! Google crocks capacitors and deviates DRAM to root Linux

Posted in: Exploits/Vulnerabilities, Hardware Hacking

,


Latest Posts:


Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.


2 Responses to Rowhammer – DDR3 Exploit – What You Need To Know

  1. dyngnosis March 12, 2015 at 1:36 am #

    This is a pretty good summary but your opening paragraph suggests only linux is vulnerable. While the researchers used linux as a test bed it should be noted that windows apis are available to generate the same (or similar) DRAM thrashing that would result in bit flipping.

    • Darknet March 12, 2015 at 3:52 pm #

      Theoretically yah as Windows also has a page file (Assuming you have it turned on), but that hasn’t been proved. Only Linux is confirmed, so not to say only Linux is vulnerable – but the current PoC is for Linux.