WHAT IS ROWHAMMER BUG
DDR memory is arranged in an array of rows and columns that are assigned to the various services, applications and OS resources in large blocks. To prevent each application from accessing the memory of other applications, they are kept apart by a "sandbox" protection layer.
However, this sandbox protection can be bypassed using a bit-flipping technique in which a malicious application repeatedly accesses adjacent rows of memory within a tiny fraction of a second.
Hammering two aggressor memory regions in this way can disturb neighbouring locations, causing charge to leak into or out of the neighbouring cells.
“With enough accesses, this can change a cell’s value from 1 to 0 or vice versa. In other words, the selected zero area will be transferred to the victims, or vice versa,” the researchers explained.
The bit-flipping technique was first presented in an experimental study from Carnegie Mellon University entitled "Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors."
The bit-flipping technique shouldn’t be confused with buffer overflow or use-after-free memory-corruption techniques, in which an attacker funnels malicious shellcode into protected regions of the victim’s computer.
TWO WORKING EXPLOITS DEMONSTRATE THE FLAW
As DRAM manufacturing scales chip features down to smaller physical dimensions and packs more memory capacity onto each chip, it has become harder to prevent DRAM cells from interacting electrically with each other.
The Project Zero team has turned such bit flips into an actual attack by demonstrating two proof-of-concept exploits that successfully take control of many x86 computers running Linux, and it believes the same could be done on other operating systems as well.
- The first, a page table entry (PTE) based exploit, uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux and hence read-write access to all of physical memory.
- The second exploit demonstrates exploitation of the same vulnerability by escaping from the Native Client sandbox.
Security experts also provided a way to mitigate the kernel privilege escalation attack: researchers changed Native Client to disallow the x86 CLFLUSH instruction that is required to make the first exploit work.
Preventing the Rowhammer exploit used in the second proof-of-concept, however, is a much harder task on existing machines.
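One way to enforce the Native Client change described above, as an added example that is not Project Zero's or Native Client's own code: a filter that rejects any instruction encoding CLFLUSH (or its 0x66-prefixed variant CLFLUSHOPT) while still admitting SFENCE, which shares the same opcode bytes. It assumes a real decoder has already split the code into instruction-sized byte strings; the `is_clflush`/`validate` names and the sample bytes are constructed for this example.

```python
# Added example, not code from the original article or from Native Client.
# Rejects CLFLUSH/CLFLUSHOPT from a list of already instruction-aligned byte
# strings (the split into instructions is assumed to come from a real decoder).

CLFLUSH_OPCODE = (0x0F, 0xAE)   # two-byte opcode shared by CLFLUSH, SFENCE, FXSAVE, ...
CLFLUSH_REG_FIELD = 7           # ModRM reg == 7 selects CLFLUSH (SFENCE when mod == 3)
# Legacy prefixes that may precede the opcode; 0x66 turns CLFLUSH into CLFLUSHOPT.
LEGACY_PREFIXES = {0x66, 0x67, 0xF2, 0xF3, 0xF0, 0x2E, 0x36, 0x3E, 0x26, 0x64, 0x65}


def is_clflush(insn: bytes) -> bool:
    """True if these instruction-aligned bytes encode CLFLUSH or CLFLUSHOPT."""
    i = 0
    while i < len(insn) and insn[i] in LEGACY_PREFIXES:   # skip legacy prefixes
        i += 1
    if i < len(insn) and 0x40 <= insn[i] <= 0x4F:          # optional REX prefix
        i += 1
    if len(insn) < i + 3 or (insn[i], insn[i + 1]) != CLFLUSH_OPCODE:
        return False
    modrm = insn[i + 2]
    mod = modrm >> 6
    reg = (modrm >> 3) & 7
    # mod == 3 with reg == 7 is SFENCE (no memory operand), which stays allowed.
    return reg == CLFLUSH_REG_FIELD and mod != 3


def validate(instructions):
    """Return (ok, index_of_first_offending_instruction_or_None)."""
    for idx, insn in enumerate(instructions):
        if is_clflush(insn):
            return False, idx
    return True, None


# Constructed sample: a short sequence with one CLFLUSH in the middle.
SAMPLE = [
    bytes.fromhex("4889c8"),   # mov rax, rcx
    bytes.fromhex("0fae38"),   # clflush [rax]   -> must be rejected
    bytes.fromhex("0faef8"),   # sfence           -> same opcode, mod == 3, allowed
    bytes.fromhex("c3"),       # ret
]

if __name__ == "__main__":
    print(validate(SAMPLE))    # (False, 1)
```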
Using the above exploits, the Project Zero team ran tests on eight models of x86 notebook computers, built between 2010 and 2014, using five different vendors of DDR3 DRAM and five different CPU families. A large subset of these machines, 15 out of 29, were found to be vulnerable.
The above attack doesn't work against the latest DDR4 silicon or DIMMs that contain ECC (error correcting code) capabilities.
The Project Zero team is asking DRAM manufacturers, CPU makers and BIOS creators to release details of the steps they've taken to mitigate rowhammer-like security issues in their products.