Security researchers have demonstrated how attackers can use a technique called ‘rowhammer’ to exploit dynamic random-access memory (DRAM) and gain kernel privileges.
In a post published on the Google Project Zero Blog, researchers Mark Seaborn and Thomas Dullien explain that the rowhammer technique works by repeatedly accessing memory rows in DRAM devices to flip bits in adjacent rows.
Double data rate (DDR) DRAM is arranged in rows and columns, large blocks of which are assigned to different applications and OS resources. These blocks are kept in separate virtual address spaces so that one application’s memory is clearly delineated from another’s.
In a 2014 paper, researchers at Carnegie Mellon first introduced the rowhammer technique as a means of bypassing DRAM’s memory isolation. The method, they explain, repeatedly accesses two “aggressor” memory locations in the process’s virtual address space, which causes bit flips in a third “victim” location.
This type of exploit works because the memory cells in DRAM devices are packed ever closer together, making it difficult to prevent electrons from leaking into neighbouring rows.
“The thing that is really impressive to me in what we see here is in some sense an analog- and manufacturing-related bug that is potentially exploitable in software,” David Kanter, senior editor of the Microprocessor Report, told Ars Technica.
“This is reaching down into the underlying physics of the hardware, which from my standpoint is cool to see. In essence, the exploit is jumping several layers of the stack.”
Google Project Zero has taken Carnegie Mellon’s research and used it to develop an exploit that allows attackers to leverage the rowhammer technique as a means of gaining kernel privileges on x86-64 Linux.
Seaborn and Dullien tested their exploit on 29 x86 laptops that use DDR3 DRAM. In at least 15 cases, they were able to subvert the systems.
By contrast, the team had little to no success on desktop computers, which they attribute to these machines using newer RAM fitted with error-correcting code (ECC) memory that can detect bit flips.
ECC is not the only obstacle to this exploit, however. Successful attacks so far have been local rather than remote. Additionally, rowhammering requires 540,000 memory accesses in 64 milliseconds to predetermined DRAM rows, a demand that could make this particular exploit impractical for attackers.
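The article says ECC memory can detect bit flips, which is the mitigation a defender most wants to understand. As an added illustration (not code from the article, Project Zero or the Carnegie Mellon paper), the C program below implements a scaled-down SECDED (single-error-correct, double-error-detect) Hamming code over a single byte: 8 data bits, 4 Hamming check bits and one overall parity bit. Real DRAM ECC applies the same construction to 64-bit words with 8 check bits; that is an assumption about common hardware, not something the article states. The bit layout, the helper names and the sample byte 0xA5 are constructed here. The point it demonstrates: one flipped bit in a protected word is repaired and reported, two flipped bits in the same word are detected but cannot be repaired.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Toy SECDED Hamming code over one byte (13-bit codeword).
 * Hamming positions are 1-indexed; bit 0 holds the overall parity.
 *   check bits at 1, 2, 4, 8; data bits at 3, 5, 6, 7, 9, 10, 11, 12.
 * (Constructed layout; DRAM ECC uses the same idea on 64-bit words.)
 */
static const int DATA_POS[8]   = {3, 5, 6, 7, 9, 10, 11, 12};
static const int PARITY_POS[4] = {1, 2, 4, 8};

#define GETBIT(w, i) (((w) >> (i)) & 1u)

enum secded_status {
    SECDED_OK = 0,             /* codeword intact */
    SECDED_CORRECTED = 1,      /* one flipped bit found and repaired */
    SECDED_UNCORRECTABLE = 2   /* two flipped bits: detected, cannot repair */
};

/* XOR of all bits in w (1 if an odd number of bits are set). */
static unsigned parity_of(uint16_t w)
{
    unsigned p = 0;
    while (w) { p ^= w & 1u; w >>= 1; }
    return p;
}

uint16_t secded_encode(uint8_t data)
{
    uint16_t cw = 0;
    for (int k = 0; k < 8; k++)
        cw |= (uint16_t)(GETBIT(data, k) << DATA_POS[k]);
    /* Check bit p covers every position whose index has bit p set. */
    for (int j = 0; j < 4; j++) {
        int p = PARITY_POS[j];
        unsigned par = 0;
        for (int i = 1; i <= 12; i++)
            if ((i & p) && i != p) par ^= GETBIT(cw, i);
        cw |= (uint16_t)(par << p);
    }
    /* Overall parity in bit 0 makes the whole 13-bit word even parity. */
    cw |= (uint16_t)parity_of(cw);
    return cw;
}

enum secded_status secded_decode(uint16_t cw, uint8_t *data_out)
{
    /* Syndrome = XOR of the indices of set bits: 0 for a valid codeword,
       equal to i when exactly one bit at index i has flipped. */
    unsigned syndrome = 0;
    for (int i = 1; i <= 12; i++)
        if (GETBIT(cw, i)) syndrome ^= (unsigned)i;
    unsigned overall = parity_of(cw);   /* 1 iff an odd number of bits flipped */
    enum secded_status st = SECDED_OK;

    if (overall) {
        /* Odd flip count: treat as a single error and repair it.
           Syndrome 0 here means the overall parity bit itself flipped. */
        cw ^= (uint16_t)(1u << syndrome);
        st = SECDED_CORRECTED;
    } else if (syndrome) {
        /* Even flip count with nonzero syndrome: two flips, refuse to guess. */
        return SECDED_UNCORRECTABLE;
    }
    uint8_t d = 0;
    for (int k = 0; k < 8; k++)
        d |= (uint8_t)(GETBIT(cw, DATA_POS[k]) << k);
    *data_out = d;
    return st;
}

/* Encode data, flip the bits in flipmask (simulating a disturbance in the
   stored word), decode. Returns (status << 8) | recovered byte, with the
   byte reported as 0 when the word is uncorrectable. */
int secded_trial(uint8_t data, uint16_t flipmask)
{
    uint8_t out = 0;
    enum secded_status st =
        secded_decode((uint16_t)(secded_encode(data) ^ flipmask), &out);
    return ((int)st << 8) | (st == SECDED_UNCORRECTABLE ? 0 : out);
}

int main(void)
{
    /* 0xA5 is a constructed sample byte. */
    printf("intact:    0x%04X\n", secded_trial(0xA5, 0));
    printf("one flip:  0x%04X\n", secded_trial(0xA5, 1u << 6));
    printf("two flips: 0x%04X\n", secded_trial(0xA5, (1u << 6) | (1u << 10)));
    return 0;
}
```

The practical takeaway for a defender is the middle case: a correctable error is silently repaired but counted, and a run of corrected single-bit errors concentrated in one physical region is the kind of signal worth alerting on, while the uncorrectable case is one the system has no safe way to continue from. SECDED makes no promise about three or more flips in one word, so the decoder's "odd flip count" branch would mis-repair such a word; that limit is inherent to the code, not to this toy.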
As more is learned about this exploit, Seaborn and Dullien are asking DRAM, CPU and BIOS makers to release more information on what they are doing to mitigate rowhammer-type vulnerabilities in their devices.