Security researchers at Google’s Project Zero team have demonstrated that is possible to hijack the Intel-compatible PCs running Linux by exploiting the physical weaknesses in certain varieties of DDR DRAM (double data rate dynamic random-access memory) chips.
By exploiting the technique, dubbed “rowhammer” the hackers can obtain higher kernel privileges on the target system. Rowhammer is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows, this means that theoretically an attacker can change any value of the bit in the memory.
Researcher Mark Seaborn published a detailed analysis of the techniques to exploit the rowhammer problem.
” We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. -induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.” read the post published by Google’s Project Zero.
To better understand the Rowhammer flaw, let’s remember that a DDR memory is arranged in an array of rows and columns. Blocks of memory are assigned to various services and applications. To avoid that an application accesses the memory space reserved by another application, it implements a “sandbox” protection mechanism.
Bit flipping technique caused by the Rowhammer problems could be exploited to evade the sendbox.
The researchers started from a previous study conducted by Yoongu Kim titled “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors”. The expert with a team of colleagued demonstrated that, by repeatedly accessing two “aggressor” memory locations within the process’s virtual address space, they can cause bit flips in a third, “victim” location.
“The victim location is potentially outside the virtual address space of the process — it is in a different DRAM row from the aggressor locations, and hence in a different 4k page (since rows are larger than 4k in modern systems). As a result, hammering two aggressor memory regions can disturb neighbouring locations, causing charge to leak into or out of neighbouring cells.” states the blog post from Project Zero.
In modern chip, DRAMs have a high capacity and it is hard to prevent DRAM cells from interacting electrically with each other.
The Project Zero hacking elite team has demonstrated two proof-of-concept exploits that allowed them to control several x86 computers running Linux, according to the experts the attacks could work with other operating systems as well.
Below the details of the two attacks:
The team of experts at Project Zero provided also provided instruction to mitigate the rowhammer flaw and in particular the kernel privilege escalation attack.
Researchers changed Native Client to disallow the x86 CLFLUSH instruction that is necessary for the success of the exploit.
“We have mitigated this by changing NaCl to disallow the CLFLUSH instruction.” suggested the team.
A mitigation for the second exploit is very hard to achieve on existing machines, the second exploit runs as a normal x86-64 process on Linux and escalates privilege to gain access to all of physical memory.
The experts tested the exploits on eight x86 notebook computers, produced between 2010 and 2014, and using five different vendors of DDR3 DRAM on five different CPU families. Project Zero released the “Program for testing for the DRAM “rowhammer” problem” on Github.
Seaborn tested the exploits on 29 different machines and obtained a bit flip in 15 cases, the worrying news is that the lack of an observed bit flip does not mean that the DRAM isn’t necessarily exploitable.
“While an absence of bit flips during testing on a given machine does not automatically imply safety, it does provide some baseline assurance that causing bit flips is at least difficult on that machine,” Seaborn said.
A possible defense against the rowhammer exploitation attack is the use of ECC memory that uses extra bits to help correct errors, but that is more expensive. The attack is not effective against the latest DDR4 silicon or DIMMs that contain ECC capabilities.
“The biggest threat at the moment appears to be to desktops/laptops, because they have neither ECC memory nor virtual machines. In particular, there seems to be a danger with Google’s native client (NaCl) code execution. This a clever sandbox that allows the running of native code within the Chrome browser, so that web pages can run software as fast as native software on the system. This memory corruption defeats one level of protection in NaCl. Nobody has yet demonstrated how to use this technique in practice to fully defeat NaCl, but it’s likely somebody will discover a way eventually,” said researcher Robert Graham of Errata Security.
The project Zero team is urging DRAM manufacturers, chip makers, and BIOS creators adopt the necessary measures to mitigate rowhammer security issues and divulge how they have done it.
(Security Affairs – Rowhammer, hacking)