A team of academics from several universities has disclosed the details a new type of side-channel attack on dynamic random-access memory (DRAM), dubbed RAMBleed. The RAMBleed issue, tracked as CVE-2019-0174, could be used by attackers to potentially obtain from the system’s memory sensitive data.
To better understand the Rowhammer flaw, let’s remember that a DDR memory is arranged in an array of rows and columns. Blocks of memory are assigned to various services and applications. To avoid that an application accesses the memory space reserved by another application, it implements a “sandbox” protection mechanism.
Bit flipping technique caused by the Rowhammer problems could be exploited to evade the sendbox.
The researchers at Google Project Zero started from a previous study conducted by Yoongu Kim titled “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors”.
In modern chip, DRAMs have a high capacity and it is hard to prevent DRAM cells from interacting electrically with each other.
The Project Zero hacking elite team demonstrated two proof-of-concept exploits that allowed them to control several x86 computers running Linux, according to the experts the attacks could work with other operating systems as well.
Now researchers from the University of Michigan, Graz University of Technology and University of Adelaide demonstrated that an attacker with limited privileges can use a
Previous Rowhammer attack techniques were based on write side-channels, attackers leverage persistent bit flips that can be mitigated by error-correcting code (ECC) memory. RAMBleed is different because it relies on a read side-channel and it does not require persistent bit flips.
“It is widely assumed however, that bit flips within the adversary’s own private memory have no security implications, as the attacker can already modify its private memory via regular write operations. We demonstrate that this assumption is incorrect, by employing Rowhammer as a read side channel.” reads the research paper. “More specifically, we show how an unprivileged attacker can exploit the data dependence between Rowhammer induced bit flips and the bits in nearby rows to deduce these bits, including values belonging to other processes and the kernel.”
The researchers developed new memory massaging techniques to carefully place the victim’s secret data in the rows above and below the attacker’s memory row, In this was they caused the bit flips in the attacker’s rows to depend on the values of the victim’s secret data.
“The attacker can then use Rowhammer to induce bit flips in her own memory, thereby leaking the victim’s secret data,” added the researchers.
The experts RAMBleed demonstrated the RAMBleed attack by targeting OpenSSH and leaking a 2048-bit RSA key, of course it is just a possible target but the technique could be used to steal other potentially sensitive data.
RAMBleed is effective work against devices using DDR3 and DDR4 memory modules, but it potentially works with many other computers.
Experts suggest to upgrade memory modules to DDR4 with targeted row refresh (TRR) enabled, because it makes hard the exploitation of the flaw.
At the time there is no evidence that RAMBleed has been exploited in attacks in the wild.