RAMBleed, a new Side-Channel Attack that allows stealing sensitive data

Pierluigi Paganini June 12, 2019

Security researchers disclosed the details of RAMBleed, a new type of side-channel attack on DRAM that allows stealing sensitive data from memory.

A team of academics from several universities has disclosed the details of a new type of side-channel attack on dynamic random-access memory (DRAM), dubbed RAMBleed. The RAMBleed issue, tracked as CVE-2019-0174, could be used by attackers to obtain sensitive data from the system’s memory.

“RAMBleed is based on a previous side channel called Rowhammer, which enables an attacker to flip bits in the memory space of other processes. We show in our paper that an attacker, by observing Rowhammer-induced bit flips in her own memory, can deduce the values in nearby DRAM rows. Thus, RAMBleed shifts Rowhammer from being a threat not only to integrity, but confidentiality as well.” wrote the experts.


RAMBleed is based on the Rowhammer attack technique devised by researchers at the Google Project Zero team back in 2015.

To better understand the Rowhammer flaw, recall that DDR memory is arranged in an array of rows and columns. Blocks of memory are assigned to various services and applications. To prevent an application from accessing the memory space reserved for another application, the system enforces a “sandbox” protection mechanism.

The bit-flipping behaviour caused by the Rowhammer problem could be exploited to escape the sandbox.

The researchers at Google Project Zero started from a previous study conducted by Yoongu Kim titled “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors”. 

In modern chips, DRAM has a high capacity, and it is hard to prevent DRAM cells from interacting electrically with each other.

The Project Zero team demonstrated two proof-of-concept exploits that allowed them to gain control of several x86 computers running Linux; according to the experts, the attacks could work with other operating systems as well.

Now researchers from the University of Michigan, Graz University of Technology and University of Adelaide demonstrated that an attacker with limited privileges can use a Rowhammer attack to deduce bits in nearby rows. This means that an attacker could obtain data associated with other processes and the kernel.

Previous Rowhammer attack techniques were based on write side channels: attackers leveraged persistent bit flips, which can be mitigated by error-correcting code (ECC) memory. RAMBleed is different because it relies on a read side channel and does not require persistent bit flips.

“It is widely assumed however, that bit flips within the adversary’s own private memory have no security implications, as the attacker can already modify its private memory via regular write operations. We demonstrate that this assumption is incorrect, by employing Rowhammer as a read side channel.” reads the research paper. “More specifically, we show how an unprivileged attacker can exploit the data dependence between Rowhammer induced bit flips and the bits in nearby rows to deduce these bits, including values belonging to other processes and the kernel.”

The researchers developed new memory massaging techniques to carefully place the victim’s secret data in the rows above and below the attacker’s memory row. In this way, they caused the bit flips in the attacker’s rows to depend on the values of the victim’s secret data.

“The attacker can then use Rowhammer to induce bit flips in her own memory, thereby leaking the victim’s secret data,” added the researchers.

The experts demonstrated the RAMBleed attack by targeting OpenSSH and leaking a 2048-bit RSA key. Of course, this is just one possible target; the technique could be used to steal other potentially sensitive data.

RAMBleed has been shown to work against devices using DDR3 and DDR4 memory modules, but it could potentially affect many other computers.

Experts suggest upgrading memory modules to DDR4 with targeted row refresh (TRR) enabled, because it makes exploitation of the flaw harder.
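As an added illustration (not the researchers' code and not a working exploit), the following Python model shows why data-dependent flips in the attacker's own row leak the bits of the neighbouring rows described above, and why TRR cuts the channel off. The bank layout, the weak cells, the simplified disturbance rule and the direct writes that stand in for memory massaging are all constructed assumptions of the model.

```python
"""Toy model of the RAMBleed read side channel (constructed illustration).
Assumptions: a bank is a list of bit rows; a few cells are 'weak'; a weak
cell holding 1 in row r flips to 0 when rows r-1 and r+1 are hammered while
both hold 0 at the same column (simplified data-dependent disturbance)."""
import random

ROW_BITS = 32

class ToyDram:
    def __init__(self, n_rows, weak_cols, trr=False):
        self.rows = [[0] * ROW_BITS for _ in range(n_rows)]
        self.weak_cols = set(weak_cols)   # physical property of the DIMM
        self.trr = trr                    # targeted row refresh mitigation

    def write(self, r, bits):
        self.rows[r] = list(bits)

    def hammer(self, r):
        """Repeatedly activate rows r-1 and r+1; return the columns of row r
        that flipped 1 -> 0 under the model's disturbance rule."""
        if self.trr:
            return set()   # TRR refreshes row r before its charge leaks away
        above, mid, below = self.rows[r - 1], self.rows[r], self.rows[r + 1]
        flipped = {c for c in self.weak_cols
                   if mid[c] == 1 and above[c] == 0 and below[c] == 0}
        for c in flipped:
            mid[c] = 0
        return flipped

def template(dram, r):
    """Phase 1: the attacker owns rows r-1..r+1, fills r with 1s and the
    neighbours with 0s, hammers, and records which cells are flippable."""
    dram.write(r - 1, [0] * ROW_BITS)
    dram.write(r + 1, [0] * ROW_BITS)
    dram.write(r, [1] * ROW_BITS)
    return dram.hammer(r)

def read_neighbours(dram, r, flippable):
    """Phase 2: with copies of the victim's secret in rows r-1 and r+1, the
    attacker hammers and reads back its own row r: a flip at a flippable
    column means the secret bit there is 0, no flip means it is 1."""
    dram.write(r, [1] * ROW_BITS)
    flipped = dram.hammer(r)
    return {c: (0 if c in flipped else 1) for c in flippable}

def run(trr=False, seed=7):
    rng = random.Random(seed)                      # constructed sample data
    dram = ToyDram(3, rng.sample(range(ROW_BITS), 6), trr=trr)
    flippable = template(dram, 1)                  # empty when TRR is on
    secret = [rng.randint(0, 1) for _ in range(ROW_BITS)]
    dram.write(0, secret)   # memory massaging, modelled as direct writes
    dram.write(2, secret)
    return secret, read_neighbours(dram, 1, flippable)
```

Only the weak columns are recoverable, which is why the real attack needs a templating phase and many flippable cells; with TRR the templating phase finds none and the deduction never starts.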

At the time of writing there is no evidence that RAMBleed has been exploited in attacks in the wild.


Pierluigi Paganini

(SecurityAffairs – RAMBleed, hacking)
