To better understand the Rowhammer flaw, let’s remember that a DDR memory is arranged in an array of rows and columns. Blocks of memory are assigned to various services and applications. To avoid that an application accesses the memory space reserved by another application, it implements a “sandbox” protection mechanism.

Bit flipping technique caused by the Rowhammer problems could be exploited to evade the sendbox.

The researchers started from a previous study conducted by Yoongu Kim titled “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors”. The expert with a team of colleagued demonstrated that, by repeatedly accessing two “aggressor” memory locations within the process’s virtual address space, they can cause bit flips in a third, “victim” location.

“The victim location is potentially outside the virtual address space of the process — it is in a different DRAM row from the aggressor locations, and hence in a different 4k page (since rows are larger than 4k in modern systems). As a result, hammering two aggressor memory regions can disturb neighbouring locations, causing charge to leak into or out of neighbouring cells.” states the blog post from Project Zero.

In modern chip, DRAMs have a high capacity and it is hard to prevent DRAM cells from interacting electrically with each other.

The Project Zero hacking elite team has demonstrated two proof-of-concept exploits that allowed them to control several x86 computers running Linux, according to the experts the attacks could work with other operating systems as well.

Below the details of the two attacks:

1. First, Page table entries (PTEs) based exploit uses rowhammer induced bit flips to achieve kernel privileges on x86-64 Linux and hence, gain read-write access to entire of physical memory.
2. Second exploit demonstrates the exploitation of same vulnerability by escaping from the Native Client sandbox.

The team of experts at Project Zero provided also provided instruction to mitigate the rowhammer flaw and in particular the kernel privilege escalation attack.

Researchers changed Native Client to disallow the x86 CLFLUSH instruction that is necessary for the success of the exploit.

“We have mitigated this by changing NaCl to disallow the CLFLUSH instruction.” suggested the team.

A mitigation for the second exploit is very hard to achieve on existing machines, the second exploit runs as a normal x86-64 process on Linux and escalates privilege to gain access to all of physical memory.

The experts tested the exploits on eight x86 notebook computers, produced between 2010 and 2014, and using five different vendors of DDR3 DRAM on five different CPU families. Project Zero released the “Program for testing for the DRAM “rowhammer” problem” on Github.

Seaborn tested the exploits on 29 different machines and obtained a bit flip in 15 cases, the worrying news is that the lack of an observed bit flip does not mean that the DRAM isn’t necessarily exploitable.

“While an absence of bit flips during testing on a given machine does not automatically imply safety, it does provide some baseline assurance that causing bit flips is at least difficult on that machine,” Seaborn said.

A possible defense against the rowhammer exploitation attack is the use of ECC memory that uses extra bits to help correct errors, but that is more expensive. The attack is not effective against the latest DDR4 silicon or DIMMs that contain ECC capabilities.

“The biggest threat at the moment appears to be to desktops/laptops, because they have neither ECC memory nor virtual machines. In particular, there seems to be a danger with Google’s native client (NaCl) code execution. This a clever sandbox that allows the running of native code within the Chrome browser, so that web pages can run software as fast as native software on the system. This memory corruption defeats one level of protection in NaCl. Nobody has yet demonstrated how to use this technique in practice to fully defeat NaCl, but it’s likely somebody will discover a way eventually,” said researcher Robert Graham of Errata Security.

The project Zero team is urging DRAM manufacturers, chip makers, and BIOS creators adopt the necessary measures to mitigate rowhammer security issues and divulge how they have done it.

Pierluigi Paganini

(Security Affairs –  Rowhammer, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]