• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Facebook wants access to your camera roll for AI photo edits

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 51

 | 

Security Affairs newsletter Round 530 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

The FBI warns that Scattered Spider is now targeting the airline sector

 | 

LapDogs: China-nexus hackers Hijack 1,000+ SOHO devices for espionage

 | 

Taking over millions of developers exploiting an Open VSX Registry flaw

 | 

OneClik APT campaign targets energy sector with stealthy backdoors

 | 

APT42 impersonates cyber professionals to phish Israeli academics and journalists

 | 

Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages

 | 

Cisco fixed critical ISE flaws allowing Root-level remote code execution

 | 

U.S. CISA adds AMI MegaRAC SPx, D-Link DIR-859 routers, and Fortinet FortiOS flaws to its Known Exploited Vulnerabilities catalog

 | 

CitrixBleed 2: The nightmare that echoes the 'CitrixBleed' flaw in Citrix NetScaler devices

 | 

Hackers deploy fake SonicWall VPN App to steal corporate credentials

 | 

Mainline Health Systems data breach impacted over 100,000 individuals

 | 

Disrupting the operations of cryptocurrency mining botnets

 | 

Prometei botnet activity has surged since March 2025

 | 

The U.S. House banned WhatsApp on government devices due to security concerns

 | 

Russia-linked APT28 use Signal chats to target Ukraine official with malware

 | 

China-linked APT Salt Typhoon targets Canadian Telecom companies

 | 

U.S. warns of incoming cyber threats following Iran airstrikes

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Exploiting the Rowhammer flaw in DRAM to control your PC

Exploiting the Rowhammer flaw in DRAM to control your PC

Pierluigi Paganini March 11, 2015

Researchers at Google’s Project Zero have demonstrated how to exploit Rowhammer problem in DRAM to gain kernel privileges on Linux systems.

Security researchers at Google’s Project Zero team have demonstrated that is possible to hijack the Intel-compatible PCs running Linux by exploiting the physical weaknesses in certain varieties of DDR DRAM (double data rate dynamic random-access memory) chips.

By exploiting the technique, dubbed “rowhammer” the hackers can obtain higher kernel privileges on the target system. Rowhammer is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows, this means that theoretically an attacker can change any value of the bit in the memory.

Rowhammer 2

Researcher Mark Seaborn published a detailed analysis of the techniques to exploit the rowhammer problem.

” We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. -induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.” read the post published by Google’s Project Zero.

To better understand the Rowhammer flaw, let’s remember that a DDR memory is arranged in an array of rows and columns. Blocks of memory are assigned to various services and applications. To avoid that an application accesses the memory space reserved by another application, it implements a “sandbox” protection mechanism.

Bit flipping technique caused by the Rowhammer problems could be exploited to evade the sendbox.

The researchers started from a previous study conducted by Yoongu Kim titled “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors”. The expert with a team of colleagued demonstrated that, by repeatedly accessing two “aggressor” memory locations within the process’s virtual address space, they can cause bit flips in a third, “victim” location.

“The victim location is potentially outside the virtual address space of the process — it is in a different DRAM row from the aggressor locations, and hence in a different 4k page (since rows are larger than 4k in modern systems). As a result, hammering two aggressor memory regions can disturb neighbouring locations, causing charge to leak into or out of neighbouring cells.” states the blog post from Project Zero.

In modern chip, DRAMs have a high capacity and it is hard to prevent DRAM cells from interacting electrically with each other.

The Project Zero hacking elite team has demonstrated two proof-of-concept exploits that allowed them to control several x86 computers running Linux, according to the experts the attacks could work with other operating systems as well.

Below the details of the two attacks:

  1. First, Page table entries (PTEs) based exploit uses rowhammer induced bit flips to achieve kernel privileges on x86-64 Linux and hence, gain read-write access to entire of physical memory.
  2. Second exploit demonstrates the exploitation of same vulnerability by escaping from the Native Client sandbox.

The team of experts at Project Zero provided also provided instruction to mitigate the rowhammer flaw and in particular the kernel privilege escalation attack.

Researchers changed Native Client to disallow the x86 CLFLUSH instruction that is necessary for the success of the exploit.

“We have mitigated this by changing NaCl to disallow the CLFLUSH instruction.” suggested the team.

A mitigation for the second exploit is very hard to achieve on existing machines, the second exploit runs as a normal x86-64 process on Linux and escalates privilege to gain access to all of physical memory.

The experts tested the exploits on eight x86 notebook computers, produced between 2010 and 2014, and using five different vendors of DDR3 DRAM on five different CPU families. Project Zero released the “Program for testing for the DRAM “rowhammer” problem” on Github.

Seaborn tested the exploits on 29 different machines and obtained a bit flip in 15 cases, the worrying news is that the lack of an observed bit flip does not mean that the DRAM isn’t necessarily exploitable.

“While an absence of bit flips during testing on a given machine does not automatically imply safety, it does provide some baseline assurance that causing bit flips is at least difficult on that machine,” Seaborn said.

A possible defense against the rowhammer exploitation attack is the use of ECC memory that uses extra bits to help correct errors, but that is more expensive. The attack is not effective against the latest DDR4 silicon or DIMMs that contain ECC capabilities.

“The biggest threat at the moment appears to be to desktops/laptops, because they have neither ECC memory nor virtual machines. In particular, there seems to be a danger with Google’s native client (NaCl) code execution. This a clever sandbox that allows the running of native code within the Chrome browser, so that web pages can run software as fast as native software on the system. This memory corruption defeats one level of protection in NaCl. Nobody has yet demonstrated how to use this technique in practice to fully defeat NaCl, but it’s likely somebody will discover a way eventually,” said researcher Robert Graham of Errata Security.

The project Zero team is urging DRAM manufacturers, chip makers, and BIOS creators adopt the necessary measures to mitigate rowhammer security issues and divulge how they have done it.

 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Rowhammer, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

you might also like

Pierluigi Paganini June 29, 2025
Facebook wants access to your camera roll for AI photo edits
Read more
Pierluigi Paganini June 29, 2025
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 51
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Facebook wants access to your camera roll for AI photo edits

    Social Networks / June 29, 2025

    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 51

    Breaking News / June 29, 2025

    Security Affairs newsletter Round 530 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / June 29, 2025

    The FBI warns that Scattered Spider is now targeting the airline sector

    Cyber Crime / June 28, 2025

    LapDogs: China-nexus hackers Hijack 1,000+ SOHO devices for espionage

    Malware / June 28, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT