“RAMBleed Reading Bits in Memory Without Accessing Them.”
A team of security researchers has published a report on a relatively advanced and previously undetected variant of the Rowhammer attack called RAMBleed. Researchers claim that the new variant can be used for reading the contents of the physical memory instead of merely modifying it as it happens in every other attack.
Rawhammer is a cause of concern for security fraternity since it is an exploitable issue present in computer chips. Using this attack, hackers can easily and repeatedly access dynamic random-access memory (DRAM) rows or hammer.
This helps the attacker in inducing bit flips in other rows to enable them to perform miscellaneous functions such as obtaining root privileges, compromising Linux virtual machines on cloud servers, evading sandboxes, and remotely attacking Android devices to name a few.
RAMBleed uses Rowhammer attack to steal confidential data stored in the memory of a computer. Researchers successfully used the new Rowhammer variant for obtaining a signing key from an OpenSSH server. They didn’t use elevated user privileges to fulfill this task and in the end, they managed to read data that is stored in the physical memory of the computer. Previously, to carry out Rowhammer attack and make changes to the data, elevated privileges were necessary.
Researchers explained on the website rambleed.com that RAMBleed basically is a “side-channel” attack that allows an attacker to read physical memory of “other processes;” they also revealed that RAMBleed can read any type of data in the memory depending on the memory access patterns of the victim’s installed programs.
“RAMBleed is different in that it uses Rowhammer for reading data stored inside the computer’s physical memory. As the physical memory is shared among all process in the system, this puts all processes at risk,” the researchers wrote.
Moreover, Rowhammer doesn’t write side-channels but RAMBleed does by ensuring persistent bit flips. Researchers revealed that their read channel was a success even when the error-correcting code/ECC memory was protecting every single bit flip.
The implications of violation of arbitrary privilege boundaries are various and wide-ranged, researchers noted. These implications may vary in their severity as per the nature of software running on the targeted machine.
“In our paper [PDF], we demonstrate an attack against OpenSSH in which we use RAMBleed to leak a 2048 bit RSA key. However, RAMBleed can be used for reading other data as well.”
For their study, the team of researchers targeted Linux machines; they firstly abused the Linux buddy allocator for accessing consecutive memory pages. Afterward, they located and recorded the bits to be flipped with Rowhammer using what they refer to as the Frame Feng Shui technique. This is how they managed to manipulate physical memory allocator to move the memory page in their desired location. With the use of RAMBleed attack, they could extract the memory bits from the computer.
The team of researchers comprised of University of Michigan’s Andrew Kwong and Daniel Genkin, Graz University of Technology’s Daniel Gruss, University of Adelaide and Data61’s Yuval Yarom. The entire team unanimously affirmed [PDF] that this isn’t a real threat because it only can affect systems that use DIMMs that are susceptible to Rowhammer and vulnerable to RAMBleed.
There are many limitations that make the attack process ineffective such as the victim process is required to allocate memory in a predictable manner and reading memory rate is around 3-4 bits/sec. However, further research may make it a lot more effective in the near future. To prevent the threat, researchers urge that users and memory manufacturers should:
“[Upgrade] their memory to DDR4 with targeted row refresh (TRR) enabled. While Rowhammer-induced bit flips have been demonstrated on TRR, it is harder to accomplish in practice. Memory manufacturers can help mitigate this issue by more rigorously testing for faulty DIMMs. Furthermore, publicly documenting vendor specific TRR implementations will facilitate a stronger development process as security researchers probe such implementations for weaknesses”
The study was carried out with the support of Intel while the researchers have informed Microsoft, Apple, AMD, Red Hat and OpenSSH about their findings.