The Hacker News Logo
Subscribe to Newsletter

DRAM Rowhammer vulnerability Leads to Kernel Privilege Escalation

dram-rowHammer-vulnerability
Security researchers have find out ways to hijack the Intel-compatible PCs running Linux by exploiting the physical weaknesses in certain varieties of DDR DRAM (double data rate dynamic random-access memory) chips and gaining higher kernel privileges on the system.

The technique, dubbed "rowhammer", was outlined in a blog post published Monday by Google's Project Zero security initiative, a team of top security researchers dedicatedly identifies severe zero-day vulnerabilities in different software.

Rowhammer is a problem with recent generation DRAM chips in which repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row which could allow anyone to change the value of contents stored in computer memory.

WHAT IS ROWHAMMER BUG
DDR memory is arranged in an array of rows and columns, which are assigned to various services, applications and OS resources in large blocks. In order to prevent each application from accessing the memory of other application, they are kept in a "sandbox" protection layer.

However, Sandbox protection can be bypassed using Bit flipping technique in which a malicious application needs to repeatedly access adjacent rows of memory in a tiny fraction of a second.

As a result, hammering two aggressor memory regions can disturb neighbouring locations, causing charge to leak into or out of neighbouring cells.
With enough accesses, this can change a cell’s value from 1 to 0 or vice versa. In other words, the selected zero area will be transferred to the victims, or vice versa.” researchers explained.
The Bit flipping technique was first presented in an experimental study paper published by Carnegie Mellon University, entitled, "Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors."

Bit flipping technique shouldn’t be confused with Buffer overflow or use-after-free memory corruption techniques where an attacker funnels malicious shellcode into protected regions of victim’s computer. 


TWO WORKING EXPLOITS DEMONSTRATE THE FLAW
As we know, DRAM manufacturing scales down chip features to smaller physical dimensions. Latest Technology demands more memory capacity onto a chip, so it has become harder to prevent DRAM cells from interacting electrically with each other.

The Project Zero team has folded such bit flipping into an actual attack by demonstrating two proof-of-concept exploits that successfully take over control of many x86 computers running Linux and believes the same could be done with other operating systems as well.
  1. First, Page table entries (PTEs) based exploit uses rowhammer induced bit flips to achieve kernel privileges on x86-64 Linux and hence, gain read-write access to entire of physical memory.
  2. Second exploit demonstrates the exploitation of same vulnerability by escaping from the Native Client sandbox.
MITIGATION TECHNIQUES
Cyber Security experts also provided a way to mitigate kernel privilege escalation attack. Researchers changed Native Client to disallow the x86 CLFLUSH instruction that’s required to make the first exploit works. 

Whereas, preventing the Row Hammer exploit with the second proof-of-concept is a more difficult task to achieve on existing machines.

With the help of above exploits, the Project Zero team conducted tests on eight models of x86 notebook computers, built between 2010 and 2014, using five different vendors of DDR3 DRAM and five different CPU families. A large subset of these machines i.e. 15 out of 29 were found to be vulnerable.

The above attack doesn't work against the latest DDR4 silicon or DIMMs that contain ECC (error correcting code) capabilities.

Project Zero team is asking DRAM manufacturers, CPU makers, and BIOS creators to release details about the steps they've taken to mitigate rowhammer-like security issues on their products.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.