The Hacker News — Cyber Security, Hacking, Technology News

Last week, we reported about the first network-based remote Rowhammer attack, dubbed Throwhammer, which involves the exploitation a known vulnerability in DRAM through network cards using remote direct memory access (RDMA) channels.

However, a separate team of security researchers has now demonstrated a second network-based remote Rowhammer technique that can be used to attack systems using uncached memory or flush instruction while processing the network requests.

The research was carried out by researchers who discovered Meltdown and Spectre CPU vulnerabilities, which is independent of the Amsterdam researchers who presented a series of Rowhammer attacks, including Throwhammer published last week.

If you are unaware, Rowhammer is a critical issue with recent generation dynamic random access memory (DRAM) chips in which repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row, allowing attackers to change the contents of the memory.

The issue has since been exploited in a number of ways to escalate an attacker's privilege to kernel level and achieve remote code execution on the vulnerable systems, but the attacker needed access to the victim’s machine.

However, the new Rowhammer attack technique, dubbed Nethammer, can be used to execute arbitrary code on the targeted system by rapidly writing and rewriting memory used for packet processing, which would be possible only with a fast network connection between the attacker and victim.

This causes a high number of memory accesses to the same set of memory locations, which eventually induces disturbance errors in DRAM and causes memory corruption by unintentionally flipping the DRAM bit-value.

The resulting data corruption can then be manipulated by the attacker to gain control over the victim's system.

"To mount a Rowhammer attack, memory accesses need to be directly served by the main memory. Thus, an attacker needs to make sure that the data is not stored in the cache," the researcher paper [PDF] reads.

Since caching makes an attack difficult, the researchers developed ways that allowed them to bypass the cache and attack directly into the DRAM to cause the row conflicts in the memory cells required for the Rowhammer attack.

Researchers tested Nethammer for the three cache-bypass techniques:

• A kernel driver that flushes (and reloads) an address whenever a packet is received.
• Intel Xeon CPUs with Intel CAT for fast cache eviction
• Uncached memory on an ARM-based mobile device.

All three scenarios are possible, researchers showed.

In their experimental setup, researchers were successfully able to induce a bit flip every 350 ms by sending a stream of UDP packets with up to 500 Mbit/s to the target system.

Since the Nethammer attack technique does not require any attack code in contrast to a regular Rowhammer attack, for example, no attacker-controlled code on the system, most countermeasures do not prevent this attack.

Since Rowhammer exploits a computer hardware weakness, no software patch can completely fix the issue. Researchers believe the Rowhammer threat is not only real but also has potential to cause real, severe damage.

For more in-depth details on the new attack technique, you can head on to this paper, titled "Nethammer: Inducing Rowhammer Faults through Network Requests," published by the researchers earlier this week.

Exploitation of Rowhammer attack just got easier.

Dubbed ‘Throwhammer,’ the newly discovered technique could allow attackers to launch Rowhammer attack on the targeted systems just by sending specially crafted packets to the vulnerable network cards over the local area network.

Known since 2012, Rowhammer is a severe issue with recent generation dynamic random access memory (DRAM) chips in which repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row, allowing anyone to change the contents of computer memory.

The issue has since been exploited in a number of ways to achieve remote code execution on the vulnerable computers and servers.

Just last week, security researchers detailed a proof-of-concept Rowhammer attack technique, dubbed GLitch, that leverages embedded graphics processing units (GPUs) to carry out Rowhammer attacks against Android devices.

However, all previously known Rowhammer attack techniques required privilege escalation on a target device, meaning attackers had to execute code on targeted machines either by luring victims to a malicious website or by tricking them into installing a malicious app.

Unfortunately, this limitation has now been eliminated, at least for some devices.

Researchers at the Vrije Universiteit Amsterdam and the University of Cyprus have now found that sending malicious packets over LAN can trigger the Rowhammer attack on systems running Ethernet network cards equipped with Remote Direct Memory Access (RDMA), which is commonly used in clouds and data centers.

Since RDMA-enabled network cards allow computers in a network to exchange data (with read and write privileges) in the main memory, abusing it to access host’s memory in rapid succession can trigger bit flips on DRAM.

"We rely on the commonly-deployed RDMA technology in clouds and data centers for reading from remote DMA buffers quickly to cause Rowhammer corruptions outside these untrusted buffers," researchers said in a paper [PDF] published Thursday.

"These corruptions allow us to compromise a remote Memcached server without relying on any software bug."

Since triggering a bit flip requires hundreds of thousands of memory accesses to specific DRAM locations within tens of milliseconds, a successful Throwhammer attack would require a very high-speed network of at least 10Gbps.

In their experimental setup, researchers achieved bit flips on a targeted server after accessing its memory 560,000 times in 64 milliseconds by sending packets over LAN to its RDMA-enabled network card.

Since Rowhammer exploits a computer hardware weakness, no software patch can completely fix the issue. Researchers believe the Rowhammer threat is not only real but also has potential to cause real, severe damage.

For more in-depth details on the new attack technique, you can head on to this paper [PDF], titled "Throwhammer: Rowhammer Attacks over the Network and Defenses," published by the researchers on Thursday.