Rowhammer Variant Bypasses Countermeasures
Written by Karolis Liucveikis on
Security researchers have developed a variant of the Rowhammer attack that is able to bypass all the current countermeasures proposed against it. The blanket term Rowhammer has come to describe a security exploit that takes advantage of the fact that hardware vendors are cramming too many memory cells together on the same boards in order to make smaller components with larger memory storage. An attacker can exploit this by bombarding rows of RAM memory cells with constant read-write operations, causing the memory cells to change their electrical charge. This means that the stored data can be modified from 1 to 0, or alternatively from 0 to 1, thus altering information stored on the computer. By altering the stored information in this way, the attacker is able to deliver malicious code that alters normal OS behavior to escalate the attacker's privileges, root devices, or cause denial-of-service states in crucial services, such as security software.
Latest variant
In a new paper published this past Monday, researchers who have previously worked on discovering Rowhammer-related exploits describe a way to launch attacks capable of bypassing all recent mitigations put in place by hardware vendors. To bypass the countermeasures currently employed, the researchers narrowed down the Rowhammer data bombardment to one single row of memory cells, instead of multiple locations. The researchers explained, “We do not hammer multiple DRAM rows but only keep one DRAM row constantly open… Our new exploitation technique [...] bypasses recent isolation mechanisms by flipping bits in a predictable and targeted way in userspace binaries.” According to the research team’s results, a similar style attack can take between 44.4 and 137.8 hours, but this shouldn't be a problem if an attacker targets online servers and cloud providers, most of which have 99.9% uptime.
In the paper, titled “Another Flip in the Wall of Rowhammer Defenses”, the researchers also abused a feature incorporated by Intel to protect against such attacks, called Intel SGX (Software Guard Extensions), “to hide the attack entirely from the user and the operating system, making any inspection or detection of the attack infeasible.” This revised Rowhammer attack can be used for denial-of-service attacks on cloud environments, and also for privilege escalation on personal computers.
Past discoveries of Rowhammer exploits
It is not only traditional RAM chips that can be bombarded to change data; research released earlier this year showed that Solid State Drives (SSDs) are also susceptible to similar styled Rowhammer attacks. This rewriting of data is done by a process termed “program interference”, which occurs when an attacker manages to write data with a certain pattern to a target's SSD. The data pattern generated by the attack causes the MLC's programming logic to cause 4.9 more errors than usual, which comes with the side-effect of triggering interference in neighboring NAND flash memory cells. NAND flash memory chips are the building blocks of solid-state drives (SSDs). Unlike RAM chips, NAND chips are non-volatile, meaning they don't lose their electrical charge (aka the user's data) after the computer is shut off. SSDs since 2015 have incorporated multi-level cell (MLC) programming, which made them vulnerable to a data pattern attack.
SSDs are also vulnerable to a second type of attack, termed “read disturb”. In this instance the attacker's exploit code causes the SSD to perform a large number of read operations in a very short time, which causes a phenomenon of “read disturb errors.” Read disturb errors corrupt both pages that are already written to partially-programmed wordlines and pages that have yet to be written. This, in turn, can destroy the SSD's ability to store data reliably.
Since Rowhammer attacks came to light in 2014, security researchers across the globe have been looking into the potential issue. In numerous papers published since 2014, it has been determined that:
- Rowhammer attacks work against DDR3 and DDR4 memory cards
- Rowhammer attacks can be done with mundane JavaScript and not necessarily via specialized malware
- Attackers could take over Windows machines by attacking Edge with a Rowhammer attack
- Attackers could use Rowhammer to take over Linux-based virtual machines installed in cloud hosting providers
- Attackers could use a Rowhammer attack to root Android devices
Industry’s response to the problem
Given that so much research was dedicated to a problem that could unleash a wide variety of possible attacks via hardware, and that similar attacks could reduce the lifespan of the hardware itself, manufacturers began to incorporate countermeasures suggested by the researchers. In summary, the following countermeasures have been incorporated by manufacturers since 2014:
- Monitoring CPU performance counters for frequent accesses to DRAM cells
- Monitoring memory access patterns for unusual high-frequency accesses of memory cells in the same DRAM bank
- Static analysis of binary code for common Rowhammer code
- Preventing abuse of memory exhaustion pages
- User and kernel memory cells are physically isolated through the memory allocator, preventing Rowhammer attack code from affecting kernel memory pages
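An added illustration, not code from the article or the paper, of the access-pattern monitoring countermeasure in the list above. It contrasts a heuristic that looks for several hot rows in one DRAM bank with a per-row count, run over constructed traces; the trace format, window length and threshold are assumptions chosen for the example.

```python
from collections import Counter, defaultdict

WINDOW_NS = 64_000_000   # assumed counting window (64 ms), hypothetical value
ROW_THRESHOLD = 1000     # assumed "abnormal" activations per row per window

def windows(trace):
    """Group (timestamp_ns, bank, row) samples into per-window counters."""
    out = defaultdict(Counter)
    for ts, bank, row in trace:
        out[ts // WINDOW_NS][(bank, row)] += 1
    return out

def multi_row_alerts(trace):
    """Heuristic A: alert only when two or more rows of one bank are hot."""
    alerts = []
    for win, counts in sorted(windows(trace).items()):
        hot = defaultdict(list)
        for (bank, row), n in counts.items():
            if n >= ROW_THRESHOLD:
                hot[bank].append(row)
        alerts += [(win, bank, sorted(rows))
                   for bank, rows in sorted(hot.items()) if len(rows) >= 2]
    return alerts

def per_row_alerts(trace):
    """Heuristic B: alert on any single row with an abnormal count."""
    return [(win, bank, row, n)
            for win, counts in sorted(windows(trace).items())
            for (bank, row), n in sorted(counts.items())
            if n >= ROW_THRESHOLD]

def make_trace(rows, per_row, bank=3, step_ns=50):
    """Constructed sample data: interleaved activations of `rows` in one bank."""
    return [(i * step_ns, bank, rows[i % len(rows)])
            for i in range(per_row * len(rows))]

# Constructed traces (not measurements): ordinary spread-out activity,
# two alternating rows, and a single row kept busy.
BENIGN = make_trace(list(range(200, 300)), 20)
MULTI_ROW = make_trace([100, 102], 2000)
ONE_LOCATION = make_trace([100], 2000)

if __name__ == "__main__":
    for name, t in [("benign", BENIGN), ("multi-row", MULTI_ROW),
                    ("one-location", ONE_LOCATION)]:
        print(name, "A:", multi_row_alerts(t), "B:", per_row_alerts(t))
```

Both heuristics assume the monitor can observe the accesses at all, which the SGX technique described earlier is reported to prevent.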
Even Intel was listening and the tech giant began implementing changes to help prevent their processors from being abused. In July of this year, Intel announced it would be releasing the Intel Core i9 7900X with modified architecture. The modified architecture is believed by researchers to make exploitation of side-channel attacks a lot harder. This improvement in CPU security is attributed to a new cache architecture that Intel developed for the Knights microarchitecture and Skylake server CPU models, and which Intel added to i9, a line of CPU models for HEDT (High-End-DeskTop) products. Malware analyst Anders Fogh stated that the small modifications will block Flush+Flush attacks and some of the Rowhammer attacks, but not CLFlush and Flush+Reload. Further, he mentioned, “Having a non-inclusive L3 cache is significantly more secure from a side channel perspective than an inclusive in cross core scenarios. This opens up for defending these attacks, by isolating different security domains on different cores potentially dynamically. While flush+reload is likely to be unaffected, this attack is also the easiest to thwart in real life scenarios as avoiding shared memory cross security domains is an available and effective countermeasure.”
While the new processor will mark an improvement in security, only high-end products will benefit initially from the improvements. Mid-range and low-end products might have to wait a while longer to see such benefits incorporated.