'Rowhammer' attack flips bits in memory to root Linux
Ouch! Google crocks capacitors and deviates DRAM to take control of the kernel
Last summer Google gathered a bunch of leet security researchers as its Project Zero team and instructed them to find unusual zero-day flaws. They've had plenty of success on the software front – but on Monday announced a hardware hack that's a real doozy.
The technique, dubbed "rowhammer", rapidly writes and rewrites memory to force capacitor errors in DRAM, which can be exploited to gain control of the system. By repeatedly recharging one line of RAM cells, bits in an adjacent line can be altered, thus corrupting the data stored.
This corruption can lead to the wrong instructions being executed, or control structures that govern how memory is assigned to programs being altered – the latter case can be used by a normal program to gain kernel-level privileges.
The Project Zero team has now built two working exploits that successfully use the aforementioned technique to hijack control of x86 computers running Linux, and say they could do the same with other operating systems. This work is based on research [PDF] by Kim et al at Carnegie Mellon University and Intel.
The proof-of-concept exploit code flips bits in RAM to alter the page tables for a process, allowing an attacker to gain access to all physical RAM including the kernel's. From this point, memory protection mechanisms and other security measures can be bypassed, and structures within the operating system tampered with to take over the machine.
"One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process," the team reports.
"When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory."
The team tested the exploit on 29 x86 laptops built between 2010 and 2014 and using DDR3 DRAM. In 15 cases the team could successfully subvert the systems in minutes, and found DRAM made by a variety of memory manufacturers is susceptible to the attack.
While this was a high cracking rate, the team reported almost no success on desktop machines. This is possibly because those computers use newer RAM with error-correcting memory (ECC), which makes rowhammer attacks on the kernel much harder to accomplish, or that laptops have denser and lower-power RAM that's easier to corrupt.
Successful attacks against servers – particularly ones that cut corners with their RAM – are not impossible.
"There are some cheap hosting environments where this is possible, running cheap servers without ECC memory, with separate user accounts instead of using virtual machines," explained Rob Graham from Errata Security. "However, such environments tend to be so riddled with holes that there are likely easier routes to exploitation than this one."
The Google team also said that newer firmware versions change how the BIOS configures the CPU’s memory controller to reduce the effectiveness of rowhammer attacks by increasing the DRAM refresh rate. This increased the time to crack the system from five to 40 minutes, but still the system fell.