'Rowhammer' attack flips bits in memory to root Linux

Ouch! Google crocks capacitors and deviates DRAM to take control of the kernel


Last summer Google gathered a bunch of leet security researchers as its Project Zero team and instructed them to find unusual zero-day flaws. They've had plenty of success on the software front – but on Monday announced a hardware hack that's a real doozy.

The technique, dubbed "rowhammer", rapidly writes and rewrites memory to force capacitor errors in DRAM, which can be exploited to gain control of the system. By repeatedly recharging one line of RAM cells, bits in an adjacent line can be altered, thus corrupting the data stored.

This corruption can lead to the wrong instructions being executed, or control structures that govern how memory is assigned to programs being altered – the latter case can be used by a normal program to gain kernel-level privileges.

The Project Zero team has now built two working exploits that successfully use the aforementioned technique to hijack control of x86 computers running Linux, and say they could do the same with other operating systems. This work is based on research [PDF] by Kim et al at Carnegie Mellon University and Intel.

The proof-of-concept exploit code flips bits in RAM to alter the page tables for a process, allowing an attacker to gain access to all physical RAM including the kernel's. From this point, memory protection mechanisms and other security measures can be bypassed, and structures within the operating system tampered with to take over the machine.

"One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process," the team reports.

"When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory."

The team tested the exploit on 29 x86 laptops built between 2010 and 2014 and using DDR3 DRAM. In 15 cases the team could successfully subvert the systems in minutes, and found DRAM made by a variety of memory manufacturers is susceptible to the attack.

While this was a high cracking rate, the team reported almost no success on desktop machines. This is possibly because those computers use newer RAM with error-correcting memory (ECC), which makes rowhammer attacks on the kernel much harder to accomplish, or that laptops have denser and lower-power RAM that's easier to corrupt.

Successful attacks against servers – particularly ones that cut corners with their RAM – are not impossible.

"There are some cheap hosting environments where this is possible, running cheap servers without ECC memory, with separate user accounts instead of using virtual machines," explained Rob Graham from Errata Security. "However, such environments tend to be so riddled with holes that there are likely easier routes to exploitation than this one."

The Google team also said that newer firmware versions change how the BIOS configures the CPU’s memory controller to reduce the effectiveness of rowhammer attacks by increasing the DRAM refresh rate. This increased the time to crack the system from five to 40 minutes, but still the system fell.

The team has released code to Github that can be used to test Linux and Mac OS X systems for the vulnerability, and has set up a mailing list for researchers to expand on its results. ®

Similar topics


Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022