'Rowhammer' attack flips bits in memory to root Linux

Ouch! Google crocks capacitors and deviates DRAM to take control of the kernel

80 Reg comments Got Tips?

Last summer Google gathered a bunch of leet security researchers as its Project Zero team and instructed them to find unusual zero-day flaws. They've had plenty of success on the software front – but on Monday announced a hardware hack that's a real doozy.

The technique, dubbed "rowhammer", rapidly writes and rewrites memory to force capacitor errors in DRAM, which can be exploited to gain control of the system. By repeatedly recharging one line of RAM cells, bits in an adjacent line can be altered, thus corrupting the data stored.

This corruption can lead to the wrong instructions being executed, or control structures that govern how memory is assigned to programs being altered – the latter case can be used by a normal program to gain kernel-level privileges.

The Project Zero team has now built two working exploits that successfully hijack control of many x86 computers running Linux, and say they could do the same with other operating systems.

The proof-of-concept exploit code flips bits in RAM to alter the page tables for a process, allowing an attacker to gain access to all physical RAM including the kernel's. From this point, memory protection mechanisms and other security measures can be bypassed, and structures within the operating system tampered with to take over the machine.

"One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process," the team reports.

"When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory."

The team tested the exploit on 29 x86 laptops built between 2010 and 2014 and using DDR3 DRAM. In 15 cases the team could successfully subvert the systems in minutes, and found DRAM made by a variety of memory manufacturers is susceptible to the attack.

While this was a high cracking rate, the team reported almost no success on desktop machines. This is possibly because those computers use newer RAM with error-correcting memory (ECC), which makes rowhammer attacks on the kernel much harder to accomplish, or that laptops have denser and lower-power RAM that's easier to corrupt.

Successful attacks against servers – particularly ones that cut corners with their RAM – are not impossible.

"There are some cheap hosting environments where this is possible, running cheap servers without ECC memory, with separate user accounts instead of using virtual machines," explained Rob Graham from Errata Security. "However, such environments tend to be so riddled with holes that there are likely easier routes to exploitation than this one."

The Google team also said that newer firmware versions change how the BIOS configures the CPU’s memory controller to reduce the effectiveness of rowhammer attacks by increasing the DRAM refresh rate. This increased the time to crack the system from five to 40 minutes, but still the system fell.

The team has released code to Github that can be used to test Linux and Mac OS X systems for the vulnerability, and has set up a mailing list for researchers to expand on its results. ®


Keep Reading

Forget BYOD, this is BYOVM: Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems

Like Inception, but expensive and disappointing. So... just like Inception

Google Cloud ushers in the rise of the machine... images. You know, to capture and recreate VM snapshots?

Handy for capturing multi-disk VMs but limited restoration capabilities

Make sure you've patched your F5 BIG-IP gear. Exploit code for scary bug pair is so trivial, it fits in a tweet

In Brief Plus: What? No. No way. People would just do that? Go on Tor and use it to commit crimes?

Bad news: Google drops macOS zero-day after Apple misses bug deadline. Good news: It's fiddly to exploit

Step one: Run malware on your victim's machine. Step two: Mount some storage...

Virtual machines, real problems: VMware fixes bug trio including guest-to-host hole in Workstation, Fusion

Finally, something that isn't coronavirus related [delete this – ed.]

Google Cloud partially evaporates for hours amid power supply failure: Two US East Coast zones rattled

Networking, Kubernetes, storage, virtual machine systems hit by outage

Fellow AI nerds, beware: Google Cloud glitch leaves Nvidia T4 GPUs off estimated bills for some virtual machines

Wow, cool, they look free to use... *checks invoice the next day* ...They most certainly were not free

You know what would look great on our database? Your machine learning model: GPUs and unstructured data on the menu for Exasol as it tries to unify BI and ML

Keeping up in performance stakes vital as data science sector explodes, says analyst

Biting the hand that feeds IT © 1998–2020