RAMBleed picks up Rowhammer, smashes DRAM until it leaks apps' crypto-keys, passwords, other secrets

Boffins blast boards to boost bits

Bit boffins from Australia, Austria, and the US have expanded upon the Rowhammer memory attack technique to create more dangerous variation called RAMBleed that can expose confidential system memory.

The memory integrity issue tied to Rowhammer was known to Intel since at least 2012 and began to be explored in academic research in 2014. The following year, Google Project Zero researchers developed an exploit technique to gain kernel privileges by repeatedly writing to memory locations into order to change adjacent memory cells – a consequence of the electrical interaction between close-packed DRAM circuitry.

In a paper released online on Tuesday – with the now obligatory vulnerability illustration and dedicated domain, rambleed.com – Andrew Kwong (University of Michigan), Daniel Genkin (University of Michigan), Daniel Gruss (Graz University of Technology, and Yuval Yarom (University of Adelaide and Data61), describe a way to use the Rowhammer technique as a side channel to read data that should be off limits rather than write it.

It demonstrates it is possible for malware or a rogue user on a system to hammer bits in RAM to read information in memory belonging to other programs and users, and thus siphon off secrets in the process. This is not particularly brilliant for multi-tenant boxes in public clouds. The research is scheduled to be presented May, 2020, at the 41st IEEE Symposium on Security and Privacy.

"As opposed to previous Rowhammer attacks, which wrote to sensitive data, RAMBleed instead reads sensitive data, thereby breaching confidentiality," said Kwong, a doctoral student, in an email to The Register.

The boffins in their paper observe that Rowhammer has been assumed to be relatively benign because there aren't really any security implications to flipping bits within one's own private memory where one already has write privileges. But they say their findings show that assumption is incorrect, and note that one of the mitigations proposed for Rowhammer – using error-correcting code (ECC) memory as a means of ensuring memory integrity – fails to block RAMBleed.

Three fingers, no more, no less

3 is the magic number (of bits): Flip 'em at once and your ECC protection can be Rowhammer'd


"After profiling the target’s memory, we show how RAMBleed can leak secrets stored within the target’s physical memory, achieving a read speed of about 3–4 bits per second," the paper said.

Kwong said that while the attack was conducted with local code execution, its scope remains an open question. "Given the sophistication of the attack, I might characterize RAMBleed as being more academic for the moment, but as history has shown, what is academic research today soon becomes everybody's problem tomorrow," he said.

The researchers say they notified Intel, AMD, OpenSSH, Microsoft, Apple, and Red Hat of their findings, which were assigned CVE-2019-0174.

To prepare the attack, on Linux machines at least, the boffins abuse the Linux buddy allocator to ensure they have access to physically consecutive memory pages. After searching for bits that can be flipped using Rowhammer and recording these, the attack template is ready.

The researchers then exploit the predictability of the Linux physical memory allocator to coerce the victim's memory page in the desired physical location, a technique they refer to as "Frame Feng Shui." They then employ the RAMBleed technique to deduce the victim's memory bits.

According to Kwong, it took almost four hours to read out enough of a 2048-bit RSA encryption key such that they could recover the rest with a variant of the Heninger-Shacham algorithm.

The paper express skepticism about existing software mitigations, noting that RAMBleed can bypass software-based integrity checks and memory partitioning schemes. Hardware-based mitigations may help, though one proposed measure, PARA (probabilistic adjacent row activation) has not been widely adopted and only offers a probabilistic (rather than consistent) security guarantee.

RAMBleed has been demonstrated on devices with DDR3 memory chips, and Rowhammer's bit flipping on DDR4 components. DDR4 supports a defensive technique called Targeted Row Refresh, but its efficacy is uncertain. "Given the closed-source nature by which TRR is implemented, it is difficult for the security community to evaluate its effectiveness," said Kwong. "While bit flips have been demonstrated on TRR before, the extent to which TRR mitigates RAMBleed remains an open question."

Other techniques that may help include memory encryption, flushing keys from memory, and a less predictable memory allocator. ®

Similar topics

Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Apple gets lawsuit over Meltdown and Spectre dismissed
    Judge finds security is not a central feature of iDevices

    A California District Court judge has dismissed a proposed class action complaint against Apple for allegedly selling iPhones and iPads containing Arm-based chips with known flaws.

    The lawsuit was initially filed on January 8, 2018, six days after The Register revealed the Intel CPU architecture vulnerabilities that would later come to be known as Meltdown and Spectre and would affect Arm and AMD chips, among others, to varying degrees.

    Amended in June, 2018 the complaint [PDF] charges that the Arm-based Apple processors in Cupertino's devices at the time suffered from a design defect that exposed sensitive data and that customers "paid more for their iDevices than they were worth because Apple knowingly omitted the defect."

    Continue reading
  • Apple M1 chip contains hardware vulnerability that bypasses memory defense
    MIT CSAIL boffins devise PACMAN attack to let existing exploits avoid pointer authentication

    Apple's M1 chip has been found to contain a hardware vulnerability that can be abused to disable one of its defense mechanisms against memory corruption exploits, giving such attacks a greater chance of success.

    MIT CSAIL computer scientists on Friday said they have identified a way to bypass the M1 chip's pointer authentication, a security mechanism that tries to prevent an attacker from modifying memory references without being detected.

    In a paper titled "PACMAN: Attacking Arm Pointer Authentication with Speculative Execution," Joseph Ravichandran, ​​Weon Taek Na, Jay Lang, and Mengjia Yan describe how they were able to use speculative execution – the way in which modern processors perform calculations before they may or may not be needed, to accelerate execution – to discern the pointer authentication code that allows pointer modification on a protected system.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading

Biting the hand that feeds IT © 1998–2022