Three years after Rowhammer was first revealed, two European researchers discuss new techniques that leverage the notorious DRAM flaw
Two new variants of Rowhammer were disclosed last week – both of which enable remote attacks on vulnerable systems.
Those who remember Rowhammer, disclosed back in 2015, will know that the vulnerability can exploit devices using dynamic random access memory (DRAM).
By repeatedly accessing – or ‘hammering’ – a row of memory cells, bits in an adjacent line can be flipped, therefore changing the data.
Rowhammer was one of the more interesting disclosures of the past few years, as its hardware nature allows attacks against systems with secure software.
But now, two more similar flaws have been unveiled – and they could prove to be even more severe.
Under the hammer
Dubbed Throwhammer and Nethammer, these two vulnerabilities have proven it’s possible to exploit the Rowhammer flaw remotely.
Throwhammer can trigger bit flips, as in Rowhammer, by sending network packets to the affected device at a high speed, without the need to access the machine via code injection or a malicious website.
Worryingly, this new technique can also exploit servers that do not run untrusted code.
Herbert Bos, researcher at Vrije Universiteit, Amsterdam, which joint authored the report with the University of Cyprus, explained to The Daily Swig: “It was generally assumed [that to be successful] required an attacker’s code executing on the victim machine.
“For instance, a native application, a co-hosted VM, or in an extreme case, JavaScript in a browser. Phrased differently: servers were safe.
“Not anymore. Throwhammer shows that just sending network packets to an affected computer at a fairly high speed, is enough to trigger bit flips and exploit a server.
“The reason is that the server receives the packets and writes them to memory, thereby accessing DRAM at high frequency (similar to a local attack), leading to the Rowhammer phenomenon.”
Nethammer can also trigger it remotely by using a similar attack method.
As with Throwhammer, an attacker doesn’t need direct access to the machine in order to exploit it – but the key difference lies in the way an assault is carried out.
While Throwhammer can only be carried out on machines using RDMA, Nethammer exploits intel CAT.
Researcher Moritz Lipp, of the University of Graz, Austria, who helped to discover the flaw, told The Daily Swig: “Throwhammer makes use of RDMA network cards and we utilize Intel CAT to induce bitflips remotely.
“So two different techniques are used achieving similar results.”
The original Rowhammer technique could be used by an attacker who already has limited access to a system to escalate their privileges.
Nethammer could also be used to achieve this result, Lipp commented – but the execution is no easy feat.
He added: “The attacker cannot control where the bit flip occurs and has no imminent way to check which memory areas they occur in, as they don’t control any code on the device.
“Thus, mounting controlled attacks to gain privilege escalation is rather difficult.”
As Bos noted, both attacks have limitations that hinder their widespread applicability in the short term.
He said: “In particular, Throwhammer can only be mounted against machines that use RDMA, a technology still absent on consumer platforms, but already common today in data centers.
“Nethammer, on the other hand, can only be mounted against machines that use a specific configuration of Intel CAT, with no instances known in today's production systems.”
Both research teams, which carried out their work independently from each other, advised computer users to protect against attacks by choosing a system that uses error-correcting code (ECC) memory.
ECC can identify and correct internal data corruption, and so far no Rowhammer attacks have been successful on machines employing it.
Bos noted: “Also, at the moment, no Rowhammer attacks have been effective if the system uses ECC memory. This memory is typically found in more expensive systems.
“If you have this or are able to use this, this will certainly make such attacks very hard.”