A team of academic researchers has discovered a follow-on to the Rowhammer class of attacks that allows attackers to read memory data on a target Windows computer, without actually accessing the memory itself. The method is dubbed RAMBleed.
Andrew Kwong and Daniel Genkin at the University of Michigan, Daniel Gruss at Graz University of Technology and Yuval Yarom at University of Adelaide have disclosed the attack method, which, by observing Rowhammer-induced bit flips in memory, can deduce the values in nearby dynamic random-access memory (DRAM) rows.
The original 2015 Rowhammer flaw is a method for repeatedly hammering on rows of cells of memory in devices to induce cells to flip from one state to another. Specifically, repeated accesses to rows in DRAM can lead to bit flips in neighboring rows (not only the direct neighbors), even if these neighboring rows are not accessed, according to the researchers.
Attackers can exploit these cross-process bit flips for a myriad of purposes, including privilege escalation and complete device takeover. Google’s Project Zero initially discovered the Rowhammer vulnerability and showed how a malicious app could produce these bit flips in cells and gain kernel-level privileges to laptops and PCs.
RAMBleed (CVE-2019-0174) is taking a new approach, using Rowhammer as a read side-channel to access the bits that “bleed” out of the RAM.
“Previous attacks exploited the Rowhammer effect to write (or flip) bits in the victim’s memory. RAMBleed is different in that it uses Rowhammer for reading data stored inside the computer’s physical memory,” the researchers explained in a write-up on the attack, posted Tuesday. “As the physical memory is shared among all process in the system, this puts all processes at risk.”
In a proof-of-concept (PoC) end-to-end attack, researchers demonstrated that they could read an OpenSSH 7.9 RSA key – and potentially any data stored in memory – via a Rowhammer as a side channel.
“Rowhammer-induced bit flips are data-dependent, i.e. a bit is more likely to flip when the bits above and below it have the opposite charge,” the researchers explained. “This creates a data-dependent side-channel, wherein an attacker can deduce the values of bits in nearby rows by observing bit flips in her own memory rows. Finally, as the data in nearby rows might belong to a different process, this leakage breaks the isolation boundaries enforced by the operating system.”
To develop an exploit, the team placed the victim’s secret data in the rows above and below the attacker’s memory row. This causes the bit flips in the attacker’s rows to depend on the values of the victim’s secret data.
“The attacker can then use Rowhammer to induce bit flips in her own memory, thereby leaking the victim’s secret data,” the researchers said.
The team said that any system that uses Rowhammer-susceptible dual in-line memory modules (DIMMs) is vulnerable. That extends beyond PCs to Android devices; in 2016, researchers figured out how the PC-based Rowhammer attack technique could be applied to Android devices and give an attacker root access to millions of Android handsets including Nexus, Samsung, LG and Motorola. And in 2018, researchers demonstrated direct memory access (DMA)-based Rowhammer attacks against the latest Android OS, consisting of a root exploit, and a series of app-to-app exploit scenarios that bypass all defenses.
“We suspect that many classes of computers are susceptible to RAMBleed,” said the researchers.
RAMBleed attackers must be local, making for a low-severity CVSS v.3 rating of 3.8 (researchers said they considered in-the-wild attacks to be “unlikely”). Users can mitigate their risk by upgrading their memory to DDR4 with targeted row refresh (TRR) enabled, according to the research.
Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.