Researchers have found a new variation of the Rowhammer attack technique they have dubbed RAMpage. The vulnerability could allow an adversary to create an exploit to gain administrative control over targeted Android smartphones and tablets. The flaw impacts Android devices dating back to 2012.
RAMpage follows a string of Rowhammer variants that have come to light since 2015 when researchers initially identified the flaw in DRAM memory in laptops and PCs.
“Over the last two years, the Rowhammer bug transformed from a hard-to-exploit DRAM disturbance error into a fully weaponized attack vector,” researchers wrote. “[Today] we present rampage, a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of (1) a root exploit, and (2) a series of app-to-app exploit scenarios that bypass all defenses.”
Direct memory access (DMA) is defined by Techopedia as a “method that allows an input/output (I/O) device to send or receive data directly to or from the main memory, bypassing the CPU to speed up memory operations. The process is managed by a chip known as a DMA controller (DMAC).”
The original 2015 Rowhammer flaw is a method for repeatedly hammering on rows of cells of memory in DRAM devices to induce cells to flip from one state to another. This type of bit flipping is also described as electrical crosstalk or transistor leakage. Google’s Project Zero initially discovered the Rowhammer vulnerability and showed how a malicious app could produce these bit flips in cells and gain kernel-level privileges to laptops and PCs.
In 2016, researchers figured out how the PC-based Rowhammer attack technique could be applied to Android devices and give an attacker root access to millions of Android handsets including Nexus, Samsung, LG and Motorola.
This Drammer attack differed slightly from Rowhammer in that it relies on the Flip Feng Shui exploitation technique. A Flip Feng Shui exploitation technique carefully selects the sizes of the portion of memory where dynamically allocated memory resides (heap). Next, the Rowhammer attack targets that portion of memory which can “flip” – or change the state of adjacent memory bits – creating circumstances ripe for memory manipulation. Those bit flips could include simply changing a 0-to-1 or 1-to-0, according to researchers.
The latest variant, RAMpage, works in similar ways. It targets an Android’s universal generic memory management system called ION introduced by Google in 2011 as part of Android 4.0. It’s part of a subsystem used to manage and allocate memory. An attack consists of a write and refresh request on the device’s RAM until it flips a bit in an adjacent row. This opens the door to the device compromise.
The prerequisite for a likely attack is a user installing an unprivileged app capable of carrying out the attack. “We consider an attacker with full control over a zero-permissions holding, unprivileged Android app that is running on the victim’s device,” researchers wrote.
The good news is the researchers have also released a tool called Guardion, a software-based mitigation against rampage attacks. “It prevents an attacker from modifying critical datastructures by carefully enforcing a novel isolation policy,” researchers wrote. “Although Guardion is not deployed in operating systems yet, there are ongoing efforts to realize this. The source code for Guardion is available online in the form of Android kernel patch.” Currently the patch is not widely available and only tested for Google Pixel, running Android 7.1.1 (Nougat).
RAMpage researchers credited for the discovery include Victor van der Veen, Martina Lindorfer, Yanick Fratantonio, Harikrishnan Padmanabha Pillai, Giovanni Vigna, Christopher Kruegel, Herbert Bos, and Kaveh Razavi. Universities include Vrije Universiteit Amsterdam, Amrita University India, UC Santa Barbara and the French graduate school Eurecom.