International academic researchers have discovered a new variant of the Rowhammer attack, which they named RAMBleed, that can be carried out even on a system that is patched against Rowhammer. What is unfamiliar about RAMBleed is that it targets devices to steal information, whereas earlier Rowhammer attacks alter existing data or elevate an attacker's privileges. Where malicious hackers have previously relied on malware such as trojans, this is a new way of stealing data that anti-malware programs cannot stop.
A researcher from Google had already discovered the first Rowhammer attack, which introduced an innovative technique for exploiting computer memory to gain kernel-level system privileges. This highlights the growing fear that application security controls may be rendered useless if the underlying hardware is vulnerable. For years, vendors have been aware of the Rowhammer DRAM flaw, and researchers had thought a reliable exploit was almost impossible. But a new proof of concept could have wide implications for enterprise hardware.
Rowhammer is a vulnerability in commodity dynamic random access memory (DRAM) chips that allows an attacker to exploit devices that use DRAM. Rowhammer exploits a flaw in DRAM by repeatedly accessing, or hammering, a row of memory until it causes bit flips: transistors in adjacent rows of memory reverse their binary state, so ones turn into zeros and vice versa. This vulnerability can even be exploited via JavaScript, which allows an attacker to escape a web browser's security sandbox and gain access to the system.
Researchers tested a selection of laptops and found that a subset of them exhibited the problem. They built two working privilege-escalation exploits that use this effect; one of them uses Rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process.
RAMBleed, the new variant of the Rowhammer attack, is a side-channel attack that enables an attacker to read out physical memory belonging to other processes. A side-channel attack (SCA) is a security exploit that involves collecting information about what a computing device does while it performs cryptographic operations and using that information to reverse engineer the device's cryptographic system. Violating arbitrary privilege boundaries in this way has numerous implications, whose severity varies with the other software running on the target machine.
Researchers found that by reading the data stored in one row over and over again, they could induce an electrical charge that would alter the data stored in nearby memory rows. Row hammering could thereby be used either to cause data corruption or to manipulate data in malicious ways.
The researchers said in a statement that because physical memory is shared among all processes in the system, this puts all processes at risk. While the end-to-end attack they demonstrated read out OpenSSH 7.9's RSA key, RAMBleed can potentially read any data stored in memory. In practice, what can be read depends on the victim program's memory access patterns.
The researchers do not believe that RAMBleed has ever been exploited in the wild, but they said that the only way to mitigate the risk of attack is to upgrade to DDR4 memory with targeted row refresh (TRR) enabled.