Serious Rowhammer Attacks Can Now Be Carried Out Remotely

Serious Rowhammer Attacks Can Now Be Carried Out Remotely

Over the last few years, we’ve seen an increasing number of hacks and exploits targeting fundamental properties of underlying hardware, rather than relying on software vulnerabilities. One such attack, Rowhammer, targets specific areas of memory and then hammers adjacent rows in an attempt to cause a bit flip in the target area. It’s a serious vulnerability, one that’s difficult to completely address, but it used to have a weakness: local access. All previously known Rowhammer attack methods required privilege escalation, which means the attacker had to have already found and exploited a weakness within the system. Unfortunately, that’s no longer true. Researchers have found that you can trigger a Rowhammer attack using network packets.

The reason Rowhammer attacks can now be launched remotely is because networks are fast enough to support the attack vector. In order to make Rowhammer work, you need to rapidly pound the same row of memory (and here’s a more in-depth explanation of how Rowhammer works). The authors write:

Modern NICs are able to transfer large amounts of network traffic to remote memory. In our experimental setup, we observed bit flips when accessing memory 560,000 times in 64 ms, which translates to 9 million accesses per second. Even regular 10 Gbps Ethernet cards can easily send 9 million packets per second to a remote host that end up being stored on the host’s memory.

Rowhammer targets either the single purple row to flip the yellow bits or can target both yellow rows to flip the purple bits.
Rowhammer targets either the single purple row to flip the yellow bits or can target both yellow rows to flip the purple bits.

Now, this might seem hilarious, given how few people actually have access to 10GigE, but there’s more risk than one might think at first glance. As compute workloads move to the cloud, we’re effectively centralizing more data in large installations — installations that have access to, and can sustain 10GigE transfer rates. The question of whether centralizing such data repositories with companies like Amazon and Microsoft is better or worse than keeping data locally in house depends on how good your security team is and what kind of protections they implement. But according to the team at VU Amsterdam and the University of Cyprus, it’s possible to launch Rowhammer attacks using a commodity 10Gbps network and RDMA (Remote Direct Memory Access, used for high-speed, low-latency networking). These types of networks are also present in corporations, universities, and other organizations — 10GigE is vanishingly rare in personal computing, but more common elsewhere.

As clocks and performance improved, exploits became possible.
As clocks and performance improved, exploits became possible.

I don’t want to overdraw the comparison between Rowhammer and Spectre/Meltdown, but if you’re thinking that this represents another class of attacks that works in part because of performance improvements we’ve integrated into silicon, well, you wouldn’t be wrong. Reading DMA buffers quickly enough allows Rowhammer to launch attacks at memory space outside the protected DMA buffers, thereby compromising remote memcached servers without relying on any software bugs.

The team notes that our existing Rowhammer defenses simply aren’t strong enough to guard against these types of attacks. ECC and Targeted Row Refresh are not foolproof, software defenses like ANVIL rely on performance counters that aren’t used for DMA access, and CATT only protects user-space attacks. It is possible to defend against this attack, however — it just requires a new approach to the problem. By constructing “guard zones” around the memory space allocated for DMA buffers, the Rowhammer attack can be mitigated against.

The team has built a tool to test for bit flips in a target system to check how vulnerable it is to this attack method, dubbed Throwhammer, and expect to make it publicly available in the near future. The full results of their testing and mitigation evaluation are available here.

Continue reading

Verizon to Begin Carrier-Locking Its Smartphones Again
Verizon to Begin Carrier-Locking Its Smartphones Again

Verizon has announced that it will begin locking phones again, at least until they're activated. Verizon says this is to combat device theft, but it seems like Verizon just wants an excuse to lock its phones down again.

Your Cell Carrier Is Selling Your Location Data
Your Cell Carrier Is Selling Your Location Data

You can thank the shady world of data aggregators for this potentially egregious violation of your privacy.

South Korean Carrier Will Start Selling the iPhone 3GS Again
South Korean Carrier Will Start Selling the iPhone 3GS Again

Customers will be able to pick up a brand new decade-old iPhone for just 44,000 won (about $41), no contract required.

OnePlus Plans 5G Phone for 2019, Possible US Carrier Deals
OnePlus Plans 5G Phone for 2019, Possible US Carrier Deals

CEO and co-founder Pete Lau says the Chinese company is looking into deals with US carriers as well as rolling out its first 5G phone.