Serious Rowhammer Attacks Can Now Be Carried Out Remotely

Serious Rowhammer Attacks Can Now Be Carried Out Remotely

Over the last few years, we’ve seen an increasing number of hacks and exploits targeting fundamental properties of underlying hardware, rather than relying on software vulnerabilities. One such attack, Rowhammer, targets specific areas of memory and then hammers adjacent rows in an attempt to cause a bit flip in the target area. It’s a serious vulnerability, one that’s difficult to completely address, but it used to have a weakness: local access. All previously known Rowhammer attack methods required privilege escalation, which means the attacker had to have already found and exploited a weakness within the system. Unfortunately, that’s no longer true. Researchers have found that you can trigger a Rowhammer attack using network packets.

The reason Rowhammer attacks can now be launched remotely is because networks are fast enough to support the attack vector. In order to make Rowhammer work, you need to rapidly pound the same row of memory (and here’s a more in-depth explanation of how Rowhammer works). The authors write:

Modern NICs are able to transfer large amounts of network traffic to remote memory. In our experimental setup, we observed bit flips when accessing memory 560,000 times in 64 ms, which translates to 9 million accesses per second. Even regular 10 Gbps Ethernet cards can easily send 9 million packets per second to a remote host that end up being stored on the host’s memory.

Rowhammer targets either the single purple row to flip the yellow bits or can target both yellow rows to flip the purple bits.
Rowhammer targets either the single purple row to flip the yellow bits or can target both yellow rows to flip the purple bits.

Now, this might seem hilarious, given how few people actually have access to 10GigE, but there’s more risk than one might think at first glance. As compute workloads move to the cloud, we’re effectively centralizing more data in large installations — installations that have access to, and can sustain 10GigE transfer rates. The question of whether centralizing such data repositories with companies like Amazon and Microsoft is better or worse than keeping data locally in house depends on how good your security team is and what kind of protections they implement. But according to the team at VU Amsterdam and the University of Cyprus, it’s possible to launch Rowhammer attacks using a commodity 10Gbps network and RDMA (Remote Direct Memory Access, used for high-speed, low-latency networking). These types of networks are also present in corporations, universities, and other organizations — 10GigE is vanishingly rare in personal computing, but more common elsewhere.

As clocks and performance improved, exploits became possible.
As clocks and performance improved, exploits became possible.

I don’t want to overdraw the comparison between Rowhammer and Spectre/Meltdown, but if you’re thinking that this represents another class of attacks that works in part because of performance improvements we’ve integrated into silicon, well, you wouldn’t be wrong. Reading DMA buffers quickly enough allows Rowhammer to launch attacks at memory space outside the protected DMA buffers, thereby compromising remote memcached servers without relying on any software bugs.

The team notes that our existing Rowhammer defenses simply aren’t strong enough to guard against these types of attacks. ECC and Targeted Row Refresh are not foolproof, software defenses like ANVIL rely on performance counters that aren’t used for DMA access, and CATT only protects user-space attacks. It is possible to defend against this attack, however — it just requires a new approach to the problem. By constructing “guard zones” around the memory space allocated for DMA buffers, the Rowhammer attack can be mitigated against.

The team has built a tool to test for bit flips in a target system to check how vulnerable it is to this attack method, dubbed Throwhammer, and expect to make it publicly available in the near future. The full results of their testing and mitigation evaluation are available here.

Continue reading

Plex Media Servers Being Used to Amplify DDoS Attacks
Plex Media Servers Being Used to Amplify DDoS Attacks

The researchers claim that a Plex server, properly utilized, can increase the size of DDoS packets by almost five times, making these attacks much more damaging. There's not much Plex users can do about it right now, either.

Cyberpunk Developer Hit with Ransomware Attack
Cyberpunk Developer Hit with Ransomware Attack

The perpetrators claim to have swiped source code to the company's games, as well as embarrassing internal documents. All will be released unless CDPR pays up, which it says it isn't going to do.

Apple Files Lawsuit Against NSO Group for its Pegasus Spyware Attacks
Apple Files Lawsuit Against NSO Group for its Pegasus Spyware Attacks

Apple has announced a lawsuit against NSO Group and its parent company over its Pegasus spyware, seeking to prevent the group from using any of Apple's services and hardware in the future.

Nvidia Hit by Possible Cyber Attack
Nvidia Hit by Possible Cyber Attack

Reports indicate the attack began at the same time as the Russian incursion into Ukraine.