The Rowhammer – the evolution of a dangerous attack over the years

Back in 2015, security researchers at Google’s Project Zero team demonstrated how to hijack an Intel-compatible PCs running Linux by exploiting the physical weaknesses in certain varieties of DDR DRAM (double data rate dynamic random-access memory) chips.

The attack technique devised by the experts was dubbed “Rowhammer,” its exploitation could allow attackers to obtain higher kernel privileges on the target system.

The Rowhammer issue is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows, this means that theoretically, an attacker can change any value of the bit in the memory.

A research paper published by experts from the Carnegie Mellon University and the Intel Labs provides a detailed analysis of the techniques to exploit the Rowhammer issue.

“We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. -induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process,” read the post published by Google’s Project Zero.

“When run on a machine vulnerable to the Rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.”

To understand the way an attacker could exploit the Rowhammer issue, let’s remember that a DDR memory is arranged in an array of rows and columns. Blocks of memory are allocated to different services and applications.

A “sandbox” protection mechanism is implemented (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Pierluigi Paganini. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ccrOTI3nItI/