|Subject: [NYLXS - HANGOUT] DRAM exploit
check this out
Cutting-edge hack gives super user status by exploiting DRAM weakness
"Rowhammer" attack goes where few exploits have gone before, into
by Dan Goodin - Mar 10, 2015 3:01 am UTC
Enlarge / DDR3 DIMMs like this one are susceptible to a hack known as
"rowhammering," which alters the contents stored in computer memory.
Tobias b köhler
In one of more impressive hacks in recent memory, researchers have
devised an attack that exploits physical weaknesses in certain types of
DDR memory chips to elevate the system rights of untrusted users of
Intel-compatible PCs running Linux.
The technique, outlined in a blog post published Monday by Google's
Project Zero security initiative, works by reversing individual bits of
data stored in DDR3 chip modules known as DIMMs. Last year, scientists
proved that such "bit flipping" could be accomplished by repeatedly
accessing small regions of memory, a feat that—like a magician who
transforms a horse into a rabbit—allowed them to change the value of
contents stored in computer memory. The research unveiled Monday showed
how to fold such bit flipping into an actual attack.
"The thing that is really impressive to me in what we see here is in
some sense an analog- and manufacturing-related bug that is potentially
exploitable in software," David Kanter, senior editor of the
Microprocessor Report, told Ars. "This is reaching down into the
underlying physics of the hardware, which from my standpoint is cool to
see. In essence, the exploit is jumping several layers of the stack."
DDR memory is laid out in an array of rows and columns, which are
assigned in large blocks to various applications and operating system
resources. To protect the integrity and security of the entire system,
each large chunk of memory is contained in a "sandbox" that can be
accessed only by a given app or OS process. Bit flipping works when a
hacker-developed app or process accesses two carefully selected rows of
memory hundreds of thousands of times in a tiny fraction of a second. By
hammering the two "aggressor" memory regions, the exploit can reverse
one or more bits in a third "victim" location. In other words, selected
zeros in the victim region will turn into ones or vice versa.
The ability to alter the contents of forbidden memory regions has
far-reaching consequences. It can allow a user or application who has
extremely limited system privileges to gain unfettered administrative
control. From there, a hacker may be able to execute malicious code or
hijack the operations of other users or software programs. Such
elevation-of-privilege hacks are especially potent on servers available
in data centers that are available to multiple customers.
The vulnerability works only on newer types of DDR3 memory and is the
result of the ever smaller dimensions of the silicon. With less space
between each DRAM cell, it becomes increasingly hard to prevent one cell
from interacting electrically with its neighbors. By repeatedly
accessing one or more carefully selected memory locations, attackers can
exploit this volatility, causing the charge to leak into or out of
adjacent cells. With enough accesses, the technique can change the value
of a cell. The attack doesn't work against newer DDR4 silicon or DIMMs
that contain ECC, short for error correcting code, capabilities.
Mark Seaborn, described as a "sandbox builder and breaker," along with
reverse engineer Thomas Dullien, developed two "rowhammer" exploits
that, when run as unprivileged processes, were able to gain kernel
privileges on an x86-64 Linux system. The first exploit ran as a Native
Client module on top of Google Chrome. Once Google developers became
aware of the exploit, they disallowed the CLFLUSH instruction that's
required to make the exploit work. The second exploit, which ran as a
normal Linux process and gained access to all physical memory, will be
harder to mitigate on existing machines.
There are other things that made the exploits impressive. Irene
Abezgauz, a product VP at Dyadic Security and an experienced penetration
testing professional, told Ars:
The Project Zero guys took on the challenge of leveraging the
concept of rowhammer into an actual exploit. What's impressive is the
combination of lots of deep technical knowledge with quite a bit of
hacker creativity. What they did was create attack techniques in which
flipping just a single bit in a specific location allows them to execute
any code they want with root privileges or escape a sandbox. This is
impressive by itself, but they added to this quite a few creative
solutions to make it more likely to succeed in a real world scenario and
not just in the lab. They figured out ways for better targeting of the
specific locations in memory they needed to flip, improved the chances
of the attack to succeed by creating ("spraying") multiple locations
where a flipped bit would make the right impact, and came up with
several ideas to leverage this into actual privileged code execution.
This combination makes for one of the coolest exploits I've seen in a
The attackers didn't identify the specific models of DDR3 that are
susceptible to the attack. While their proof-of-concept exploits
targeted a Linux computer running x86-64 hardware, the same technique
would likely work against a variety of platforms.
The results are impressive, but for a variety of reasons right now, the
attacks appear to be more theoretical than practical. For one, the
attack appears to allow only local, rather than remote, exploitation, a
limitation that significantly curtails its appeal to real-world hackers.
And for another, bit flipping works only against certain pre-determined
rows. What's more, rowhammering requires more than 540,000 memory
accesses in just 64 milliseconds. Unless refinements are made, the
demands could make it impractical for attackers to use the technique to
reliably hijack a system.
Bit flipping shouldn't be mistaken as a class of memory corruption
exploit, such as a buffer overflow or a use-after-free, both of which
allow attackers to funnel malicious shell code into protected regions of
a computer. Rowhammering, by contrast, allows for escalation of
privileges, which while serious, is a much more nuanced type of
incursion. Rob Graham, CEO of Errata Security, published this blog post
that details additional challenges and technical details.
Still, the ability to exploit physical weaknesses in the hardware is a
highly novel type of attack that breaks new ground and may not be easy
"This is not like software, where in theory we can go patch the software
and get a patch distributed via Windows update within the next two to
three weeks," Kanter, of the Microprocessor Report, said. "If you want
to actually fix this problem, we need to go out and replace, on a DIMM
by DIMM basis, billions of dollars' worth of DRAM. From a practical
standpoint that's not ever going to happen."