Security Vulnerabilities

New Rowhammer Attack Bypassing Countermeasures

A new variation of the Rowhammer attack has been identified.

This attack is capable of bypassing all previous countermeasures, which can lead to personal systems being targeted. The aim of the attack is to achieve a privilege escalation or to target corporate cloud systems with denial of service attacks. The attack does, however, require access to the device via a low-level account from a previous exploit or other means.

The new variant of Rowhammer bombards a single row of memory cells instead of multiple locations. It is this change of method that allows the attack to bypass all previous mitigations. The downside for the attacker is that the attack takes longer to complete.

A research paper published by experts from Carnegie Mellon University and Intel Labs provides a detailed analysis of the techniques used to exploit the Rowhammer issue.

“‘Rowhammer’ is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses Rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process,” read the post published by Google’s Project Zero.

“When run on a machine vulnerable to the Rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.”
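To show why a flipped bit in a page table entry matters, the following added example (not code from Project Zero or from the original post) decodes an x86-64 4 KiB PTE and classifies what a single changed bit affects: the physical frame the page maps, its access rights, or neither. The sample PTE value is constructed, and the function and enum names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 4 KiB page table entry layout (architectural bit positions). */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_WRITE    (1ULL << 1)
#define PTE_USER     (1ULL << 2)
#define PTE_NX       (1ULL << 63)
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL /* bits 12..51: physical frame */

enum flip_effect { FLIP_NONE, FLIP_MULTI, FLIP_FRAME, FLIP_PERMISSION, FLIP_OTHER };

/* Physical address of the 4 KiB frame the entry maps. */
uint64_t pte_frame(uint64_t pte) { return pte & PTE_PFN_MASK; }

/* Classify the difference between a PTE before and after corruption. */
enum flip_effect classify_flip(uint64_t before, uint64_t after)
{
    uint64_t diff = before ^ after;
    if (diff == 0)
        return FLIP_NONE;
    if (diff & (diff - 1))          /* more than one bit differs */
        return FLIP_MULTI;
    if (diff & PTE_PFN_MASK)        /* entry now maps another frame */
        return FLIP_FRAME;
    if (diff & (PTE_PRESENT | PTE_WRITE | PTE_USER | PTE_NX))
        return FLIP_PERMISSION;     /* access rights changed */
    return FLIP_OTHER;              /* accessed/dirty/cache/ignored bits */
}

int main(void)
{
    /* Constructed sample: NX data page, frame 0x123456000, flags P|W|U|A|D. */
    uint64_t pte = 0x8000000123456067ULL;
    static const char *names[] = { "none", "multi-bit", "frame", "permission", "other" };
    int bits[] = { 1, 9, 21, 63 };

    for (unsigned i = 0; i < sizeof bits / sizeof bits[0]; i++) {
        uint64_t flipped = pte ^ (1ULL << bits[i]);
        printf("bit %2d: %-10s frame 0x%llx -> 0x%llx\n", bits[i],
               names[classify_flip(pte, flipped)],
               (unsigned long long)pte_frame(pte),
               (unsigned long long)pte_frame(flipped));
    }
    return 0;
}
```

A flip in bits 12 to 51 leaves the entry valid but pointing at a different physical frame, which is why a single corrupted bit in a page table undermines memory isolation.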

Experts at Project Zero published the “Program for testing for the DRAM ‘Rowhammer’ problem” on GitHub.

Affected Platforms:

Dynamic Random Access Memory (DRAM)

Resolution:

There is currently no workaround available.

Monitor logs on cloud networks to detect anomalies that could indicate a DoS attack is being attempted.

Monitor for development of new countermeasures being released.




 

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
