
How to get superuser status using DRAM vulnerability: Rowhammer technique



Information security researchers from Google have created an exploit that abuses a physical weakness of certain types of DDR memory chips to escalate the privileges of untrusted users on Intel-compatible computers running Linux.

In a post on the Project Zero blog, Google specialists described a technique for exploiting a vulnerability that consists in flipping individual data bits (bit flipping) stored in DDR3 memory modules, known as DIMMs. Last year, researchers showed that such bit flips can be induced by repeatedly accessing small areas of memory, which alters the data stored nearby. Google's researchers have now shown how this can be turned into a real attack.
“The most impressive thing here is the fact that we are witnessing how a completely analog problem at the hardware manufacturer level can be used to attack software. [...] Simply put, the exploit just jumps over several levels of the stack,” says David Kanter, editor-in-chief of the Microprocessor Report.

How it works


DDR memory is an array of rows and columns, which are divided into blocks used by different applications and the operating system. To protect the safety and integrity of the whole system, each large region of memory is isolated, like a sandbox, so that only a particular application or operating-system process can access it.

A hacker can launch a program that accesses specific rows of such a region in a memory module thousands of times within a fraction of a second, as if “hammering” on them, until the electromagnetic disturbance spreads into the neighbouring memory region and flips the values of bits there from zero to one and vice versa. This technique is called Rowhammer.

The ability to alter the contents of “forbidden” areas of memory can have far-reaching consequences. For example, users or applications with limited system privileges can escalate them to unauthorized administrative control.

That, in turn, allows the attacker to run malicious code or intercept the actions of users or programs. Such an attack on, for example, servers in a data center that serve thousands of users could cause significant damage.

It is not all that bad


The vulnerability is present only in newer types of DDR3 memory, whose DRAM cells are packed more densely, which makes it easier for one cell to affect another electromagnetically. The attack will not work on new DDR4 modules, which support error-correcting code (ECC).
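The ECC the article credits with stopping the attack is, on a standard ECC DIMM, a SECDED code over each 64-bit word: single-error-correcting, double-error-detecting, with 8 check bits added to 64 data bits. The following is an added illustration, not code from the article or from Google's research: a (72,64) extended Hamming encoder/decoder in which a simulated single-bit flip (the effect Rowhammer induces) is corrected and a simulated double flip is flagged as uncorrectable. The bit layout, function names and sample words are this example's own choices.

```python
"""SECDED Hamming (72,64) encoder/decoder, the code shape used by ECC DIMMs.

Added illustration, not code from the article: it shows why a single
flipped bit in an ECC-protected 64-bit word is corrected and a double
flip is detected, and how a simulated disturbance flip is handled.
"""

# Codeword bit positions 1..71: 7 Hamming parity bits sit at the
# powers of two, the 64 data bits fill the remaining positions.
# Position 0 holds an overall parity bit, giving 72 bits in total.
CODEWORD_BITS = 72
PARITY_POS = [1 << i for i in range(7)]            # 1, 2, 4, ..., 64
DATA_POS = [p for p in range(1, CODEWORD_BITS) if p not in PARITY_POS]
assert len(DATA_POS) == 64


def _parity(value):
    """Return 1 if value has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def encode(data):
    """Encode a 64-bit integer into a 72-bit SECDED codeword."""
    if not 0 <= data < (1 << 64):
        raise ValueError("data must fit in 64 bits")
    cw = 0
    for i, pos in enumerate(DATA_POS):
        if (data >> i) & 1:
            cw |= 1 << pos
    # Parity bit p covers every position whose index has bit p set.
    for p in PARITY_POS:
        covered = 0
        for pos in range(1, CODEWORD_BITS):
            if pos & p:
                covered ^= (cw >> pos) & 1
        cw |= covered << p
    # Overall parity over positions 1..71 makes the whole word even.
    cw |= _parity(cw)
    return cw


def decode(cw):
    """Return (data, status); status is "ok", "corrected" or "uncorrectable".

    data is None when the word is uncorrectable (two flips detected).
    """
    syndrome = 0
    for pos in range(1, CODEWORD_BITS):
        if (cw >> pos) & 1:
            syndrome ^= pos          # XOR of set positions; 0 for a clean word
    overall_odd = _parity(cw)        # 1 if an odd number of bits flipped

    if syndrome == 0 and not overall_odd:
        status = "ok"
    elif overall_odd:
        # A single flip: at position `syndrome`, or at the overall parity
        # bit itself (position 0) when the syndrome is clean.
        cw ^= 1 << syndrome
        status = "corrected"
    else:
        # Syndrome set but overall parity even: two flips, cannot locate.
        return None, "uncorrectable"

    data = 0
    for i, pos in enumerate(DATA_POS):
        if (cw >> pos) & 1:
            data |= 1 << i
    return data, status


def flip_bits(cw, positions):
    """Simulate disturbance errors by flipping the given codeword bits."""
    for pos in positions:
        cw ^= 1 << pos
    return cw


if __name__ == "__main__":
    word = 0xDEADBEEFCAFEBABE          # constructed sample value
    cw = encode(word)
    print("clean:    ", decode(cw))
    print("one flip: ", decode(flip_bits(cw, [17])))
    print("two flips:", decode(flip_bits(cw, [5, 40])))
```

The guarantee is exactly what the name says: one flipped bit per 72-bit word is silently repaired, two are reported (a real memory controller would raise a machine-check or log an uncorrectable error), and three or more flips in the same word can go undetected or be miscorrected. Monitoring the count of corrected errors the controller reports is therefore the practical signal that a module is under disturbance, since a rising corrected-error rate precedes an uncorrectable one.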

In addition, as noted by Dyadic Security expert Irene Abezgauz, for a variety of reasons, the attack developed by Google is currently more theoretical than practical.

Firstly, it can only be carried out locally, not remotely, a limitation that seriously reduces the usefulness of this technique to “ordinary” hackers. Secondly, carrying out a Rowhammer attack requires more than 540 thousand memory accesses within 64 milliseconds, which makes the attack harder to pull off.

In their publication, the Google researchers do not name the manufacturers of the computers or memory whose products can be attacked with the developed exploit, nor give details of the success rate. However, the post contains a table anonymously listing 29 memory modules and laptop models. Of these 29, bit flips were observed on only 15. Moreover, only 13% of the observed bit flips could be used to exploit the vulnerability.

Nevertheless, exploiting physical weaknesses of the hardware is a new type of computer attack, and one that is rather difficult to defend against.

David Kanter of Microprocessor Report describes the problem like this:

This is not about software, where you can create a patch and distribute it through a system update to most users in a couple of weeks. Here, in order to truly cope with the problem, you need to replace DRAM modules worth billions of dollars. From a practical point of view, this is not feasible.

Source: https://habr.com/ru/post/252991/
