A new class of Rowhammer attacks on DRAM chips bypasses the existing software-based defenses, even when those defenses are combined.
New attack methods can bypass a combination of defenses against Rowhammer, according to research by Daniel Gruss, Moritz Lipp, Michael Schwarz, Jonas Juffinger, and Wolfgang Schoechl from Graz University of Technology, Daniel Genkin from University of Pennsylvania and University of Maryland, and Sioli O’Connell from University of Adelaide and Yuval Yarom from University of Adelaide and Data61.
In March 2015, Google's Project Zero demonstrated that the Rowhammer issue, which affects some dynamic random-access memory (DRAM) chips, could be exploited to gain kernel privileges on Linux systems. Although the problem was known as early as 2012, it was not publicly documented until 2014.
DRAM cells are arranged in a grid of rows and columns, and as chips have shrunk, the cells have become smaller and packed closer together. This makes it harder to keep neighbouring cells from electrically interfering with each other: repeatedly accessing (hammering) one row of memory can flip bits in physically adjacent rows.
Earlier research proposed two software-based mitigation techniques: a bootloader extension that detects and disables vulnerable memory, and an allocation policy that keeps at least one guard row between any row the attacker controls and the row storing the targeted data.
“We present novel Rowhammer attack and exploitation primitives, showing that even a combination of all defenses is ineffective,” the researchers said in their paper on the subject.
“Our new attack technique, one-location hammering, breaks previous assumptions on requirements for triggering the Rowhammer bug, i.e., we do not hammer multiple DRAM rows but only keep one DRAM row constantly open,” the researchers said. “Our new exploitation technique, opcode flipping, bypasses recent isolation mechanisms by flipping bits in a predictable and targeted way in userspace binaries. We replace conspicuous and memory-exhausting spraying and grooming techniques with a novel reliable technique called memory waylaying. Memory waylaying exploits system-level optimizations and a side channel to coax the operating system into placing target pages at attacker-chosen physical locations. Finally, we abuse Intel SGX to hide the attack entirely from the user and the operating system, making any inspection or detection of the attack infeasible.
“Our Rowhammer enclave can be used for coordinated denial-of-service attacks in the cloud and for privilege escalation on personal computers,” the researchers said. “We demonstrate that our attacks evade all previously proposed countermeasures for commodity systems.”
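To make the access patterns concrete, here is a small C sketch, written for this article and not taken from the paper or the researchers' code, that contrasts the classic two-address hammering loop with the one-location pattern the paper describes (a single address read and flushed over and over so its row stays open), plus a scan that counts bits that no longer match the fill pattern. The function names, the 8 MiB buffer size and the iteration counts are this example's own choices. It deliberately leaves out what a real attack needs on top of this: knowledge of the DRAM address mapping so the hammered address lands in the right bank and row, physically adjacent victim rows, and far more iterations than a quick run performs, so on most machines it will report zero flips. The cache-line flush uses the x86 `clflush` instruction; on other architectures the flush is a no-op and the loop only hits the cache, which is exactly why hammering without a flush (or equivalent eviction) does nothing.

```c
/* Example added for this article: hammering loops and a bit-flip scan.
 * Not the paper's code. Names and sizes are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>
#define FLUSH(p) _mm_clflush((const void *)(p))
#else
/* No clflush here: the loop will be served from cache and never
 * touch DRAM, so it cannot trigger Rowhammer at all. */
#define FLUSH(p) ((void)(p))
#endif

#define BUF_SIZE (8u << 20) /* 8 MiB; chosen for this example */

/* Fill the region with a known pattern so flips are detectable. */
void fill(uint8_t *buf, size_t n, uint8_t pattern) { memset(buf, pattern, n); }

/* Classic (double-sided) hammering: alternate between two addresses,
 * ideally in different rows of the same bank, so each access forces
 * the row buffer to switch. Flush after every read so the next read
 * really goes to DRAM. Returns the sum of bytes read so the loads
 * cannot be optimised away. */
uint64_t hammer_double(volatile uint8_t *a, volatile uint8_t *b, unsigned long iters) {
    uint64_t sum = 0;
    for (unsigned long i = 0; i < iters; i++) {
        sum += *a;
        sum += *b;
        FLUSH(a);
        FLUSH(b);
    }
    return sum;
}

/* One-location hammering, as described in the paper: repeatedly read
 * and flush a single address so that one row is kept open; no second
 * address is needed. */
uint64_t hammer_one_location(volatile uint8_t *a, unsigned long iters) {
    uint64_t sum = 0;
    for (unsigned long i = 0; i < iters; i++) {
        sum += *a;
        FLUSH(a);
    }
    return sum;
}

/* Count bits that differ from the fill pattern anywhere in the region. */
size_t count_flips(const uint8_t *buf, size_t n, uint8_t pattern) {
    size_t flips = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned d = (unsigned)(buf[i] ^ pattern);
        while (d) { flips += d & 1u; d >>= 1; }
    }
    return flips;
}

int main(void) {
    uint8_t *buf = malloc(BUF_SIZE);
    if (!buf) return 1;
    const uint8_t pattern = 0xFF; /* all ones: a flip shows up as a zero bit */
    fill(buf, BUF_SIZE, pattern);

    /* Iteration counts are kept low so the example finishes quickly;
     * real attacks run millions of accesses per refresh interval. */
    hammer_one_location(buf + BUF_SIZE / 2, 100000);
    hammer_double(buf + BUF_SIZE / 4, buf + (3 * BUF_SIZE) / 4, 100000);

    printf("bit flips detected: %zu\n", count_flips(buf, BUF_SIZE, pattern));
    free(buf);
    return 0;
}
```

Build with `gcc -O2` (the `FLUSH` macro relies on `clflush`, which is available on any x86-64 build). The scan function is the part worth keeping: the defenses quoted above assume an attacker must hammer rows adjacent to the target, and the paper's one-location variant is precisely the case where a detector looking for alternating two-row access patterns would see nothing.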