Security researchers have come up with a variation of the Rowhammer attack that bypasses all previously proposed countermeasures.
The term Rowhammer is used to describe a security exploit that takes advantage of the fact that hardware vendors, in the chase for bigger memories and smaller-sized components, are cramming too many memory cells together on the same boards.
Researchers discovered that an attacker could bombard rows of RAM memory cells with constant read-write operations, causing the cells to change their electrical charge. This flips the stored data bits from 1 to 0 and vice versa, altering the information stored in a computer's memory.
Attackers can use this attack to deliver malicious code that alters normal OS behavior to escalate the attacker's privileges, root devices, or cause denial-of-service states to crucial services, such as security software.
Details about the Rowhammer attack came to light in 2014, and newer research on the topic has been published on a steady basis ever since. Researchers discovered that:
The wide range of attacks and intensive research into this topic has caused hardware vendors to react, and they slowly introduced various countermeasures:
The intense focus on these attacks has even led Intel to revamp a part of its CPU architecture to prevent Rowhammer and similar side-channel attacks.
Now, in a new paper published on Monday, some researchers who worked on previous Rowhammer exploits say they found a way to launch attacks capable of bypassing all recent mitigations put in place by hardware vendors.
The trick, according to researchers, is to narrow down the Rowhammer data bombardment to one single row of memory cells, instead of multiple locations.
"We do not hammer multiple DRAM rows but only keep one DRAM row constantly open," researchers explain. "Our new exploitation technique [...] bypasses recent isolation mechanisms by flipping bits in a predictable and targeted way in userspace binaries."
"With a slow-down factor of only 3.3, it is still on par with previous (now mitigated) techniques," the team said, pointing out that this new attack will take more time to carry out than before.
According to test results, a revised Rowhammer attack can take between 44.4 and 137.8 hours, but this shouldn't be a problem if an attacker targets online servers and cloud providers, most of which have 99.9% uptime.
In a test for their paper, researchers said they abused Intel SGX (Software Guard Extensions) — a security feature of Intel processors — "to hide the attack entirely from the user and the operating system, making any inspection or detection of the attack infeasible."
The new revised Rowhammer attack can still be used for denial-of-service attacks on cloud environments, as well as for privilege escalation on personal computers.
More details are available in a research paper entitled "Another Flip in the Wall of Rowhammer Defenses."
Earlier this year, another team of researchers showed that an attacker could also carry out a Rowhammer-like attack on SSD drives. That attack is neither identical nor directly related to Rowhammer, but it relies on the same underlying principles.