Rowhammer

Security researchers have come up with a variation of the Rowhammer attack that bypasses all previously proposed countermeasures.

The term Rowhammer describes a security exploit that takes advantage of the fact that hardware vendors, in the chase for bigger memories and smaller components, are packing memory cells ever closer together on the same chips.

Researchers discovered that an attacker could bombard rows of RAM cells with constant read-write operations, causing cells in neighboring rows to leak their electrical charge. This flips the stored data bits from 1 to 0 and vice-versa, altering the information held in a computer's memory.

Attackers can use this attack to deliver malicious code that alters normal OS behavior to escalate the attacker's privileges, root devices, or cause denial-of-service states to crucial services, such as security software.

Rowhammer attacks can cause a lot of damage

Details about the Rowhammer attack came to light in 2014, and newer research on the topic has been published on a steady basis ever since. Researchers discovered that:

- Rowhammer attacks work against DDR3 and DDR4 memory modules
- attackers can carry out Rowhammer attacks via mundane JavaScript and not necessarily via specialized malware
- they could take over Windows machines by attacking Edge with a Rowhammer attack
- they could use Rowhammer to take over Linux-based virtual machines installed at cloud hosting providers
- they could use a Rowhammer attack to root Android devices

The wide range of attacks and intensive research into this topic has caused hardware vendors to react, and they slowly introduced various countermeasures:

- Monitoring CPU performance counters for frequent accesses to DRAM cells
- Monitoring memory access patterns for unusually high-frequency accesses of memory cells in the same DRAM bank
- Static analysis of binary code for common Rowhammer code patterns
- Preventing abuse of memory exhaustion pages
- Physically isolating user and kernel memory cells through the memory allocator, preventing Rowhammer attack code from affecting kernel memory pages
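The second countermeasure in the list above, watching for unusually frequent accesses to the same DRAM bank and row, can be illustrated with a small monitor. The following is an added example written for this page, not code from the article or from the paper it reports on. It assumes a sampled trace of (timestamp, physical address) pairs such as a performance-counter sampling tool could provide, and it uses a constructed, hypothetical physical-address-to-bank/row mapping; real memory controllers use undocumented, vendor-specific address functions, so the bit positions below are placeholders.

```python
"""Toy DRAM row-access monitor (added example, not from the article).

Counts accesses per (bank, row) inside a sliding time window and flags rows
whose access rate looks like hammering.  The address decoding is a hypothetical
mapping chosen for illustration only.
"""
from collections import defaultdict, deque

# Hypothetical address mapping (assumption, not a real controller's function):
# bits 13..15 select one of 8 banks, bits 16 and up select the row,
# the low 13 bits index within the row.
BANK_SHIFT = 13
BANK_MASK = 0x7
ROW_SHIFT = 16

# One DRAM refresh interval is about 64 ms; a row must be hammered many
# thousands of times inside that interval to disturb its neighbours, so a
# per-row count over a 64 ms window is a natural detection unit.
WINDOW_NS = 64_000_000
THRESHOLD = 50_000   # constructed cut-off for this illustration


def decode(phys_addr):
    """Map a physical address to (bank, row) under the hypothetical mapping."""
    bank = (phys_addr >> BANK_SHIFT) & BANK_MASK
    row = phys_addr >> ROW_SHIFT
    return bank, row


def detect_hammering(events, window_ns=WINDOW_NS, threshold=THRESHOLD):
    """events: iterable of (timestamp_ns, phys_addr) sorted by timestamp.

    Returns a sorted list of (bank, row) pairs that received at least
    `threshold` accesses within some window of `window_ns` nanoseconds.
    """
    recent = defaultdict(deque)   # (bank, row) -> timestamps inside the window
    flagged = set()
    for ts, addr in events:
        key = decode(addr)
        q = recent[key]
        q.append(ts)
        # drop timestamps that have fallen out of the window
        while q and ts - q[0] > window_ns:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)
    return sorted(flagged)


def synthetic_trace():
    """Constructed sample trace: scattered benign accesses plus one hammered row."""
    events = []
    # benign traffic: 2000 accesses spread over 64 rows of bank 0, 1 us apart
    for i in range(2000):
        addr = ((i % 64) << ROW_SHIFT) | ((i * 64) & 0x1FFF)
        events.append((i * 1000, addr))
    # hammering: row 0x1234 of bank 3 hit 60,000 times in 60 ms
    hot = (0x1234 << ROW_SHIFT) | (3 << BANK_SHIFT)
    for i in range(60_000):
        events.append((i * 1000, hot))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    suspects = detect_hammering(synthetic_trace())
    for bank, row in suspects:
        print(f"suspicious access rate: bank {bank} row {row:#x}")
```

Running the block on the constructed trace reports only bank 3, row 0x1234; the benign rows each see a few dozen accesses per window and stay below the cut-off. The per-row count is exactly the heuristic the list describes, and the article goes on to say that the new single-row variant was designed to evade the mitigations that vendors deployed, so treat this as an illustration of the heuristic rather than a proven defense.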

The obsession with the attacks has even led Intel to revamp a part of its CPU architecture to prevent the Rowhammer and similar side-channel attacks.

New Rowhammer attack variation published

Now, in a new paper published on Monday, some researchers who worked on previous Rowhammer exploits say they found a way to launch attacks capable of bypassing all recent mitigations put in place by hardware vendors.

The trick, according to researchers, is to narrow down the Rowhammer data bombardment to one single row of memory cells, instead of multiple locations.

"We do not hammer multiple DRAM rows but only keep one DRAM row constantly open," researchers explain. "Our new exploitation technique [...] bypasses recent isolation mechanisms by flipping bits in a predictable and targeted way in userspace binaries."

"With a slow-down factor of only 3.3, it is still on par with previous (now mitigated) techniques," the team said, pointing out that this new attack takes more time to carry out than before.

According to test results, a revised Rowhammer attack can take between 44.4 and 137.8 hours, but this shouldn't be a problem if an attacker targets online servers and cloud providers, most of which have 99.9% uptime.

[Image: Rowhammer attack time]

Researchers use Rowhammer to bypass Intel SGX

In a test for their paper, researchers said they abused Intel SGX (Software Guard Extensions) — a security feature of Intel processors — "to hide the attack entirely from the user and the operating system, making any inspection or detection of the attack infeasible."

The revised Rowhammer attack can still be used for denial-of-service attacks on cloud environments, as well as for privilege escalation on personal computers.

More details are available in a research paper entitled "Another Flip in the Wall of Rowhammer Defenses."

Earlier this year, another team of researchers showed that an attacker could carry out a Rowhammer-like attack on SSD drives as well. That attack is neither identical nor directly related, but it relies on the same principles behind Rowhammer.