Five academics from the Vrije Universiteit in Amsterdam and one from the University of Cyprus have discovered a way to launch Rowhammer attacks via network packets and network cards.
Their discovery makes Rowhammer attacks easier and much more convenient to launch, as an attacker only needs to bombard a victim's network card with specially crafted packets.
Researchers named their new Rowhammer attack method Throwhammer, which they've detailed today in a research paper entitled "Throwhammer: Rowhammer Attacks over the Network and Defenses."
Some might argue that Throwhammer shouldn't be possible in the first place. Rowhammer attacks, which are the basis of Throwhammer, work by leaking memory addresses and then hammering a row of memory cells to induce 0/1 bit flips in nearby memory cells, thereby modifying data stored inside a computer's RAM.
Throwhammer is possible because data sent to a network card is cached inside the RAM, so a stream of incoming packets produces the same effect.
But not all network cards can handle the large amount of incoming traffic needed to cause Rowhammer bit flips. Researchers say that only RDMA-enabled network cards are vulnerable.
RDMA stands for Remote Direct Memory Access, a technology that exposes a computer's memory directly over a network without involving the CPU and the machine's OS, which lets RDMA-enabled cards process more packets than older network cards.
RDMA-enabled network cards are a common occurrence in large computer clusters, and especially in cloud computing data centers.
"Modern NICs are able to transfer large amounts of network traffic to remote memory. In our experimental setup, we observed bit flips when accessing memory 560,000 times in 64 ms, which translates to 9 million accesses per second," researchers wrote in the Throwhammer paper.
"Even regular 10 Gbps Ethernet cards can easily send 9 million packets per second to a remote host that end up being stored on the host’s memory," researchers said, pointing out that an attacker doesn't necessarily need a fast network connection to carry out the attack, but only the presence of an RDMA-enabled network card.
For the experimental part of their paper, researchers say they were able to cause bit flips in a remote Memcached server just by using network packets (the Throwhammer attack) and without needing any user actions (as was required with the classical Rowhammer).
"To our knowledge, this is the first reported case of a Rowhammer attack over the network," researchers said. However, the Throwhammer attack is not something that any cloud provider will put at the top of its threat list.
The attack is highly theoretical, and it needs many special conditions and lots of work to craft Throwhammer network packets that would induce very precise bit flips to further execute even more precise commands on remote cloud servers or personal computers. This puts such an attack out of reach for many threat actors.
Furthermore, researchers argue that cloud providers could easily protect against these attacks by putting special "guard zones" around the memory addresses where the RDMA buffer/cache is usually written, hence preventing bit flips from affecting any sensitive information.
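The guard-zone idea described above, sketched as an added example (not code from the Throwhammer paper or from any cloud provider): an allocator pads an RDMA buffer with unused rows so that no address it hands out shares or neighbours a row the network card writes to. The linear row mapping, `ROW_BYTES`, `GUARD_ROWS` and all function names are assumptions; real DRAM controllers interleave addresses across banks and channels, so the row mapping has to be known for the platform.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumptions for illustration, not taken from the paper: DRAM rows map
 * linearly onto physical addresses, ROW_BYTES per row, and disturbance
 * reaches at most GUARD_ROWS rows from a hammered row. */
#define ROW_BYTES  8192u
#define GUARD_ROWS 1u

struct dma_region {              /* hypothetical layout record */
    uint64_t guard_lo;           /* first byte of the lower guard zone */
    uint64_t buf_start;          /* first byte the NIC may write */
    uint64_t buf_end;            /* one past the last NIC-writable byte */
    uint64_t guard_hi;           /* one past the upper guard zone */
};

/* Place a row-aligned buffer of len bytes inside [pool, pool + pool_len),
 * padded by GUARD_ROWS unused rows on each side. False if it does not fit. */
bool carve_dma_region(uint64_t pool, uint64_t pool_len, uint64_t len,
                      struct dma_region *out)
{
    if (len == 0 || out == NULL)
        return false;
    uint64_t first_row = (pool + ROW_BYTES - 1) / ROW_BYTES; /* round up */
    uint64_t buf_rows  = (len + ROW_BYTES - 1) / ROW_BYTES;
    uint64_t end = (first_row + buf_rows + 2 * GUARD_ROWS) * ROW_BYTES;
    if (end > pool + pool_len)
        return false;
    out->guard_lo  = first_row * ROW_BYTES;
    out->buf_start = out->guard_lo + GUARD_ROWS * ROW_BYTES;
    out->buf_end   = out->buf_start + buf_rows * ROW_BYTES;
    out->guard_hi  = end;
    return true;
}

/* True if addr lies in a buffer row or within GUARD_ROWS rows of one. */
bool exposed_to_dma_rows(const struct dma_region *r, uint64_t addr)
{
    uint64_t row = addr / ROW_BYTES;
    uint64_t lo = r->buf_start / ROW_BYTES, hi = (r->buf_end - 1) / ROW_BYTES;
    return row + GUARD_ROWS >= lo && row <= hi + GUARD_ROWS;
}

/* True if the allocator may place other data at addr. */
bool allocatable(const struct dma_region *r, uint64_t addr)
{
    return addr < r->guard_lo || addr >= r->guard_hi;
}
```

The property to check on a real system is the one the last two functions express together: no address that is allocatable is also exposed to rows the NIC writes.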
Nonetheless, compared to previous Rowhammer attacks, Throwhammer is by far the most dangerous of them all, mainly due to its no-user-interaction-needed modus operandi. Previous research on the topic includes discoveries like: