Five academics from the Vrije University in Amsterdam and one from the University of Cyprus have discovered a way for launching Rowhammer attacks via network packets and network cards.

Their discovery makes Rowhammer attacks easier and much more convenient to launch, as an attacker only needs to bombard a victim's network card with specially-crafted packets.

This is much simpler than previous Rowhammer attacks that required that the attacker infected the victim with malware or tricked victims into accessing malicious websites, where they'd load the Rowhammer attack code hidden inside the site's JavaScript.

Researchers named their new Rowhammer attack method Throwhammer, which they've detailed today in a research paper entitled "Throwhammer: Rowhammer Attacks over the Network and Defenses."

Throwhammer is Rowhammer via network cards

Some might argue that Throwhammer shouldn't be possible in the first place. Rowhammer attacks —which are at the base of Throwhammer— work by leaking memory addresses and then hammering a row of memory cells to induce 0/1 bit flips in nearby memory cells, and hence, modify data stored inside a computer's RAM.

Throwhammer is possible because data sent to a network card is cached inside the RAM, hence producing the same effect.

But not all network cards can handle the large amount of incoming traffic needed to cause Rowhammer bit flips. Researchers say that only RDMA-enabled network cards are vulnerable.

RDMA stands for Remote Direct Memory Access, a technology that exposes a computer's memory directly over a network without involving the CPU and the machine's OS, hence being able to process more packets than older network cards.

RDMA-enabled network cards are a common occurrence in large computer clusters, and especially in cloud computing data centers.

Network bandwidth not a dealbreaker for Throwhammer

"Modern NICs are able to transfer large amounts of network traffic to remote memory. In our experimental setup, we observed bit flips
when accessing memory 560,000 times in 64 ms, which translates to 9 million accesses per second," researchers wrote in the Throwhammer paper.

"Even regular 10 Gbps Ethernet cards can easily send 9 million packets per second to a remote host that end up being stored on the host’s memory," researchers said, pointing out that an attacker doesn't necessarily need a fast network connection to carry out the attack, but only the presence of an RDMA-enabled network card.

For the experimental part of their paper, researchers say they were able to cause bit flips in a remote Memcached server just by using network packets (the Throwhammer attack) and without needing any user actions (as was required with the classical Rowhammer).

Throwhammer can be mitigated

"To our knowledge, this is the first reported case of a Rowhammer attack over the network," researchers said. However, the Throwhammer attack is not something that any cloud provider will add at the top of its threat list.

The attack is highly theoretical, and it needs many special conditions and lots of work to craft Throwhammer network packages that would induce very precise bit flips to further execute even more precise commands on remote cloud servers or personal computers. This puts such an attack out of range for many threat actors.

Furthermore, researchers argue that cloud providers could easily protect against these attacks by putting special "guard zones" around the memory addresses where the RDMA buffer/cache is usually written, hence preventing bit flips from affecting any sensitive information.

Nonetheless, compared to previous Rowhammer attacks, Throwhammer is by far the most dangerous of them all, mainly due to its no-user-interaction-needed modus operandi. Previous research on the topic include discoveries like:

⊷ Rowhammer attacks work against DDR3 and DDR4 memory cards
⊷ Rowhammer attacks can be executed via mundane JavaScript and not necessarily via specialized malware
⊷ Rowhammer attacks can take over Windows machines by attacking the Edge browser
⊷ Rowhammer attacks can take over Linux-based virtual machines installed in cloud hosting providers
⊷ Rowhammer attacks can root Android devices
⊷ Researchers bypassed bypass Rowhammer protections put in place after the disclosure of the first attacks
⊷ Rowhammer attacks can be launched with the help of GPU cards

Image credits: Disney, Marvel Studios

Related Articles:

New Attack Recovers RSA Encryption Keys from EM Waves Within Seconds

Skim Reaper Device Detects Wide Range of Skimmer Devices