New Rowhammer Attack Bypasses Existing Defenses

A group of security researchers has discovered a new type of attack that can exploit the Rowhammer vulnerability in DRAM chips that was uncovered several years ago, effectively bypassing existing defenses.


In a newly published paper (PDF), eight researchers from Graz University of Technology, the University of Pennsylvania and the University of Maryland, and the University of Adelaide reveal attack methods that can allegedly bypass even a combination of Rowhammer defenses.

In March 2015, Google demonstrated that the Rowhammer bug affects some dynamic random-access memory (DRAM) chips and can be exploited to gain kernel privileges on Linux systems. Although initially discovered in 2012, the issue was not documented until 2014.

Memory cells, arranged in a grid of rows and columns, are smaller and packed closer together in newer, higher-density DRAM chips. This makes it harder to prevent cells from electrically interacting with each other, so repeatedly accessing one row of memory can corrupt data in nearby rows.

In July 2015, a team of researchers from Austria and France demonstrated that Rowhammer can be exploited remotely using JavaScript. Although the researchers hadn’t developed a full root exploit at the time, they did warn that malicious actors could adapt Rowhammer exploits to gain root privileges.

Late last year, a team of researchers proposed two software-based mitigation techniques, claiming that they can even work against single-sided attacks. One is a bootloader extension to detect and disable vulnerable memory, while the other ensures that there is at least one row of memory between the row controlled by the attacker and the row storing the targeted data.

The newly published research paper proposes a novel attack technique called one-location hammering, which doesn’t target multiple DRAM rows, but focuses on keeping only one DRAM row constantly open. The exploitation technique, opcode flipping, can bypass isolation mechanisms by flipping bits in a predictable and targeted way in userspace binaries, the researchers say.
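The guard-row mitigation described above, and the reason opcode flipping gets around a user/kernel-only version of it, can be modelled with a small allocator policy check. This is an added example, not code from the paper or from SecurityWeek; it assumes a simplified linear mapping of physical addresses to 8 KiB DRAM rows and a constructed page layout, both labelled in the code.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed simplification: each DRAM row holds 8 KiB of contiguous physical memory.
# Real controllers interleave channels and banks; this mapping is an assumption, not the paper's.
ROW_BYTES = 8 * 1024

def phys_to_row(phys_addr: int) -> int:
    return phys_addr // ROW_BYTES

@dataclass(frozen=True)
class Page:
    phys_addr: int
    owner: str  # 'attacker', 'kernel' or 'shared_binary' (code page of a setuid binary)

def isolation_violations(pages: List[Page], protected: Set[str]) -> List[Tuple[int, int]]:
    """Return (attacker_row, protected_row) pairs with no guard row between them.
    Sharing a row, or sitting in a directly neighbouring row, counts as a violation."""
    rows: Dict[int, Set[str]] = {}
    for p in pages:
        rows.setdefault(phys_to_row(p.phys_addr), set()).add(p.owner)
    bad = []
    for row, owners in rows.items():
        if 'attacker' not in owners:
            continue
        for neighbour in (row - 1, row, row + 1):
            if protected & rows.get(neighbour, set()):
                bad.append((row, neighbour))
    return sorted(bad)

SAMPLE_LAYOUT = [  # constructed layout; the physical addresses are made up
    Page(0x28000, 'attacker'),       # row 20
    Page(0x2A000, 'attacker'),       # row 21
    Page(0x2E000, 'kernel'),         # row 23; row 22 is left empty as the guard row
    Page(0x26000, 'shared_binary'),  # row 19, directly next to attacker row 20
]

def violations_kernel_only() -> List[Tuple[int, int]]:
    # User/kernel isolation as in the earlier mitigation: only kernel rows are protected.
    return isolation_violations(SAMPLE_LAYOUT, {'kernel'})  # returns []

def violations_including_binaries() -> List[Tuple[int, int]]:
    # Opcode flipping targets userspace binaries, so their rows need the same guard.
    return isolation_violations(SAMPLE_LAYOUT, {'kernel', 'shared_binary'})  # returns [(20, 19)]

def violations_without_guard_row() -> List[Tuple[int, int]]:
    # Move the kernel page one row down (0x2C000 is row 22): it now touches attacker row 21.
    layout = [Page(0x2C000, 'kernel') if p.owner == 'kernel' else p for p in SAMPLE_LAYOUT]
    return isolation_violations(layout, {'kernel'})  # returns [(21, 22)]
```

The same layout passes a kernel-only policy and fails once userspace binaries are included, which is the gap opcode flipping exploits.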

“We replace conspicuous and memory-exhausting spraying and grooming techniques with a novel reliable technique called memory waylaying. Memory waylaying exploits system-level optimizations and a side channel to coax the operating system into placing target pages at attacker chosen physical locations,” the researchers explain.

By abusing Intel SGX, the team also managed to hide the attack from the user and the operating system, thus evading all detection attempts. According to the paper, the abused Rowhammer enclave can be leveraged both for denial of service attacks in the cloud and for privilege escalation on personal computers.

The new method, the paper reveals, can evade all existing defenses, including static analysis, monitoring of CPU performance counters, monitoring for unusually high-frequency memory access patterns, preventing abuse of memory exhaustion, and using a memory allocator to physically isolate user and kernel memory cells.

Related: Researchers Propose Software Mitigations for Rowhammer Attacks

Related: Researchers Show DRAM “Rowhammer” Bug Can Be Exploited Remotely

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
