SecurityWeek

Vulnerabilities

New Rowhammer Attack Bypasses Existing Defenses

A group of security researchers has discovered a new type of attack that can exploit the Rowhammer vulnerability in DRAM chips that was uncovered several years ago, effectively bypassing existing defenses.

In a newly published paper (PDF), eight researchers from Graz University of Technology, the University of Pennsylvania, the University of Maryland, and the University of Adelaide reveal attack methods that can allegedly bypass even a combination of defenses against Rowhammer.

In March 2015, Google demonstrated that the Rowhammer bug affects some dynamic random-access memory (DRAM) chips and can be exploited to gain kernel privileges on Linux systems. Although initially discovered in 2012, the issue was not documented until 2014.

Memory cells, which are arranged in a grid pattern of rows and columns, are smaller and placed closer together in newer DRAM chips, which have become smaller in size. Thus, it is more difficult to prevent cells from electrically interacting with each other, and repeatedly accessing a row of memory can cause data to become corrupt in nearby rows.

In July 2015, a team of researchers from Austria and France demonstrated that Rowhammer can be exploited remotely using JavaScript. Although the researchers hadn’t developed a full root exploit at the time, they did warn that malicious actors could adapt Rowhammer exploits to gain root privileges.

Late last year, a team of researchers proposed two software-based mitigation techniques, claiming that they can even work against single-sided attacks. One is a bootloader extension to detect and disable vulnerable memory, while the other ensures that there is at least one row of memory between the row controlled by the attacker and the row storing the targeted data.

The newly published research paper proposes a novel attack technique called one-location hammering, which doesn’t target multiple DRAM rows, but focuses on keeping only one DRAM row constantly open. The exploitation technique, opcode flipping, can bypass isolation mechanisms by flipping bits in a predictable and targeted way in userspace binaries, the researchers say.

“We replace conspicuous and memory-exhausting spraying and grooming techniques with a novel reliable technique called memory waylaying. Memory waylaying exploits system-level optimizations and a side channel to coax the operating system into placing target pages at attacker chosen physical locations,” the researchers explain.

By abusing Intel SGX, the team also managed to hide the attack from the user and the operating system, thus evading all detection attempts. According to the paper, the abused Rowhammer enclave can be leveraged both for denial of service attacks in the cloud and for privilege escalation on personal computers.

The new method, the paper reveals, can evade all existing defenses, including static analysis, monitoring of CPU performance counters, monitoring of unusually high-frequency memory access patterns, preventing abuse of memory exhaustion, and using a memory allocator to physically isolate user and kernel memory cells.

Related: Researchers Propose Software Mitigations for Rowhammer Attacks

Related: Researchers Show DRAM “Rowhammer” Bug Can Be Exploited Remotely

Written By

Ionut Arghire is an international correspondent for SecurityWeek.