Connect with us

Hi, what are you looking for?



“Rowhammer” Flaw in DRAM Allows Privilege Escalation: Researchers

Researchers at Google’s Project Zero have demonstrated that a recently documented bug in some dynamic random-access memory (DRAM) chips can be exploited to gain kernel privileges on Linux systems.

Researchers at Google’s Project Zero have demonstrated that a recently documented bug in some dynamic random-access memory (DRAM) chips can be exploited to gain kernel privileges on Linux systems.

The flaw, dubbed “rowhammer,” has been known since at least 2012. However, the first time anyone discussed its security implications was in June 2014, when researchers at Carnegie Mellon University and Intel Labs published an experimental study on DRAM disturbance errors. Now, Google researchers have shown that the vulnerability is exploitable on Linux and possibly other systems for privilege escalation.

Memory cells are arranged in a grid pattern of rows and columns. DRAM chips have become smaller in size, but they have a larger capacity, which has been accomplished by making the cells smaller and placing them closer together.

The problem, according to experts, is that it has become more difficult to prevent cells from electrically interacting with each other. Researchers have demonstrated that repeatedly accessing a row of memory can cause data to become corrupt in nearby rows.

Project Zero has developed two proof-of-concept exploits that leverage this technique, known as bit flips. The first exploit is designed to escalate privileges and escape Native Client (NaCl), a sandboxing system designed for executing compiled code in the browser efficiently and securely.

Google has addressed the issue in Chrome, but researchers said it could have been possible for a NaCl app in the Chrome Web Store to gain kernel privileges by chaining this flaw with a kernel privilege escalation vulnerability.

The second exploit developed by Google researchers runs as an unprivileged x86-64 process on Linux and uses rowhammer-induced bit flips to gain kernel privileges. Researchers believe the exploit could be adapted for other operating systems as well.

Advertisement. Scroll to continue reading.

“We don’t know for sure how many machines are vulnerable to this attack, or how many existing vulnerable machines are fixable,” Google software engineer Mark Seaborn said in a blog post. “Our exploit uses the x86 CLFLUSH instruction to generate many accesses to the underlying DRAM, but other techniques might work on non-x86 systems too.”

Experts have created a rowhammer testing application (for Linux and Mac OS X), which they have used to analyze a total of 29 x86 laptops with DDR3 DRAM. Roughly half of them exhibited rowhammer-induced bit flips, but the absence of bit flips in this test doesn’t necessarily prove that the devices are not vulnerable, researchers said.

Some DRAM vendors have started implementing rowhammer mitigations in their products, and Google noticed that some of the newer laptop models did not exhibit bit flips. Mitigations are present in LPDDR4 and the attack doesn’t appear to work against ECC (error-correcting code) memory.

ECC memory is capable of correcting single bit flips, but according to Errata Security’s Robert Graham, successful attacks might still be possible if the attacker can get multiple bit flips.

“By itself, this bug may not endanger you. However, it’s much more dangerous when used within conjunction with other bugs. Browsers have ‘sand boxes’ that keep hackers contained even if the first layer of defense breaks. This may provide a way of escaping the sand box (sandbox escape) when used in conjunction with other exploits,” Graham wrote in a blog post.

Google researchers believe that while hardware bugs are less common than software bugs, hardware vendors should not neglect the security impact of flaws that appear to be reliability issues.

“We have shown two ways in which the DRAM rowhammer problem can be exploited to escalate privileges. History has shown that issues that are thought to be ‘only’ reliability issues often have significant security implications, and the rowhammer problem is a good example of this. Many layers of software security rest on the assumption the contents of memory locations don’t change unless the locations are written to,” Seaborn noted.

Cisco has already started investigating some potentially vulnerable products, but the company has pointed out that they contain a number of hardware protections against rowhammer attacks, including ECC memory modules.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.