DRAM Rowhammer Allows Hackers to Gain Kernel Privileges
Google’s “Project Zero” security initiative is bearing fruit, unearthing security issues we’ve never seen before, in hopes of getting them patched before the hacking community can begin to exploit them. In this instance, the hack has nothing to do with software, but with RAM, making it an exceptionally dangerous, exotic bug.
The technique, dubbed “Rowhammer” by Yoongu Kim in a paper titled “Flipping Bits in Memory Without Accessing Them,” should be considered an unintended side effect of accessing memory, rather than a proper bug. It relies on the physical structure of certain DRAM chips, the memory components of which are arrayed in rows. By repeatedly accessing one “row” of memory, you can sometimes alter an adjacent row. In other words, hammer one row of memory, and you can disturb and adjacent region, thus, its name.
As the title of this piece indicates, when done correctly, it can allow a hacker to gain kernel privileges, essentially giving them run of the entire machine.
Google’s Project Zero team tested a variety of laptops built between 2010 and 2014, using an assortment of DDR3 DRAM chips and found the vulnerability to be present in 15 of the 29 tested. Their report can be found here.
Manufacturers of these devices were aware of the problem but failed to report it or notify the public and instead regarded it as a simple reliability issue. The Google team, however, found a way to exploit the “reliability issue” to gain control of the machine. Their conclusion is that if the companies manufacturing these machines with “reliability issues” been more forthcoming, more attention would have been paid to the problem sooner and a patch or fix found. As it stands, they assumed that it would be too exotic and difficult to exploit.
One Bright Spot
The good news in this case is that DDR4 DRAM chips are not vulnerable to Rowhammer style attacks. The bad news is that there are a number of machines in service today, built between 2010 and 2014 using potentially-vulnerable DDR3 DRAM.
How Dangerous Is it?
It should be noted that the Google team was only able to gain kernel privileges using extraordinary techniques and exploits. This is not to say that it would be impossible for a determined hacker to do likewise, but in terms of threat level, this has to be regarded as fairly low. Is it cause for concern? Absolutely yes, because if such an attack were to succeed on your system a hacker could gain total control.
The best way to reduce your exposure to zero is to upgrade to DDR4 DRAM. Is it likely to be exploited? That is impossible to say, but the odds seem low. It is not outside the realm of possibility, but bugs like FREAK and Heartbleed from several months ago represent a much greater, more immediate threat and should be handled with greater urgency.
Kudos to the Google Project Zero team for bringing another security flaw to light. This one might not be as dire as some of the others we’ve seen in recent months, but it still bears further investigation.