Serious Rowhammer Attacks Can Now Be Carried Out Remotely – ExtremeTech



Over the past few years, we’ve seen an increasing number of hacks and exploits targeting fundamental properties of the underlying hardware rather than relying on software vulnerabilities. One such attack, Rowhammer, targets specific areas of memory and then hammers adjacent rows in an attempt to cause a bit flip in the target area. It’s a serious vulnerability, one that’s difficult to fully address, but it used to have a weak spot: local access. All previously known Rowhammer attack methods required privilege escalation, meaning the attacker had to have already found and exploited a weakness within the system. Unfortunately, that’s no longer true. Researchers have found that you can trigger a Rowhammer attack using network packets.

The reason Rowhammer attacks can now be launched remotely is that networks are fast enough to support the attack vector. In order to make Rowhammer work, you need to rapidly pound the same row of memory (here’s a more in-depth explanation of how Rowhammer works). The authors write:

Modern NICs are able to transfer large amounts of network traffic to remote memory. In our experimental setup, we observed bit flips when accessing memory 560,000 times in 64 ms, which translates to 9 million accesses per second. Even regular 10 Gbps Ethernet cards can easily send 9 million packets per second to a remote host that end up being stored on the host’s memory.



Rowhammer targets either the single purple row to flip the yellow bits, or both yellow rows to flip the purple bits.

Now, this might seem laughable, given how few people actually have access to 10GigE, but there’s more risk than one might think at first glance. As compute workloads move to the cloud, we’re effectively centralizing more data in large installations — installations that have access to, and can sustain, 10GigE transfer rates. The question of whether centralizing such data repositories with companies like Amazon and Microsoft is better or worse than keeping data locally in-house depends on how good your security team is and what kind of protections they implement. But according to the team at VU Amsterdam and the University of Cyprus, it’s possible to launch Rowhammer attacks using a commodity 10Gbps network and RDMA (Remote Direct Memory Access, used for high-speed, low-latency networking). These kinds of networks are also present in companies, universities, and other organizations — 10GigE is vanishingly rare in personal computing, but more common elsewhere.


As clocks and performance improved, exploits became possible.

I don’t want to overdraw the comparison between Rowhammer and Spectre/Meltdown, but if you’re thinking that this represents another class of attacks that works partly because of the performance improvements we’ve built into silicon, well, you wouldn’t be wrong. Writing DMA buffers quickly enough allows Rowhammer to flip bits in memory outside the protected DMA buffers, thereby compromising remote memcached servers without relying on any software bugs.


The team notes that our current Rowhammer defenses simply aren’t strong enough to protect against these types of attacks. ECC and Targeted Row Refresh aren’t foolproof, software defenses like ANVIL rely on performance counters that aren’t used for DMA access, and CATT only protects against user-space attacks. It’s possible to defend against this attack, however — it just requires a new approach to the problem. By constructing “guard zones” around the memory space allocated for DMA buffers, the Rowhammer attack can be mitigated.
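The guard-zone idea can be expressed as an allocator check. As an added example that is not code from the Throwhammer paper or from this article, the Python below places a DMA buffer in a toy DRAM bank and reports which rows outside the buffer a Rowhammer disturbance could still reach, with and without guard rows; the disturbance radius and the assumption that row index equals physical adjacency are constructed simplifications.

```python
# Added toy model (not from the Throwhammer paper or ExtremeTech): a DRAM bank
# as numbered rows, used to check whether the rows backing NIC DMA buffers sit
# close enough to other data for Rowhammer disturbance to reach it.
# Assumptions: hammering row r can flip bits in rows r-radius .. r+radius, and
# row index equals physical adjacency (real DRAM address mapping is not linear).
from dataclasses import dataclass, field


@dataclass
class Bank:
    num_rows: int
    dma_rows: set = field(default_factory=set)    # rows a remote peer can write via RDMA
    guard_rows: set = field(default_factory=set)  # sacrificial rows holding no data


def allocate_dma(num_rows: int, start: int, length: int, radius: int = 1,
                 guarded: bool = False) -> Bank:
    """Place a DMA buffer at rows [start, start+length). With guarded=True,
    reserve `radius` empty rows on each side: the "guard zone" mitigation."""
    if start < 0 or start + length > num_rows:
        raise ValueError("DMA buffer does not fit in the bank")
    bank = Bank(num_rows, set(range(start, start + length)))
    if guarded:
        for d in range(1, radius + 1):
            for g in (start - d, start + length - 1 + d):
                if 0 <= g < num_rows:  # buffers at the bank edge need fewer guards
                    bank.guard_rows.add(g)
    return bank


def exposed_rows(bank: Bank, radius: int = 1) -> set:
    """Rows outside both the DMA buffer and its guard zone that lie within
    `radius` of a DMA row. Non-empty means remote writes could disturb data the
    peer does not own, which is the precondition the article describes."""
    exposed = set()
    for r in bank.dma_rows:
        for v in range(r - radius, r + radius + 1):
            if 0 <= v < bank.num_rows and v not in bank.dma_rows \
                    and v not in bank.guard_rows:
                exposed.add(v)
    return exposed


def guard_overhead(bank: Bank) -> float:
    """Fraction of the bank spent on guard rows (the mitigation's memory cost)."""
    return len(bank.guard_rows) / bank.num_rows


if __name__ == "__main__":
    # Constructed sample: 16-row bank, 4-row DMA buffer starting at row 6.
    for guarded in (False, True):
        bank = allocate_dma(16, 6, 4, guarded=guarded)
        print(f"guarded={guarded}: exposed rows {sorted(exposed_rows(bank))}, "
              f"guard overhead {guard_overhead(bank):.3f}")
```

Note that a guard zone sized for a one-row disturbance radius leaves rows exposed if flips can reach two rows away, so the guard width has to match the worst disturbance distance measured on the actual hardware.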

The team has built a tool, dubbed Throwhammer, to test for bit flips in a target system and verify how vulnerable it is to this attack method, and expects to make it publicly available in the near future. The full results of their testing and mitigation research are available here.


