RAMBleed

from Wikipedia, the free encyclopedia

RAMBleed is a side-channel attack against neighboring cells of a semiconductor memory module, whereby bits in main memory (DRAM) can be read by other processes. This allows an attacker, for example, to circumvent security measures by first altering certain bits. A Rowhammer attack changes bits in the victim's memory; specifically, it changes the charge of the memory cell. RAMBleed, in contrast, does not use the Rowhammer effect for writing but for reading out memory cells. Because physical memory is shared by all processes on the system, all processes are at risk. The first such attack became known to the public in June 2019, published by Andrew Kwong, Daniel Genkin, Daniel Gruss and Yuval Yarom. The associated CVE number is CVE-2019-0174.

How it works

The capacity of semiconductor memory has grown for decades while the die area has stayed the same; the resulting cell density facilitates side-channel attacks. A RAMBleed attack is preceded by a Rowhammer attack:

Semiconductor memories are physically organized in rows. To access a row, its contents are copied into a small buffer (the row buffer), which is then accessed. Only when another row is accessed is the buffered row's state written back and the other row loaded into the row buffer. A processor uses the clflush instruction to deliberately evict data from its small intermediate memory, the cache, which forces the main memory to read and write rows back just as often. If one memory cell is accessed very often in alternation with another, the main memory must read and write the rows correspondingly often. Electric fields in the rows accessed by an attacker interact with neighboring rows. Charge "leaks", which can change the content of a neighboring cell. This leads to malfunctions such as crashes of programs or of the operating system or, in targeted attacks, to unauthorized access to the entire computer. In contrast to Rowhammer, RAMBleed does not require a permanent charge change in memory cells. Therefore semiconductor memory with internal error correction (ECC), as used in server computers, is not protected from RAMBleed.
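The following toy simulation is an added illustration, not code from the article or from the RAMBleed authors, of the difference the paragraph above draws between Rowhammer (writing into a victim's row) and RAMBleed (reading from an attacker-owned row). It models no real chip: the DRAM is a list of bit rows, the physical layout (secret rows directly above and below the attacker's sampling row) is simply assumed, and the disturbance rule (a cell flips toward its neighbours' charge only when both vertical neighbours hold the opposite value, with probability `p_flip`) is a constructed stand-in for the data-dependent flips the real attack relies on. The point it shows is that the victim's rows are never modified, so the victim has nothing to detect in its own data.

```python
"""Toy model of data-dependent Rowhammer bit flips and the RAMBleed read primitive.

Constructed for illustration only: it touches no real DRAM and models no real
chip, timing or refresh behaviour. Layout and flip rule are assumptions.
"""
import random
from typing import List, Tuple

Row = List[int]

# Constructed "secret": the bits in a victim row that an attacker wants to read.
SECRET = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1]


def make_dram(num_rows: int, row_len: int, fill: int = 1) -> List[Row]:
    """A tiny DRAM: a list of rows, each a list of 0/1 charge states."""
    return [[fill] * row_len for _ in range(num_rows)]


def hammer(dram: List[Row], victim: int, rng: random.Random, p_flip: float = 1.0) -> List[int]:
    """Simulated double-sided disturbance of row `victim` by rows victim-1 and victim+1.

    Assumed toy rule: a cell flips to its neighbours' value when BOTH vertical
    neighbours hold the opposite charge, with probability p_flip; otherwise it
    keeps its value. The aggressor rows themselves are never changed.
    Returns the columns that flipped.
    """
    above, target, below = dram[victim - 1], dram[victim], dram[victim + 1]
    flipped = []
    for col, cell in enumerate(target):
        if above[col] == below[col] != cell and rng.random() < p_flip:
            target[col] = above[col]
            flipped.append(col)
    return flipped


def rowhammer_write(rng: random.Random, p_flip: float = 1.0) -> Tuple[Row, Row]:
    """Classic Rowhammer: attacker-controlled aggressor rows corrupt the victim's
    data lying between them. Returns (victim row before, victim row after)."""
    dram = make_dram(3, len(SECRET))
    dram[0] = [0] * len(SECRET)   # attacker pattern in both aggressor rows
    dram[2] = [0] * len(SECRET)
    dram[1] = list(SECRET)        # the victim's data sits in the middle row
    before = list(SECRET)
    hammer(dram, 1, rng, p_flip)
    return before, dram[1]


def rambleed_read(rng: random.Random, trials: int = 1, p_flip: float = 1.0) -> Tuple[Row, bool]:
    """RAMBleed: the secret lies in the rows above and below an attacker-owned
    sampling row (assumed layout). The attacker fills its own row with ones,
    hammers, and reads back ONLY its own row: a cell that flipped to 0 reveals
    that the adjacent secret bit is 0. With p_flip < 1, repeating and majority
    voting recovers the bits. Returns (recovered bits, secret rows unchanged?)."""
    votes = [0] * len(SECRET)
    intact = True
    for _ in range(trials):
        dram = make_dram(3, len(SECRET))
        dram[0] = list(SECRET)          # secret above the sampling row
        dram[2] = list(SECRET)          # and below it
        dram[1] = [1] * len(SECRET)     # attacker-owned sampling row
        for col in hammer(dram, 1, rng, p_flip):
            votes[col] += 1
        # The victim's rows keep their content: nothing for the victim to notice.
        intact = intact and dram[0] == SECRET and dram[2] == SECRET
    recovered = [0 if 2 * v > trials else 1 for v in votes]
    return recovered, intact


if __name__ == "__main__":
    rng = random.Random(1)
    before, after = rowhammer_write(rng)
    print("Rowhammer  victim before:", before)
    print("Rowhammer  victim after: ", after, "(victim data corrupted)")
    bits, intact = rambleed_read(rng, trials=11, p_flip=0.9)
    print("RAMBleed   recovered:    ", bits, "correct:", bits == SECRET)
    print("RAMBleed   secret rows untouched:", intact)
```

Under the deterministic rule (`p_flip=1.0`) a single round recovers every secret bit; with a noisy rule the majority vote over several rounds does the same, while in both cases the rows holding the secret are identical before and after, which is why the article notes that error correction inside the memory module does not help against this kind of read-out.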

Practical use

Since the compromise of RAM is not tied to specific programs, a large number of attacks are possible. Unauthorized reading of the RSA key of OpenSSH 7.9 was demonstrated. In principle, however, any data stored in memory can be read this way. This does not mean that SSH in particular is insecure; any other encryption could have been attacked just as well. Unlike local computers to which only a single user has access, cloud environments are a potential target for RAMBleed.

Defense methods

In contrast to the Rowhammer attack, which ECC-capable RAM together with an ECC-capable CPU can make more difficult, RAMBleed cannot be fended off this way, since it does not require frequent charge changes: an attacker only needs to know that charge changes have occurred. At best, one can upgrade the memory to DDR4 and enable targeted row refresh (TRR) to make the attack more difficult.
