Rowhammer

from Wikipedia, the free encyclopedia

Rowhammer is a design flaw in DRAM memory modules that lets certain bits in main memory be changed without write access to them. In theory this allows an attacker to bypass security mechanisms by flipping specific bits. The first practical attack based on the effect became public in March 2015 through Mark Seaborn, Matthew Dempsky and Thomas Dullien. By his own account, Seaborn was able to exploit the flaw on 15 of the 29 laptops he tested.

How it works

Figure: by rapidly and repeatedly accessing the neighbouring rows (yellow), the contents of the victim row (purple) can be altered.

DRAM is physically organised in rows. To access memory, the row holding the data is first copied into a row buffer, from which the data is then read. Only when a different row is accessed is the buffered row written back and the new row loaded into the row buffer. If one memory address is accessed at a high rate, alternating with an address in another row, the memory has to activate and write back those rows just as often. Each activation disturbs the cells of physically adjacent rows that the attacker has no access to: charge leaks from their capacitors, and if a cell loses enough charge before its next refresh, its bit flips. The consequences range from malfunctions such as program or operating-system crashes and data corruption to, with targeted exploitation, full compromise of the machine.

In normal operation the Rowhammer effect is unlikely to occur, because memory accesses are served from the CPU cache and therefore do not reach DRAM at that rate. The x86 clflush instruction, however, lets a program deliberately evict a cache line. Used in a loop between the accesses, it forces every access to go to DRAM, so the rows really are activated and written back as often as the loop runs.

A program written by Mark Seaborn demonstrates that the Rowhammer effect really is a security hole. It hammers selected areas of main memory until a bit changes that the program itself has no write access to. Seaborn's program builds on earlier work by a research group at Carnegie Mellon University and Intel Labs.

Practical exploitation

Because the corruption happens in RAM and is not tied to a particular program, a wide range of attacks is possible. Seaborn demonstrated an attack on the NaCl sandbox of the Chrome browser and an escalation to root privileges on Linux. In July 2015 the researchers Gruss, Maurice and Mangard also attacked a system from JavaScript. Seaborn himself assumes that Linux is not the only operating system affected. In theory, breaking out of a virtual machine is also possible; that attack had not been demonstrated in practice at the time, but should be feasible on servers without error-correcting (ECC) memory (see Defense methods). In November 2018 the researchers Cojocar, Razavi, Giuffrida and Bos of the Vrije Universiteit Amsterdam showed that even ECC memory is not safe from (adapted) Rowhammer attacks.

NaCl

The NaCl sandbox validates machine code for dangerous instructions before it is executed. This is meant to make breaking out of the sandbox impossible, and is why the sandbox was previously considered safe. Rowhammer can alter the code after it has been validated; calling clflush continuously keeps the hammering accesses from being served by the cache. Newer versions of NaCl therefore no longer allow clflush. The missing filter in earlier versions is tracked as CVE-2015-0565. Seaborn also discusses further attack variants that do not need clflush, none of which had been implemented in practice at the time. He therefore advocates denying user programs the clflush instruction altogether; outside the kernel there are few reasons to use it.

Root privileges

Here bit flips are used to gain control over a page table of the attacker's own process. Once the attacker can write page-table entries, they can map, read and change all of physical memory.
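To show at the data-structure level why a single flipped bit in a page table matters, here is an added C example (not Seaborn's exploit code and not from the article). It uses the architectural x86-64 layout of a 4 KiB page-table entry; the sample entry value is constructed.

```c
/* pte_flip.c: what one flipped bit does to an x86-64 page-table entry.
 * PTE layout for 4 KiB pages: bit 0 P, 1 R/W, 2 U/S, 3 PWT, 4 PCD, 5 A,
 * 6 D, 7 PAT, 8 G, bits 12..51 physical frame number (PFN), bit 63 NX.
 * The sample entry below is constructed for illustration.
 * Build: gcc -O2 -o pte_flip pte_flip.c */
#include <stdint.h>
#include <stdio.h>

#define PTE_PFN_SHIFT 12
#define PTE_PFN_MASK  0x000FFFFFFFFFF000ULL

typedef enum {
    FLD_PRESENT, FLD_WRITABLE, FLD_USER, FLD_CACHING, FLD_ACCESSED,
    FLD_DIRTY, FLD_PAT, FLD_GLOBAL, FLD_OTHER, FLD_PFN, FLD_NX
} pte_field;

static const char *field_name[] = {
    "present", "writable", "user-accessible", "caching (PWT/PCD)", "accessed",
    "dirty", "PAT", "global", "ignored/reserved", "physical frame number",
    "no-execute"
};

/* Which field of a 4 KiB PTE does a given bit position belong to? */
pte_field pte_field_of_bit(int bit)
{
    switch (bit) {
    case 0:  return FLD_PRESENT;
    case 1:  return FLD_WRITABLE;
    case 2:  return FLD_USER;
    case 3: case 4: return FLD_CACHING;
    case 5:  return FLD_ACCESSED;
    case 6:  return FLD_DIRTY;
    case 7:  return FLD_PAT;
    case 8:  return FLD_GLOBAL;
    case 63: return FLD_NX;
    default: return (bit >= 12 && bit <= 51) ? FLD_PFN : FLD_OTHER;
    }
}

uint64_t pte_pfn(uint64_t pte)           { return (pte & PTE_PFN_MASK) >> PTE_PFN_SHIFT; }
uint64_t pte_flip(uint64_t pte, int bit) { return pte ^ (1ULL << bit); }

/* Constructed sample: present, writable, user page mapping frame 0x1234. */
uint64_t sample_pte(void) { return (0x1234ULL << PTE_PFN_SHIFT) | 0x7; }

/* A flip in the PFN field silently re-points the virtual page to another
 * physical frame, 2^(bit-12) frames up or down. That is the case an
 * attacker wants: if the new frame happens to hold one of the process's
 * own page tables, the process can now write page-table entries itself. */
long pfn_delta_frames(uint64_t pte, int bit)
{
    return (long)pte_pfn(pte_flip(pte, bit)) - (long)pte_pfn(pte);
}

int main(void)
{
    uint64_t pte = sample_pte();
    printf("sample PTE %016llx maps frame 0x%llx\n",
           (unsigned long long)pte, (unsigned long long)pte_pfn(pte));
    for (int bit = 0; bit < 64; bit++) {
        pte_field f = pte_field_of_bit(bit);
        printf("flip bit %2d: %-22s", bit, field_name[f]);
        if (f == FLD_PFN)
            printf(" -> frame 0x%llx (%+ld frames)",
                   (unsigned long long)pte_pfn(pte_flip(pte, bit)),
                   pfn_delta_frames(pte, bit));
        printf("\n");
    }
    return 0;
}
```

Flips outside the PFN field matter too: clearing bit 2 makes the page kernel-only, clearing bit 0 unmaps it, setting bit 1 on a read-only mapping makes it writable. Seaborn's exploit relies on the PFN case, which is why his program sprays memory with page tables so that a random PFN flip is likely to land on one of them.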

JavaScript

In July 2015 Gruss, Maurice and Mangard managed to trigger the Rowhammer effect from JavaScript. The attack does not rely on any special JavaScript functions, but on emulating clflush through targeted memory accesses that evict the aggressor addresses from the cache. The same approach can most likely be applied to other languages. The researchers only demonstrated the attack in Mozilla Firefox, but again it is likely that it works similarly in other browsers. The implementation has since been published on GitHub.

Defense methods

Because the flaw exploits a property of the hardware, it cannot be fixed by simple software measures such as updating the virus scanner or the operating system. Error-correcting RAM (ECC memory modules) offers partial protection against a Rowhammer attack. For that, either the module must perform the correction itself or the ECC-capable RAM must be combined with an ECC-capable CPU. Standard ECC, however, only corrects a single flipped bit per protected word and detects two; three or more flips in the same word can be miscorrected or go unnoticed. Newer studies accordingly show that ECC RAM is vulnerable to Rowhammer as well.
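To make the limitation concrete, an added C example (not from the article and not the code any real DIMM uses): a scaled-down SECDED code, 4 data bits protected by 3 Hamming check bits and one overall parity bit, where real DRAM ECC protects 64-bit words with 8 check bits. The word size and bit layout are assumptions chosen for readability; the behaviour under one, two and three flips is the same in kind as for the real code.

```c
/* secded_demo.c: a scaled-down SECDED (single error correct, double error
 * detect) code. Toy size: 4 data bits + 3 Hamming check bits + 1 overall
 * parity bit (assumption for readability; DRAM ECC uses 64+8 bits).
 * Build: gcc -O2 -o secded_demo secded_demo.c */
#include <stdint.h>
#include <stdio.h>

enum { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 };

/* Codeword layout (Hamming(7,4) positions 1..7, overall parity in bit 0):
 *   bit 0:           P, overall parity over bits 1..7
 *   bits 1, 2, 4:    Hamming check bits p1, p2, p4
 *   bits 3, 5, 6, 7: data bits d0, d1, d2, d3 */
#define BIT(w, i) (((unsigned)(w) >> (i)) & 1u)

uint8_t secded_encode(uint8_t data)
{
    unsigned d0 = BIT(data, 0), d1 = BIT(data, 1), d2 = BIT(data, 2), d3 = BIT(data, 3);
    unsigned p1 = d0 ^ d1 ^ d3;              /* covers positions 1,3,5,7 */
    unsigned p2 = d0 ^ d2 ^ d3;              /* covers positions 2,3,6,7 */
    unsigned p4 = d1 ^ d2 ^ d3;              /* covers positions 4,5,6,7 */
    unsigned w = (p1 << 1) | (p2 << 2) | (d0 << 3) | (p4 << 4)
               | (d1 << 5) | (d2 << 6) | (d3 << 7);
    return (uint8_t)(w | (__builtin_parity(w) & 1u));   /* bit 0 = P */
}

static uint8_t extract_data(unsigned w)
{
    return (uint8_t)(BIT(w, 3) | (BIT(w, 5) << 1) | (BIT(w, 6) << 2) | (BIT(w, 7) << 3));
}

/* Decode one codeword. The syndrome is the position of a single flipped
 * bit; the overall parity says whether an odd number of bits flipped. */
int secded_decode(uint8_t codeword, uint8_t *data_out)
{
    unsigned w = codeword;
    unsigned s1 = BIT(w, 1) ^ BIT(w, 3) ^ BIT(w, 5) ^ BIT(w, 7);
    unsigned s2 = BIT(w, 2) ^ BIT(w, 3) ^ BIT(w, 6) ^ BIT(w, 7);
    unsigned s4 = BIT(w, 4) ^ BIT(w, 5) ^ BIT(w, 6) ^ BIT(w, 7);
    unsigned syndrome = s1 | (s2 << 1) | (s4 << 2);
    unsigned odd_flips = __builtin_parity(w) & 1u;
    int status;

    if (syndrome == 0 && !odd_flips) {
        status = ECC_OK;
    } else if (odd_flips) {
        /* Odd number of flips: the decoder assumes exactly one and flips
         * the bit the syndrome points at (syndrome 0 means P itself).
         * With three flips this "correction" yields wrong data. */
        w ^= 1u << syndrome;
        status = ECC_CORRECTED;
    } else {
        /* Even number of flips (two or more): detected, not fixable. */
        status = ECC_UNCORRECTABLE;
    }
    *data_out = extract_data(w);
    return status;
}

/* Encode data, flip the bits in flip_mask, decode again. */
int inject_and_decode(uint8_t data, uint8_t flip_mask, uint8_t *data_out)
{
    return secded_decode((uint8_t)(secded_encode(data) ^ flip_mask), data_out);
}

/* Same, but return only the data the decoder hands back. */
uint8_t decoded_data(uint8_t data, uint8_t flip_mask)
{
    uint8_t out;
    inject_and_decode(data, flip_mask, &out);
    return out;
}

/* Enumerate all 16 data values and every flip pattern of exactly nflips
 * bits; count the cases that end with the given status. With
 * wrong_data_only set, only cases whose returned data differs from the
 * original count (silent corruption). */
int count_cases(int nflips, int status, int wrong_data_only)
{
    int n = 0;
    for (unsigned data = 0; data < 16; data++)
        for (unsigned mask = 0; mask < 256; mask++) {
            uint8_t out;
            if (__builtin_popcount(mask) != nflips)
                continue;
            if (inject_and_decode((uint8_t)data, (uint8_t)mask, &out) == status
                && (!wrong_data_only || out != data))
                n++;
        }
    return n;
}

int main(void)
{
    const char *name[] = { "ok", "corrected", "uncorrectable" };
    /* one flip (bit 5), two flips (bits 5,7), three flips (bits 3,5,6) */
    uint8_t masks[] = { 1u << 5, (1u << 5) | (1u << 7), (1u << 3) | (1u << 5) | (1u << 6) };
    for (int i = 0; i < 3; i++) {
        uint8_t out;
        int st = inject_and_decode(10, masks[i], &out);
        printf("%d flip(s): %-13s data=%u (original 10)\n", i + 1, name[st], (unsigned)out);
    }
    printf("single flips corrected: %d / 128\n", count_cases(1, ECC_CORRECTED, 0));
    printf("double flips detected:  %d / 448\n", count_cases(2, ECC_UNCORRECTABLE, 0));
    printf("triple flips reported as corrected but wrong: %d / 896\n",
           count_cases(3, ECC_CORRECTED, 1));
    return 0;
}
```

The three-flip case at bits 3, 5 and 6 is the instructive one: the three flipped positions cancel in the syndrome, the overall parity alone looks like a single error, and the decoder "corrects" the parity bit and reports success while handing back 13 instead of 10. A machine with ECC and an uncorrectable-error handler will halt or log on a double flip, which is why the VU Amsterdam work had to find flip patterns of three or more bits in one ECC word to get past it.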

The grsecurity patch set for the Linux kernel, which includes PaX among other components, makes the attack harder because it blocks access to the page maps of user processes, which reveal the physical addresses behind virtual ones. It does not, however, provide real protection. To make the attack harder, Linux kernel 4.0 likewise restricted unprivileged access to /proc/<pid>/pagemap.

In one case Seaborn was able to slow the attack down with an updated BIOS: instead of a few minutes, it then took him 40 minutes. That is not an effective protection, however.

Literature

  • André Schaller: Memory cells hammered. Why "Rowhammer" attacks on RAM can work. In: c't, issue 13, 2019, pp. 110–115 (heise.de [accessed June 13, 2019]).

References

  1. Mirko Lindner: "Row Hammer": Memory phenomenon leads to security holes. In: pro-linux.de. March 10, 2015, accessed March 14, 2015.
  2. Hanno Böck: Attack of the bit pushers. In: ZEIT online. March 10, 2015, accessed March 14, 2015.
  3. Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, Onur Mutlu: Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors. (PDF) Accessed March 14, 2015.
  4. Program for testing for the DRAM "rowhammer" problem. In: GitHub. Accessed March 14, 2015.
  5. Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos: Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks. November 22, 2018 (vu.nl [PDF]).
  6. CVE-2015-0565 at MITRE.
  7. Hanno Böck: RAM chips give attackers root privileges. In: Golem.de. March 10, 2015, accessed March 14, 2015.
  8. Detailed instructions for the attack are available here.
  9. Hanno Böck: Rowhammer: Memory bit flips using JavaScript. In: Golem.de. July 28, 2015, accessed July 30, 2015.
  10. Daniel Gruss, Clémentine Maurice, Stefan Mangard: Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. July 27, 2015, arXiv:1507.06955.
  11. Daniel Gruss, Clémentine Maurice: IAIK/rowhammerjs: rowhammerjs/rowhammer.js at master. July 27, 2015, accessed July 29, 2015.
  12. Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos: Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks. Accessed December 3, 2018.