A group of researchers from the Free University of Amsterdam has developed a new advanced version of the RowHammer attack, that allows the content of individual bits in memory based on DRAM chips to be changed, to protect the integrity of the error correction codes (ECC) that are applied.
The attack can be carried out remotely with non-privileged access to the systemAs the RowHammer vulnerability can distort the content of individual bits in memory by cyclically reading data from neighboring memory cells.
Table of Contents
What is the RowHammer vulnerability?
To what the group of researchers explain about the RowHammer vulnerability, is that this se based on the structure of a DRAM memory, because basically this is a two-dimensional matrix of cells of which each of these cells consists of a capacitor and a transistor.
Thus the continuous reading of the same memory area leads to voltage fluctuations and anomalies that cause a small loss of charge of the neighboring cells.
If the intensity of the reading is large enough, the cell may lose a sufficiently large amount of charge and the next regeneration cycle will not have time to restore its original state, resulting in a change in the value of the stored data. in cell.
A new variant of RowHammer
So far, using ECC was considered the most reliable way to protect against the problems described above.
However the researchers succeeded in developing a method to change the specified memory bits that did not activate an error correction mechanism.
The method can be used on servers with ECC memory to modify data, replace malicious code and change access rights.
For example, in RowHammer attacks demonstrated above, when an attacker accessed a virtual machine, malicious system updates were downloaded through a change in the hostname apt process to download and modify the verification logic of the hostname. digital signature.
How does this new variant work?
What the researchers explain about this new attack is that the ECC walkthrough relies on error correction features- If one bit is changed, the ECC will correct the error, if two bits are raised, an exception will be thrown and the program will be forcibly terminated, but if three bits are changed simultaneously, the ECC may not notice the modification.
To determine the conditions under which ECC verification does not work, A verification method similar to that of the race has been developed that allows to evaluate the possibility of an attack for a specific address in memory.
The method is based on the fact that when correcting an error, the reading time increases and the resulting delay is quite measurable and noticeable.
The attack is reduced to successive attempts to change each bit individually, determining the success of the change by the appearance of a delay caused by an ECC setting.
Therefore, a machine word search is performed with three variable bits. In the last stage, it is necessary to make sure that the three mutable bits in two places are different, and then try to change their value in a single pass.
About the demo
The Researchers successfully demonstrated the possibility of an attack on four different servers with DDR3 memory (theoretically vulnerable and DDR4 memory), three of which were equipped with Intel processors (E3-1270 v3, Xeon E5-2650 v1, Intel Xeon E5-2620 v1), and one AMD (Opteron 6376).
En The demonstration shows that finding the required combination of bits in the lab on an idle server takes about 32 minutes.
Making an attack on a running server is much more difficult due to the presence of interference that arises from the activity of the application.
In production systems, it can take up to a week to find the required combination of interchangeable bits.