A Google Inc. researcher has revealed an innovative technique for exploiting computer memory to gain kernel-level system privileges, highlighting the growing fear that application security controls may be rendered useless if underlying hardware is vulnerable.
Vendors and others have been aware of the "rowhammer" DRAM flaw for years, and researchers had thought a reliable exploit was almost impossible, but a new proof-of-concept could have wide implications for enterprise hardware.
Google Project Zero researcher Mark Seaborn and reverse engineer Thomas Dullien detailed two proof-of-concept attacks on Tuesday, explaining that repeatedly accessing a row of memory can cause bit flips in adjacent rows of some DRAM devices.
This method, Google researchers say, can ultimately allow an attacker to gain kernel privileges on x86-64 Linux machines, though they noted that this is not inherently a Linux-specific issue and could work on other operating systems.
Rowhammer has been a known flaw in some DRAM modules since around 2012, but first gained some attention with an academic research paper published by Carnegie Mellon University in June of 2014, and a subsequent white paper by Marc Greenberg, director of product marketing at Mountain View, Calif.-based vendor Synopsys Inc. in July of 2014.
"I had never considered this to be a security hole until this morning," admitted Greenberg in a blog post. This was because original methods of rowhammer could only cause bit-flips in limited numbers in random positions, making the likelihood low that the flip would happen in the exact position necessary for an exploit. Google's team has found a way to use the x86 "CLFLUSH" instruction to generate much more frequent flips, and one exploit bypasses the Native Client (NaCl) sandbox in the Chrome browser.
This proof-of-concept caused a stir on social media Monday because it doesn't leverage a flaw in software, but rather the hardware of machines, which would make mitigation more difficult.
Worse still, if rowhammer can be exploited to reliably gain privileges on target systems, the Google researchers said it may threaten the integrity of other security controls.
"Many layers of software security rest on the assumption the contents of memory locations don't change unless the locations are written to," said the Google researchers in their blog post.
In a blog post Monday commenting on the findings, Errata Security's Robert Graham indicated that despite the element of randomness that seems necessary for a successful Rowhammer exploit, there is cause for concern; other seemingly random events like stack and heap overflows were once thought to be too unreliable, but eventually techniques were developed to predict their occurrence.
"The upshot of this is that in order to exploit this bug, the hacker needs to know how virtual memory is translated to physical memory," Graham wrote. "This is easy on Linux. ... It may be harder in other systems."
However, there are promising defensive options. First, only some DDR3 DRAM hardware is vulnerable to rowhammer. Google's testing found that its technique only worked on 15 of 29 machines tested. The Project Zero team has released a testing application for Linux and Mac OS X.
Google noted that the proof-of-concepts did not work on machines with error-correcting code (ECC) memory, which is used in most cloud computing implementations, and that the newer LPDDR4 standard includes Targeted Row Refresh and Maximum Active Count features designed to mitigate rowhammer.
Many of today's desktop and laptop computers don't use expensive ECC memory, opening up questions as to whether a variety of enterprise endpoints could be at risk.
"The biggest threat at the moment appears to be to desktops/laptops, because they have neither ECC memory nor virtual machines" to protect them, Graham wrote.
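One way an enterprise could start triaging the endpoint question raised above, as an added example that is not from the article or from Google's test tool: a Python parser for `dmidecode -t memory` output that flags hosts reporting no ECC and records the DRAM generation. The sample output is constructed, not captured from a real machine; the field names are the standard dmidecode labels.

```python
import re
# Constructed sample of `dmidecode -t memory` output: a no-ECC DDR3 laptop,
# one populated slot and one empty slot (not captured from a real host).
SAMPLE = """\
Handle 0x0010, DMI type 16, 23 bytes
Physical Memory Array
\tError Correction Type: None
\tNumber Of Devices: 2

Handle 0x0012, DMI type 17, 40 bytes
Memory Device
\tArray Handle: 0x0010
\tTotal Width: 64 bits
\tData Width: 64 bits
\tSize: 8192 MB
\tType: DDR3

Handle 0x0013, DMI type 17, 40 bytes
Memory Device
\tArray Handle: 0x0010
\tSize: No Module Installed
"""

def parse_dmidecode(text):
    """Split dmidecode output into (record title, {field: value}) pairs."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in chunk.splitlines() if not l.startswith("Handle ")]
        pairs = (l.split(":", 1) for l in lines[1:] if ":" in l)
        records.append((lines[0].strip(), {k.strip(): v.strip() for k, v in pairs}))
    return records

def _bits(fields, key):
    m = re.match(r"\d+", fields.get(key, ""))
    return int(m.group()) if m else 0

def assess_rowhammer_exposure(text):
    """Summarise the ECC and DRAM-type signals dmidecode reports for one host."""
    records = parse_dmidecode(text)
    arrays = [f for t, f in records if t == "Physical Memory Array"]
    dimms = [f for t, f in records
             if t == "Memory Device" and f.get("Size") != "No Module Installed"]
    # ECC signals: declared correction type, or DIMM total width > data width (72 vs 64 bits).
    array_ecc = any(f.get("Error Correction Type") not in (None, "None", "Unknown") for f in arrays)
    dimm_ecc = bool(dimms) and all(_bits(f, "Total Width") > _bits(f, "Data Width") for f in dimms)
    types = sorted({f.get("Type", "Unknown") for f in dimms})
    ecc = array_ecc or dimm_ecc
    # Per the article: ECC defeated the PoCs; only some DDR3 parts flipped bits.
    risk = "lower" if ecc else ("higher" if "DDR3" in types else "unknown")
    return {"ecc": ecc, "dram_types": types, "dimm_count": len(dimms), "risk": risk}
```

The "higher" label only means the host matches the hardware class the proof-of-concepts targeted; confirming an actual flip still requires running the Project Zero test tool on that machine.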
Google has patched the Chrome browser to not allow "CLFLUSH," thus mitigating the NaCl bypass method.