14 DAY TRIAL // A theoretical problem with some dynamic random-access memory (DRAM) chips has become reality as security researchers discovered two methods to flip the bits in nearby memory locations, gaining direct access to the operating systems’ calls, as well as to the data in the entire physical memory.
The issue is called Row Hammer and consists in the fact that recent-generation DRAM chips have been scaled down so much that a larger number of memory cells are crammed together in a smaller space.
Apart from the obvious advantage of smaller costs, this approach also comes with a set of disadvantages, one of them being the possibility to interfere with one another, causing an undesirable effect.
Two proof-of-concept codes demonstrate the vulnerability
An experimental study of this effect is presented in the paper “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors,” published by Carnegie Mellon University.
A process’ address space in the memory is isolated from that of other processes, but the researchers demonstrated that repeated access to two memory locations in a process’ virtual address space leads to flipping the bit in a third location in a different DRAM row. However, no attack was attempted at the time.
Starting from this paper, security researchers at Google’s Project Zero picked up from where the initial study left and managed to create two exploits for the Row Hammer bug.
One of them “runs as a Native Client (NaCl) program and escalates privilege to escape from NaCl’s x86-64 sandbox, acquiring the ability to call the host OS’s syscalls directly,” Google’s sandbox expert Mark Seaborn and reverse engineer Thomas Dullien said in a highly technical blog post on Monday.
Taking advantage of the bug involves the use of the x86 CLFLUSH instruction, as it is one of the simplest methods to cause DRAM row hammering.
The second exploit built by the researchers is designed to run as a normal process (as opposed to a sandboxed one) on Linux, but it escalates privilege and allows access to the data in the entire physical memory.
Newer hardware includes mitigation techniques
In the first case, the experts also provide a way to mitigate the risk, which relies on changing Native Client to reject the CLFLUSH instruction. However, preventing the Row Hammer exploit with the second proof-of-concept is a more difficult task to achieve.
The two researchers carried out the tests on 32-bit machines launched between 2010 and 2014 with DDR3 DRAM, which showed they were vulnerable to the Row Hammer bit flipping bug, and used an in-house test program freely available on GitHub.
The duo warns that the results obtained are experimental and that the sample size is by no means large enough to be considered representative.
Among the mitigation techniques manufacturers can implement is ensuring that a given memory row is not activated too many times, at the same time making sure that adjacent rows are refreshed. Some newer hardware does include mitigation methods against the Row Hammer glitch.