Nethammer—Exploiting DRAM Rowhammer Bug Through Network Requests
Final week, we reported concerning the first network-essentially based a ways off Rowhammer attack, dubbed Throwhammer, which entails the exploitation a known vulnerability in DRAM by design of network cards the usage of a ways off dispute memory accept admission to (RDMA) channels.
On the different hand, a separate crew of security researchers has now demonstrated a second network-essentially based a ways off Rowhammer methodology that can also be historical to attack programs the usage of uncached memory or flush instruction while processing the network requests.
The analysis changed into once utilized by researchers who discovered Meltdown and Spectre CPU vulnerabilities, which is unbiased of the Amsterdam researchers who offered a collection of Rowhammer assaults, collectively with Throwhammer published closing week.
In the occasion you are unaware, Rowhammer is a crucial challenge with contemporary generation dynamic random accept admission to memory (DRAM) chips in which all over again and all over again accessing a row of memory can position off “bit flipping” in an adjacent row, allowing attackers to interchange the contents of the memory.
The challenge has since been exploited in a different of solutions to escalate an attacker’s privilege to kernel stage and slay a ways off code execution on the susceptible programs, however the attacker wished accept admission to to the victim’s machine.
On the different hand, the brand new Rowhammer attack methodology, dubbed Nethammer, will also be historical to manufacture arbitrary code on the targeted diagram by without note writing and rewriting memory historical for packet processing, which would be that you would possibly perchance perchance perchance perchance perchance name to mind best with a mercurial network connection between the attacker and victim.
This causes a high different of memory accesses to the same position of memory areas, which eventually induces disturbance errors in DRAM and causes memory corruption by unintentionally flipping the DRAM bit-tag.
The ensuing records corruption can then be manipulated by the attacker to fetch preserve watch over over the victim’s diagram.
“To mount a Rowhammer attack, memory accesses can must be at once served by the significant memory. Thus, an attacker desires to be obvious the records isn’t very saved within the cache,” the researcher paper [PDF] reads.
Since caching makes an attack demanding, the researchers developed solutions that allowed them to circumvent the cache and attack at once into the DRAM to position off the row conflicts within the memory cells required for the Rowhammer attack.
Researchers examined Nethammer for the three cache-bypass tactics:
- A kernel driver that flushes (and reloads) an tackle whenever a packet is got.
- Intel Xeon CPUs with Intel CAT for quick cache eviction
- Uncached memory on an ARM-essentially based mobile system.
All three eventualities are that you would possibly perchance perchance perchance perchance perchance name to mind, researchers showed.
In their experimental setup, researchers have been successfully in a set to induce pretty flip every 350 ms by sending a stream of UDP packets with as much as 500 Mbit/s to the target diagram.
For the rationale that Nethammer attack methodology does not require any attack code not like an recurring Rowhammer attack, let’s dispute, no attacker-managed code on the diagram, most countermeasures lift out not prevent this attack.
Since Rowhammer exploits a pc hardware weak point, no tool patch can totally repair the challenge. Researchers judge the Rowhammer threat isn’t very best accurate however additionally has likely to position off accurate, severe hurt.
For more in-depth particulars on the brand new attack methodology, you would possibly perchance perchance perchance perchance perchance head on to this paper, titled “Nethammer: Inducing Rowhammer Faults by design of Network Requests,” published by the researchers earlier this week.
