The exploitation of RAM weaknesses in point-of-sale machines made headlines a year ago in connection with huge data thefts from a number of U.S. retailers, as did the Heartbleed bug. Now security researchers have found another potential memory-related problem in devices running 64-bit Linux, and possibly other operating systems.
The revelation was made Monday on Google’s Project Zero blog by researchers who worked on a problem dubbed “rowhammer,” in which repeatedly accessing a row of memory in some recent DRAM devices can cause bit flips in adjacent rows. The Google researchers tested a number of laptops and found that some could be compromised with two privilege-escalation exploits they built.
Briefly, the problem stems from the fact that DRAM chips, which are organized in rows of cells, have been getting smaller, so the cells have been packed closer together. Over time it has become harder to prevent the cells from interacting electrically with each other. As a result, the researchers say, accessing one location in memory can disturb neighbouring locations, causing charge to leak into or out of neighbouring cells. With enough accesses, this can change a cell’s value from 1 to 0 or vice versa.
In one of their proof-of-concept exploits, rowhammer-induced bit flips let an attacker gain kernel privileges on x86-64 Linux from an unprivileged userland process by inducing bit flips in page table entries (PTEs). The process could thereby gain write access to its own page table, and hence read-write access to all of physical memory.
“We don’t know for sure how many machines are vulnerable to this attack, or how many existing vulnerable machines are fixable,” the researchers say. “Our exploit uses the x86 CLFLUSH instruction to generate many accesses to the underlying DRAM, but other techniques might work on non-x86 systems too.
“We expect our PTE-based exploit could be made to work on other operating systems; it is not inherently Linux-specific. Causing bit flips in PTEs is just one avenue of exploitation; other avenues for exploiting bit flips can be practical too.”
The other exploit could allow code to escape from a browser’s Native Client sandbox. According to Security Week, this hole has been plugged in Chrome.
The Google researchers are urging manufacturers to publicly release information about past, current and future devices so that security researchers and others can figure out which are vulnerable to the rowhammer problem.
In a blog post on the issue, Robert Graham of Errata Security wrote that error-correcting code (ECC) memory should detect and correct most rowhammer flips. However, while ECC memory may be found in servers, it is rarely found in PCs.
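To make Graham’s point concrete, here is an added illustration (not code from the Project Zero post, from Errata Security, or from any ECC controller) of how a SECDED Hamming code, the scheme commonly used for ECC DRAM, behaves when stored bits are disturbed. It encodes one data word with Hamming parity bits plus an overall parity bit, then simulates bit flips: a single flipped bit is detected and repaired, two flipped bits in the same word are detected but cannot be repaired, which is why ECC catches “most” rather than all flips. The word width, sample value and flip positions are constructed for the demonstration.

```python
"""SECDED (single-error-correct, double-error-detect) Hamming code over one
data word. Added illustration of the ECC behaviour described in the article;
not code from the Project Zero post or from Errata Security. The word width,
the sample value and the flip positions used below are assumptions."""


def _num_parity_bits(k):
    """Smallest r with 2**r >= k + r + 1 (Hamming bound for k data bits)."""
    r = 0
    while (1 << r) < k + r + 1:
        r += 1
    return r


def _is_pow2(x):
    return x & (x - 1) == 0


def encode(value, width=8):
    """Encode a `width`-bit integer as a SECDED Hamming codeword.

    The codeword is a list of bits: index 0 holds the overall parity bit,
    indices that are powers of two hold Hamming parity bits, and all other
    indices carry the data bits (least significant first)."""
    data = [(value >> i) & 1 for i in range(width)]
    r = _num_parity_bits(width)
    n = width + r
    code = [0] * (n + 1)
    d = iter(data)
    for pos in range(1, n + 1):
        if not _is_pow2(pos):
            code[pos] = next(d)
    # Parity bit p covers every position whose index has bit p set.
    for i in range(r):
        p = 1 << i
        code[p] = sum(code[pos] for pos in range(1, n + 1)
                      if pos != p and pos & p) % 2
    # Overall parity over positions 1..n distinguishes one flip from two.
    code[0] = sum(code[1:]) % 2
    return code


def decode(code):
    """Return (status, value).

    status is 'ok' (no error), 'corrected' (one flipped bit repaired) or
    'uncorrectable' (two flips detected; the data must not be trusted).
    Three or more flips can be mis-decoded, a known SECDED limitation."""
    code = list(code)
    n = len(code) - 1
    # XOR of the indices of all set bits is the syndrome: zero for a valid
    # word, otherwise the index of the single flipped bit.
    syndrome = 0
    for pos in range(1, n + 1):
        if code[pos]:
            syndrome ^= pos
    overall_ok = sum(code) % 2 == 0
    if syndrome == 0 and overall_ok:
        status = "ok"
    elif not overall_ok:
        # Odd number of flips: assume exactly one and repair it. A zero
        # syndrome here means the overall parity bit (index 0) itself flipped.
        code[syndrome] ^= 1
        status = "corrected"
    else:
        # Overall parity still even but syndrome non-zero: two flips.
        return "uncorrectable", None
    data = [code[pos] for pos in range(1, n + 1) if not _is_pow2(pos)]
    return status, sum(b << i for i, b in enumerate(data))


def flip(code, *positions):
    """Simulate a disturbance error by flipping the given codeword bits."""
    code = list(code)
    for p in positions:
        code[p] ^= 1
    return code


if __name__ == "__main__":
    word = encode(0xA5)                      # constructed sample value
    print("stored word:", word)
    print("one flip:   ", decode(flip(word, 5)))
    print("two flips:  ", decode(flip(word, 3, 10)))
```

The `uncorrectable` branch is the one that matters for the article’s caveat: an ECC controller raises a machine-check or logs a multi-bit error in that case instead of silently returning corrupted data, so the flips are caught but the affected word is lost, and a row that is hammered hard enough to flip several bits in one word is exactly the situation a single-correction code cannot repair.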
“By itself, this bug may not endanger you,” Graham wrote. “However, it’s much more dangerous when used in conjunction with other bugs. Browsers have ‘sand boxes’ that keep hackers contained even if the first layer of defense breaks. This may provide a way of escaping the sand box when used in conjunction with other exploits.”
The Google researchers wrote that “history has shown that issues that are thought to be ‘only’ reliability issues often have significant security implications, and the rowhammer problem is a good example of this. Many layers of software security rest on the assumption the contents of memory locations don’t change unless the locations are written to.
“The public discussion of software flaws and their exploitation has greatly expanded our industry’s understanding of computer security in past decades, and responsible software vendors advise users when their software is vulnerable and provide updates. Though the industry is less accustomed to hardware bugs than to software bugs, we would like to encourage hardware vendors to take the same approach: thoroughly analyse the security impact of ‘reliability’ issues, provide explanations of impact, offer mitigation strategies and — when possible — supply firmware or BIOS updates. Such discussion will lead to more secure hardware, which will benefit all users.”