New Rowhammer Exploit Enables Hackers to Bypass Mitigations

The Rowhammer exploit was first discovered in 2014 and was shown to allow attackers to take control of devices by targeting DRAM memory cells.

Rowhammer attacks take advantage of the close physical proximity of DRAM memory cells: repeatedly accessing the same rows causes charge to leak from neighbouring cells and alters their contents. The attack delivers constant read-write operations using carefully crafted memory access patterns that continuously activate the same memory rows, and the resulting bit flips can enable powerful privilege escalation attacks.

Since the attack method was discovered, security researchers have found that the technique has been used in many attacks. The attacks have even been performed using simple JavaScript, and have been shown to be effective on Windows machines, Linux-based virtual machines, and Android devices.

Considerable research into the Rowhammer exploit has enabled manufacturers to implement a number of mitigations to prevent attacks. However, new research published this week shows that even when multiple mitigations are deployed, the Rowhammer exploit can still be used and all current mitigations can be bypassed.

Previous attacks hammered multiple rows of memory cells, but the latest method targets just one row. This attack method, termed one-location hammering, keeps a single DRAM row constantly open.

According to the researchers, “We replace conspicuous and memory-exhausting spraying and grooming techniques with a novel reliable technique called memory waylaying. Memory waylaying exploits system-level optimizations and a side channel to coax the operating system into placing target pages at attacker chosen physical locations.”

The team also successfully conducted an attack on Intel SGX and were able to hide the attack completely from the operating system. While attacks take longer to carry out using the new method, they can still be effective: the researchers say that in their tests an attack took between 44.4 hours and 137.8 hours.

That would clearly be too long for attacks on most computers, but the researchers say there is a risk to online servers that are never switched off, and to cloud services, which typically have more than 99.9% uptime. Attackers could conduct denial of service attacks on cloud environments, as well as privilege escalation attacks on personal computers.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news