Hardware Bit-Flipping Attack
Here's how Rowhammer gets its name: In the Dynamic Random Access Memory (DRAM) used in some laptops, a hacker can run a program designed to repeatedly access a certain row of transistors in the computer's memory, "hammering" it until the charge from that row leaks into the next row of memory. That electromagnetic leakage can cause what's known as "bit flipping," in which transistors in the neighboring row of memory have their state reversed, turning ones into zeros or vice versa. And for the first time, the Google researchers have shown that they can use that bit flipping to actually gain unintended levels of control over a victim computer. Their Rowhammer hack can allow a "privilege escalation," expanding the attacker's influence beyond a certain fenced-in portion of memory to more sensitive areas.
When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.
The cause is simply the super dense packing of chips:
This works because DRAM cells have been getting smaller and closer together. As DRAM manufacturing scales down chip features to smaller physical dimensions, to fit more memory capacity onto a chip, it has become harder to prevent DRAM cells from interacting electrically with each other. As a result, accessing one location in memory can disturb neighbouring locations, causing charge to leak into or out of neighbouring cells. With enough accesses, this can change a cell's value from 1 to 0 or vice versa.
Very clever, and yet another example of the security interplay between hardware and software.
This kind of thing is hard to fix, although the Google team gives some mitigation techniques at the end of their analysis.
EDITED TO ADD (3/12): Good explanation of the vulnerability.
Posted on March 11, 2015 at 6:16 AM • 38 Comments