The first network-based remote Rowhammer attack, known as Throwhammer, involves exploiting a known vulnerability in DRAM through network cards using remote direct memory access (RDMA) channels.
Now a group of researchers has revealed a second network-based remote Rowhammer technique, which can attack systems that use uncached memory or a flush instruction while processing network requests.
The same research team discovered the Meltdown and Spectre CPU vulnerabilities; it is independent of the Amsterdam researchers who presented a series of Rowhammer attacks, including Throwhammer, published last week.
Rowhammer is an unintended side effect in dynamic random-access memory (DRAM) in which repeatedly accessing a row of memory can cause “bit flipping” in an adjacent row, thereby allowing an attacker to alter the contents of memory.
This issue has been exploited in numerous ways to escalate an attacker’s privileges to kernel level and achieve remote code execution on vulnerable systems; however, those attacks required the attacker to have access to the victim’s machine.
The new Rowhammer attack technique, nicknamed Nethammer, can be used to execute arbitrary code on the targeted system by rapidly writing and rewriting memory used for packet processing; this is feasible only with a fast network connection between the attacker and the victim.
This causes a large number of memory accesses to the same set of memory locations, which eventually induces errors in DRAM: bits flip unintentionally and memory is corrupted. The attacker can then manipulate this corruption to gain access to the victim’s system.
According to the research, mounting a Rowhammer attack requires that memory accesses be served directly by main memory, so the attacker has to make sure the data is not served from the cache.
Caching makes the attack difficult, so the researchers developed ways to bypass the cache and reach DRAM directly, causing the row conflicts in the memory cells that Rowhammer requires.
The researchers tested Nethammer with three cache-bypass techniques:
- A kernel driver that flushes (and reloads) an address whenever a packet is received.
- Intel Xeon CPUs with Intel CAT for fast cache eviction.
- Uncached memory on an ARM-based mobile device.
The researchers showed that all three of these scenarios are possible.
In their experimental setup, the researchers were able to induce a bit flip every 350 ms by sending a stream of UDP packets at up to 500 Mbit/s to the target system.
Unlike a regular Rowhammer attack, Nethammer does not require any attack code on the target. Because no attacker-controlled code runs on the system, most countermeasures do not prevent this attack.
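Since no attacker-controlled code runs on the victim, host-based countermeasures have little to work with, and the observable footprint of the attack as described above is the sustained, high-rate UDP stream itself. The following is an added example, not code from the article or from the Nethammer researchers: a small detector that aggregates flow records per source/destination pair into one-second buckets and flags pairs whose UDP throughput stays above a threshold for several consecutive seconds. The flow-record format, the sample records (including the 198.51.100.7 documentation address), the 400 Mbit/s threshold and the three-second window are all constructed assumptions for this illustration; a real deployment would feed NetFlow/IPFIX or capture summaries and tune the thresholds to the monitored link.

```python
"""
Added example (not part of the article or the Nethammer research): flag a
sustained high-rate UDP stream toward one host, the traffic pattern the
article says Nethammer depends on (up to 500 Mbit/s of UDP packets).
Record format, sample data and thresholds are constructed for illustration.
"""
from collections import defaultdict

# Constructed flow records: "epoch_second src dst proto bytes".
# 10.0.0.5 is a benign source with a single one-second burst;
# 198.51.100.7 (documentation address) sustains a high UDP rate for 4 s.
SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.0.20 udp 900000
1000 198.51.100.7 10.0.0.20 udp 60000000
1001 198.51.100.7 10.0.0.20 udp 61000000
1001 10.0.0.5 10.0.0.20 udp 65000000
1002 198.51.100.7 10.0.0.20 udp 62500000
1002 10.0.0.5 10.0.0.20 tcp 70000000
1003 198.51.100.7 10.0.0.20 udp 59000000
1003 10.0.0.9 10.0.0.20 udp 1200000
"""


def parse_flows(text):
    """Parse constructed flow lines into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, nbytes = parts
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "proto": proto.lower(), "bytes": int(nbytes)})
    return flows


def udp_rates_mbps(flows):
    """Aggregate UDP bytes per (src, dst) into one-second buckets, in Mbit/s."""
    buckets = defaultdict(int)
    for f in flows:
        if f["proto"] == "udp":
            buckets[(f["src"], f["dst"], f["ts"])] += f["bytes"]
    rates = defaultdict(dict)
    for (src, dst, ts), total_bytes in buckets.items():
        rates[(src, dst)][ts] = total_bytes * 8 / 1_000_000
    return rates


def find_sustained_udp_streams(flows, threshold_mbps=400.0, min_seconds=3):
    """Return (src, dst, longest_run) for pairs whose UDP rate stays at or above
    threshold_mbps for at least min_seconds consecutive one-second buckets.
    A missing second breaks the run, so a single burst is not reported."""
    alerts = []
    for (src, dst), per_sec in udp_rates_mbps(flows).items():
        run = best = 0
        prev_ts = None
        for ts in sorted(per_sec):
            above = per_sec[ts] >= threshold_mbps
            contiguous = prev_ts is not None and ts == prev_ts + 1
            run = (run + 1 if contiguous else 1) if above else 0
            best = max(best, run)
            prev_ts = ts
        if best >= min_seconds:
            alerts.append((src, dst, best))
    return alerts


if __name__ == "__main__":
    for src, dst, secs in find_sustained_udp_streams(parse_flows(SAMPLE_FLOWS)):
        print(f"sustained UDP stream {src} -> {dst}: {secs}s at or above threshold")
```

On the constructed data, only 198.51.100.7 -> 10.0.0.20 is reported (four consecutive seconds between 472 and 500 Mbit/s); 10.0.0.5 peaks at 520 Mbit/s but for a single second, so the consecutive-seconds requirement filters it out. Requiring the rate to be sustained rather than merely exceeded once is what separates this pattern from ordinary bursty traffic.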
Rowhammer exploits a property of the computer hardware itself, so a software patch cannot completely fix the issue. The researchers believe that the Rowhammer threat is real and has the potential to cause critical damage.