Researchers at Google turn a theoretical attack practical: Successively writing data to rows of memory results in flipped bits and the ability to run code.
Consumer dynamic RAMs are widely vulnerable to a known—but previously thought to be mostly theoretical—attack technique in which data successively written to a row of memory cells can flip a bit in an adjacent row and undermine a computer's security, according to an investigation by Google researchers.
In an analysis released on March 9, Google security researchers Mark Seaborn and Thomas Dullien found that 15 out of 29 laptops tested were vulnerable to the technique, known as a "rowhammer" attack. The technique abuses the physics of DRAM, or dynamic random access memory, using repeated voltage fluctuations produced by writing data to rows of DRAM cells, to flip one or more bits of memory.
The researchers were able to exploit the technique to flip bits in memory until a change turned safe, non-executable memory to unsafe memory from which a program could be run. The researchers exploited the technique to gain higher privileges on a test system.
"Vendors may have considered rowhammer to be only a reliability issue and assumed that it is too difficult to exploit," the researchers stated in their analysis. "None of the public material we have seen on rowhammer [with one exception] discusses security implications."
The exception is a paper presented by a team of researchers from Carnegie Mellon University and Intel Labs, on which the Google researchers based their investigation. In that paper, the researchers studied DRAM disturbance errors and found that most DRAM modules—110 out of 129 from three different manufacturers—were susceptible to the attack.
Because memory chips have continued to have smaller features, electrical interactions are increasingly likely, the Google researchers wrote in their analysis.
"This works because DRAM cells have been getting smaller and closer together," they said. "As DRAM manufacturing scales down chip features to smaller physical dimensions, to fit more memory capacity onto a chip, it has become harder to prevent DRAM cells from interacting electrically with each other."
The attack could allow a program running on a mobile device, laptop or desktop to gain control of the system, according to Dan Kaminsky, chief scientist with security firm White Ops. Yet the worst scenario may be attackers running code on cloud computing clusters and breaking through the virtual walls that isolate one customer's data from another, he said.
"If one bit changes into the wrong place, then you can become root, or God, or whatever," he said. "This is a generic attack based on very rare vulnerabilities, but the problem with software is that a rare vulnerability—once known—becomes common."
The problem also underscores that, while many security professionals understand software security, hardware issues represent less traveled territory. The Google analysis recommends that more researchers publish information about the rowhammer problem while vendors release more technical information about potential mitigations. Such efforts could help users evaluate which machines might be vulnerable.
"Though the industry is less accustomed to hardware bugs, hardware security can benefit from the same processes of public discussion and disclosure" as software issues, the researchers stated.
In the original rowhammer paper, the Carnegie Mellon and Intel researchers recommended a defense they called Probabilistic Adjacent Row Activation, or PARA—which would, every time a row is accessed, refresh the adjacent row with a small probability. Refreshing the DRAM cells reinforces the correct data, essentially erasing the electrical influence of adjacent writes. The technique would result in adjacent rows occasionally being refreshed and negating the impact of the attack, the researchers said.
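As an added illustration that is not part of the article or of the Google or Carnegie Mellon/Intel work, the toy simulation below models the PARA defense described above: every access to a row adds disturbance to its two physical neighbours, a neighbour counts as flipped once enough disturbance accumulates before the next periodic refresh, and PARA refreshes the neighbours with a small probability on each access. The row count, flip threshold, refresh interval and probability are constructed numbers chosen to make the effect visible, not measured values.

```python
import random


class DramModel:
    """Toy DRAM row model (constructed for illustration, not real timing).

    Each access to a row adds one unit of disturbance to its neighbours.
    A neighbour whose disturbance reaches flip_threshold before it is
    refreshed is recorded as having a flipped bit. A periodic refresh
    clears all rows every refresh_interval accesses; PARA additionally
    refreshes the two neighbours of the accessed row with probability para_p.
    """

    def __init__(self, rows, flip_threshold, refresh_interval, para_p=0.0, seed=0):
        self.rows = rows
        self.flip_threshold = flip_threshold
        self.refresh_interval = refresh_interval
        self.para_p = para_p
        self.rng = random.Random(seed)  # fixed seed keeps the run reproducible
        self.disturbance = [0] * rows
        self.flipped = set()
        self.accesses = 0

    def _neighbours(self, row):
        return [r for r in (row - 1, row + 1) if 0 <= r < self.rows]

    def access(self, row):
        self.accesses += 1
        for n in self._neighbours(row):
            self.disturbance[n] += 1
            if self.disturbance[n] >= self.flip_threshold:
                self.flipped.add(n)
        # PARA: with small probability, refresh the adjacent rows right away,
        # which resets the electrical influence of the repeated accesses.
        if self.para_p and self.rng.random() < self.para_p:
            for n in self._neighbours(row):
                self.disturbance[n] = 0
        # Ordinary periodic refresh restores every row.
        if self.accesses % self.refresh_interval == 0:
            self.disturbance = [0] * self.rows


def simulate(para_p, seed=0):
    """Access row 10 repeatedly for one refresh interval; return flipped rows."""
    model = DramModel(rows=32, flip_threshold=20_000, refresh_interval=100_000,
                      para_p=para_p, seed=seed)
    for _ in range(100_000):
        model.access(10)
    return sorted(model.flipped)


if __name__ == "__main__":
    print("without PARA:", simulate(para_p=0.0))    # neighbours 9 and 11 flip
    print("with PARA p=0.001:", simulate(para_p=0.001))  # no flips
```

With p = 0.001 the neighbours are refreshed on average every 1,000 accesses, so a run of 20,000 accesses without a refresh is vanishingly unlikely, which is the reason the PARA authors could choose a very small probability and still neutralise the disturbance.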