Last week, we reported the first Rowhammer attack carried out over the network, called Throwhammer, which exploits the well-known DRAM weakness through network adapters that use RDMA (Remote Direct Memory Access).
However, a separate team of security researchers has now demonstrated a second network-based Rowhammer technique that can be used to attack systems that use uncached memory, or that execute cache-flush instructions, while handling network requests.
The research was conducted by the researchers who discovered the Meltdown and Spectre CPU vulnerabilities, and is independent of the work of the Amsterdam researchers who presented a series of Rowhammer attacks, including Throwhammer, last week.
If you are not aware, Rowhammer is a critical issue in recent generations of DRAM chips in which repeatedly accessing one row of memory can cause a "bit flip" in an adjacent row, allowing an attacker to alter the contents of memory they never directly wrote to.
The issue has been exploited in various ways to escalate an attacker's privileges to kernel level and to gain code execution on vulnerable systems, but until now the attacker needed to be able to run code on the victim's machine.
The new technique, dubbed Nethammer, can instead be used to corrupt memory on the target system by rapidly writing and rewriting the memory used for packet processing, which is only possible if there is a fast network connection between the attacker and the victim.
This causes a very high number of accesses to the same set of memory locations, which can eventually induce disturbance errors in the DRAM and corrupt memory by unintentionally flipping the value of DRAM bits.
The resulting data corruption can then be manipulated by the attacker to take control of the victim's system.
"To mount a Rowhammer attack, the memory accesses must be served directly from the main memory, so an attacker must ensure that the data is not cached," explains the researchers' paper [PDF].
Because caching makes the attack difficult, the researchers developed methods that allowed them to bypass the cache and hit the DRAM directly, causing the row conflicts in the memory cells that the Nethammer attack requires.
The researchers tested Nethammer with three cache-bypass techniques:
A kernel driver that flushes (and reloads) an address every time a packet is received.
An Intel Xeon processor with Intel CAT (Cache Allocation Technology) for fast cache eviction.
Uncached memory on an ARM-based mobile device.
The researchers showed that all three scenarios are feasible.
In their experimental setup, the researchers managed to induce a bit flip every 350 ms by sending a stream of UDP packets at up to 500 Mbps to the target system.
Since the Nethammer technique, unlike a regular Rowhammer attack, does not require any attacker-controlled code on the target system, most existing countermeasures do not prevent it.
Because Rowhammer exploits a weakness in the hardware itself, no software patch can completely fix the problem. The researchers believe that the Rowhammer threat is not only real but also has the potential to cause real, severe damage.
For more details on the new attack technique, you can refer to the paper, titled "Nethammer: Inducing Rowhammer Faults through Network Requests," published by the researchers earlier this week.