Rowhammer Attack

When everything has been thought of – except for the "canalization"

How can it feel when all security precautions fail just because you have rented a cheap server for cost reasons?

Hard disk encrypted, up-to-date operating system and no vulnerabilities in the software: isn't that enough?

The weaknesses of RAM components from some manufacturers have been known for some time. As a so-called Microarchitectural Side-Channel Attack (MASCAT), Rowhammer is a predecessor of Spectre, Meltdown and ZombieLoad, possibly the most dangerous security vulnerabilities in many processors. It was discovered by Daniel Gruss, a researcher at Graz University of Technology.

What is the problem?

The problem is physical in nature and therefore difficult to control. As long as data on a server is encrypted, it is difficult to access the information it contains. The only way in is via the computer's memory modules (RAM): a computer cannot do anything with encrypted data, so while a program is running most of its data is held unencrypted in RAM. If you have admin rights on your computer, you can easily verify this with a tool such as HxD, a freeware hex editor.

An attacker needs access to the computer to copy data in this way. 

Many web servers and cloud services are nothing more than very large computers on which many users share the available resources. This means that these users also share the main memory of this computer. To ensure that data in the main memory of these machines cannot be read by other users, the operating system assigns each user a protected part of the memory to which only that user has access.

How can the Rowhammer attack be used to access the content of protected areas of other users?

I'd like to explain this in a very simplified way here:

Memory cell arrangement: Let's imagine the main memory (RAM) consisting of an arrangement of memory cells. These cells are organized in rows and columns:
  | 0 | 1 | 2 | 3 | 4 | ... |
  | 5 | 6 | 7 | 8 | 9 | ... |
  | . | . | . | . | . | ... |

Read and write: During normal operation, data is written to and read from these memory cells. In a rowhammer attack, a targeted attempt is made to repeatedly access certain memory cells.

Repeated writing: The attacker selects a specific memory row and repeatedly writes data to the cells in this row at a high frequency. Marked as "x" in our example:
  | x | x | x | x | x | ... |
  | . | . | . | . | . | ... |
  | . | . | . | . | . | ... |

Electrical effects 😮: Repeated writing to this memory row can cause electrical effects that lead to leakage currents in neighboring memory cells. Shown here as "1":
  | x | x | x | 1 | x | ... |
  | . | . | . | . | . | ... |
  | . | . | . | . | . | ... |


Neighboring cells affected: The leakage currents can cause data in neighboring memory cells to be changed unintentionally without them being accessed directly:
  | x | x | x | 1 | x | ... |
  | . | . | . | 0 | . | ... |     (changed cell)
  | . | . | . | . | . | ... |


Unwanted data changes: These unwanted changes in neighboring memory cells can be exploited by an attacker to bypass the memory areas set up by the operating system and then manipulate data.

Rowhammer attacks are a complex topic, and the above illustration is highly simplified. However, it shows the basic principle of how repeated writes to certain memory cells can cause unwanted effects in neighboring cells and how these effects can be exploited.
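The illustration above, as an added Python model that is not part of the original post: a toy DRAM in which every access to a row stresses its two neighbours until a cell in a neighbouring row silently flips, a counter-based refresh as a simplified stand-in for the mitigations memory vendors ship, and a per-row checksum standing in for a memory-scrubbing integrity check. The thresholds and the flip position are assumptions chosen to make the effect visible, not measured values.

```python
import hashlib

# Constructed toy model of the row/neighbour effect described above. Real DRAM
# geometry, flip thresholds and refresh timing are far more complex; these
# numbers are illustrative assumptions, not measurements.
FLIP_THRESHOLD = 10_000  # neighbour accesses before a cell may flip (assumed)
REFRESH_LIMIT = 5_000    # accesses to a row before its neighbours are refreshed (assumed)

class ToyDram:
    def __init__(self, rows=8, row_bytes=8, mitigate=False):
        self.rows = [bytearray(row_bytes) for _ in range(rows)]
        self.disturb = [0] * rows       # accumulated leakage stress per row
        self.activations = [0] * rows   # accesses per row since its last refresh
        self.mitigate = mitigate

    def write(self, row, data):
        self.rows[row][:] = data
        self._access(row)

    def _access(self, row):
        self.activations[row] += 1
        for victim in (row - 1, row + 1):   # every access stresses both neighbours
            if 0 <= victim < len(self.rows):
                self.disturb[victim] += 1
                if self.disturb[victim] >= FLIP_THRESHOLD:
                    self._flip_bit(victim)  # silent change without any write to the victim
        if self.mitigate and self.activations[row] >= REFRESH_LIMIT:
            self._refresh_neighbours(row)

    def _flip_bit(self, row):  # toy: always bit 0 of byte 0 of the victim row
        self.rows[row][0] ^= 0x01
        self.disturb[row] = 0

    def _refresh_neighbours(self, row):  # stand-in for counter-based refresh
        self.activations[row] = 0
        for victim in (row - 1, row + 1):
            if 0 <= victim < len(self.rows):
                self.disturb[victim] = 0

    def checksum(self, row):  # what a scrubbing integrity check would compare
        return hashlib.sha256(bytes(self.rows[row])).hexdigest()

def hammer_and_scrub(mitigate, accesses=10_000):
    """Hammer row 2, then check whether the never-rewritten row 3 still matches its checksum."""
    dram = ToyDram(mitigate=mitigate)
    dram.write(3, b"SECRET!!")       # victim data, written exactly once
    expected = dram.checksum(3)
    for _ in range(accesses):
        dram.write(2, b"\xff" * 8)   # aggressor row hammered repeatedly
    return dram.checksum(3) == expected
```

Without the refresh counter, `hammer_and_scrub(False)` returns False because row 3 changed although nothing ever wrote to it; with it, `hammer_and_scrub(True)` returns True.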

Rowhammer attacks are extremely time-consuming and costly. "You don't do something like this for fun," says Gruss, the discoverer. "You can gain access to a system within seconds via a vulnerability in the software. Even with the new Rowhammer possibilities, we still expect it to take hours or even days."

With JOUO, we not only show the vulnerabilities of unpatched systems, but also whether your digital assets are hosted on virtual machines and who else is using the same resource.

#DoNotFightAlone