March 17, 2015 By Jaikumar Vijayan 2 min read

Security researchers at Google’s Project Zero vulnerability research group have found a way to reliably exploit a potentially serious hardware bug that exists in many modern dynamic random-access memory (DRAM) devices.

Tests conducted on DRAM devices in 29×86 laptop computers from multiple vendors suggest the problem is widespread and that vendors have known about it for a while, the researchers noted in a blog post this week. However, it may be that the vendors have so far treated the hardware bug as just a reliability problem and not as a security issue that can be exploited to corrupt a system.

The problem, dubbed “rowhammer” by the Google researchers, stems from the ever-shrinking nature of DRAM technologies. As DRAM cells have gotten smaller and closer together, it has become harder for manufacturers to prevent cells from interacting with each other electrically and from disturbing neighboring cells, the researchers said.

Experimental Study

In an experimental study on DRAM disturbance errors last year, researchers at Carnegie Mellon University and Intel showed how it is possible to corrupt data in DRAM chips by repeatedly activating and deactivating data in a single row. By simply reading from the same memory address on a DRAM chip repeatedly, it is possible to corrupt data in neighboring rows. It is this process that Google’s researchers describe as “row hammering” in their report.

The researchers investigated a total of 129 DRAM modules from different vendors and discovered disturbance errors in 110 of them. Interestingly, all DRAM chips manufactured between 2012 and 2013 were susceptible to the issue, suggesting the problem is especially prevalent in modern chipsets.

Modern manufacturing processes have allowed chipmakers to reduce memory costs by cramming more DRAM cells into the same amount of real estate. However, in the process, they have also introduced memory reliability issues.

Working Exploits

What Google’s Project Zero researchers have done is show how to exploit the hardware bug. They built two working exploits that let attackers corrupt a DRAM device and escalate their privileges on a compromised system. One of the exploits runs as a Native Client (NaCl) program that attackers can use to escalate privileges and escape the NaCl sandboxing system, the Google researchers said.

The second is a kernel privilege escalation exploit that basically uses row hammering to induce DRAM errors that would let an attacker gain read-write access to all physical memory. According to the researchers, this exploit is harder to mitigate than the one that involves the NaCl sandbox escape.

In order to increase the speed and their chances of corrupting memory cells in DRAM, the researchers showed how an approach they described as “double-sided hammering” can be used to cause memory bits to flip more quickly.

Addressing the Hardware Bug Issue

Chipmakers that are aware of the issue have tried to address it by improving the isolation between cells and by looking for disturbance errors during the post-production testing phase. There are indications that some DRAM manufacturers have begun to implement BIOS updates and other mitigations for the issue, the Google researchers said. At least one DRAM vendor has indicated publicly that it implements rowhammer mitigations within its devices, and some newer laptop models appear to be immune to the problem.

However, without more information from vendors, it is hard to say for sure how many laptop computers are currently vulnerable to the hardware bug. In treating the rowhammer problem as a reliability issue, vendors appear to have overlooked the security implications. It is time for hardware vendors to analyze the issue on their device and provide explanations of impact and mitigation strategies.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today