Security researchers at Google’s Project Zero vulnerability research group have found a way to reliably exploit a potentially serious hardware bug that exists in many modern dynamic random-access memory (DRAM) devices.
Tests conducted on DRAM devices in 29×86 laptop computers from multiple vendors suggest the problem is widespread and that vendors have known about it for a while, the researchers noted in a blog post this week. However, it may be that the vendors have so far treated the hardware bug as just a reliability problem and not as a security issue that can be exploited to corrupt a system.
The problem, dubbed “rowhammer” by the Google researchers, stems from the ever-shrinking nature of DRAM technologies. As DRAM cells have gotten smaller and closer together, it has become harder for manufacturers to prevent cells from interacting with each other electrically and from disturbing neighboring cells, the researchers said.
In an experimental study on DRAM disturbance errors last year, researchers at Carnegie Mellon University and Intel showed how it is possible to corrupt data in DRAM chips by repeatedly activating and deactivating data in a single row. By simply reading from the same memory address on a DRAM chip repeatedly, it is possible to corrupt data in neighboring rows. It is this process that Google’s researchers describe as “row hammering” in their report.
The researchers investigated a total of 129 DRAM modules from different vendors and discovered disturbance errors in 110 of them. Interestingly, all DRAM chips manufactured between 2012 and 2013 were susceptible to the issue, suggesting the problem is especially prevalent in modern chipsets.
Modern manufacturing processes have allowed chipmakers to reduce memory costs by cramming more DRAM cells into the same amount of real estate. However, in the process, they have also introduced memory reliability issues.
What Google’s Project Zero researchers have done is show how to exploit the hardware bug. They built two working exploits that let attackers corrupt a DRAM device and escalate their privileges on a compromised system. One of the exploits runs as a Native Client (NaCl) program that attackers can use to escalate privileges and escape the NaCl sandboxing system, the Google researchers said.
The second is a kernel privilege escalation exploit that basically uses row hammering to induce DRAM errors that would let an attacker gain read-write access to all physical memory. According to the researchers, this exploit is harder to mitigate than the one that involves the NaCl sandbox escape.
In order to increase the speed and their chances of corrupting memory cells in DRAM, the researchers showed how an approach they described as “double-sided hammering” can be used to cause memory bits to flip more quickly.
Addressing the Hardware Bug Issue
Chipmakers that are aware of the issue have tried to address it by improving the isolation between cells and by looking for disturbance errors during the post-production testing phase. There are indications that some DRAM manufacturers have begun to implement BIOS updates and other mitigations for the issue, the Google researchers said. At least one DRAM vendor has indicated publicly that it implements rowhammer mitigations within its devices, and some newer laptop models appear to be immune to the problem.
However, without more information from vendors, it is hard to say for sure how many laptop computers are currently vulnerable to the hardware bug. In treating the rowhammer problem as a reliability issue, vendors appear to have overlooked the security implications. It is time for hardware vendors to analyze the issue on their device and provide explanations of impact and mitigation strategies.