We used to think of computer security troubles as being pretty much exclusively software problems. Things have changed. In 2014, Carnegie Mellon University students found that, in theory, just by reading and closing data stored on one row of memory cells over and over again at high speeds, you could alter data stored in nearby memory rows. Then, in 2015, Google Project Zero researchers showed not just one, but two ways this "rowhammer" attack could gain read-write access to a laptop's memory.
That's worrying, but could Rowhammer ever be used in a real attack? After all, as its discoverers said when they presented their results it "takes as few as 139K accesses to induce an error and up to one in every 1.7K cells is susceptible to errors." That sounds like really remote odds to me.
But as time has gone on we've found all kinds of different ways to induce Rowhammer attacks and some of them are more than fast enough to cause real-world damage. At the same time, we're running more and more of our programs on the cloud. With multiple containers and virtual machines (VMs) residing check to jowl with each other on the cloud, successful and damaging Rowhammer attacks are all too possible.
True, as we'll see, it takes a lot of technical expertise to pull off a Rowhammer attack. There's unlikely to ever be a script-kiddie Rowhammer attack kit. But I find it all too possible that we'll soon have to deal with a major Rowhammer security exploit.
Rowhammer: From theory to practice
Rowhammer attacks work by running a program repeatedly. Specifically, it targets a given row of memory cells. It then hammers them, hence the name, until an electrical charge leaks from the target row to an adjacent one. The leaked charge makes a bit in the adjacent row of RAM flip from one to zero or vice versa.
That "flip" may sound trivial ̶ what's one bit after all? ̶ however, it can be enough to get system administration, aka root, access. Google's team was able to create a Rowhammer exploit to gain kernel privileges on a laptop running 64-bit Linux from an unprivileged userland process. It did that by inducing bit flips in page table entries (PTEs). From there, the hacker gained write access to the computer's memory page table. That was enough to give the attacker read-write access to all of the physical memory. And, that was all she wrote. The target machine was now under the attacker's control.
This works because we put ever more memory in our computers by using smaller and smaller memory cells, which are in turn squeezed in closer together. This trend makes Rowhammer attacks more efficient because these packed in memory cells can more easily electrically interfere with each other.
Still, the odds are so high, surely this is more science fiction than security risk? At the very least, you'd need physical access to a computer to run such a memory intensive attack? Right? Right!? Wrong.
In August 2015, the Graz University of Technology's Daniel Gruss and associates found they could trigger Rowhammer faults by performing fast cache eviction on all architectures using ordinary memory accesses to evict data from the cache. In other words, they'd discovered a generic Rowhammer attack, which could be used on pretty much any architecture, programming language or operating system.
But, wait! There's more. The researchers built a Rowhammer exploit built on JavaScript. You can probably see where this is going. Since JavaScript is used in most modern web server pages, you can be subjected to a Rowhammer assault just by visiting a hostile website. Fun right?
But it didn't stop there, another exploit was quickly shown building on the first JavaScript exploit. This one revealed that a fully patched Windows 10 system using Microsoft Edge for its browser could be Rowhammered into submission. It also pointed out that when used against systems using memory deduplication, which is a popular way to place more VMs in physical memory, the assault is potentially more potent than ever.
Remember what also uses VMs all the time? The cloud. So, would it surprise you to learn that other researchers quickly found a way for attackers to induce bit flips using Rowhammer against memory deduplication in a fully controlled way?
Of course not. A group of security researchers in Vrije Universiteit created a nasty attack with the unlikely name Flip Feng Shui (FFS) could be used from one cloud-based VM to unauthorized access to a co-hosted victim VM running OpenSSH. Using FFS, they were able to break OpenSSH public-key authentication, and forge GPG signatures from trusted keys. Can you say compromised system? Sure you can.
Security developers weren't sitting idle. Various means to defend against potential Rowhammer attacks were explored. One of the most promising appeared to use already existing error-correcting code (ECC) memory to block Rowhammer. Well, it was a nice idea.
In 2018, a group of academic security researchers created a new attack technique: one-location hammering for breaking ECC memory. With one-location hammering instead of hammering multiple memory rows, an attacker hits one row so it's constantly kept open. With this technique ECC memory provided insufficient for true protection.
Adding insult to injury the researchers found it enabled them to flip bits in a predictable and targeted way in userspace binaries. Making it even more efficient, they exploited system-level optimizations and a side channel to coax the operating system into placing target pages at an attacker's chosen physical locations.
Oh, wait, there's even more. Finally, they found they could abuse Intel's Software Guard Extensions (SGX) to hide the attack entirely from the user and the operating system. With this they could both root systems and Rowhammer and cause denial-of-service (DoS) attacks.
At about the same time, researchers from Vrije Universiteit's VUSec research group found another way to crack ECC memory: ECCploit. They found that "ECC merely slows down the Rowhammer attack and is not enough to stop it."
Specifically, by reverse engineering ECC memory, they found if an attacker had direct access to the target, a computer could be busted in just over 30 minutes. That's reassuring, but by using a largely invisible silent side-channel attack, computers could still be cracked in a week. They expect the ECCploit technique to be used by dedicated attackers who first copy a victim's system using their own hardware. Then, using this "map" of their target, they can launch the attack with every assurance of success.
What else could go wrong? Well, in the latest ECC memory assault, researchers created RAMBleed. With this attack, researchers were able not to attack a system, but silently read data from within that computer's memory. Specifically, in their test case, they retrieved an RSA 2048-bit signing key from an OpenSSH server. Who needs to break encryption when you can just steal the key?
Other Dutch researchers discovered you don't even need to get an application running on a computer to hammer it. With this new kind of Rowhammer attack. Throwhammer ̶ clearly named by a Thor superhero fan ̶ "an attacker can trigger and exploit Rowhammer bit flips directly from a remote machine by only sending network packets."
The only good news here is you can't do this over an ordinary network. It only works over ultra-fast Remote Direct Memory Access (RDMA) networks. The bad news is that these are mostly used in Rowhammer's most valuable potential targets: Clouds and data centers.
Now as nasty as all these attacks are, they're still hard to actually pull off. It takes knowledge, a lot of time, and CPU power to pull off a Rowhammer attack. If only there were some way to speed up the act with a much faster processor, like, oh I don't know, say, high-speed Graphical Processor Units (GPUs).
Yes, you guessed it, GPUs work just as well at accelerating Rowhammer attacks as they do on video rendering, gaming and deep learning. Such an attack can also be made from JavaScript code running within the browser. How bad is it? Turns out you could conduct a "reliable GPU-based Rowhammer attack that compromises a browser on a phone in under two minutes."
Ugh.
Worse was to come. In 2019, a new Rowhammer attack called JackHammer emerged. A team of American and German academics were able to use that field-programmable gate array (FPGA), aka accelerators, to launch bigger, better and faster Rowhammer attacks.
FPGAs are customer configurable integrated circuits. They're very fast at specific jobs, such as cryptocurrency mining, media processing and artificial intelligence (AI). They can also successfully run Rowhamer attacks almost three-times faster than conventional CPUs with a higher success rate than ordinary Rowhammer attacks.
JackHammer is more successful than previous Rowhammer variants because FPGA cards connect directly to a processor's bus. This gives them direct access to memory, without having to cope with the system firmware or operating system.
Since FPGAs are increasingly being used on clouds, JackHammer looks to be especially dangerous. For example, in its proof of concept attack it was successful in breaking the WolfCrypt RSA implementation, which is part of the WolfSSL Library. The attackers were successful in recovering private keys used to secure SSL connections.
How to protect yourself from Rowhammer
Today, as far as we know, no one has successfully used Rowhammer to attack in the real world. But, then we wouldn't know, would we? By its very nature Rowhammer attacks are largely invisible, as they hide underneath the firmware, operating system and applications.
Sure, right now, Rowhammer attacks "appear" to be hard to pull off. But with so many different, and better ways to make them, if they're not already happening yet, they will be soon.
So, what can you do about it? While there's no perfect protection, there are some things you can do to shield yourself.
Intel suggests you use "DRAM modules resistant to Rowhammer style attacks." Intel, however, doesn't explain what these are in its security note. While it has been suggested that ECC and DDR4 memory chips are harder to exploit than other kinds of memory, it's been shown that both kinds of RAM are still vulnerable.
DDR4 memory can be made tougher to break by using Targeted Row Refresh (TRR). In this Intel-patented technique, when the memory controller detects a Rowhammer type attack happening, it sends a targeted refresh command to the targeted rows. It's based on the Joint Electron Design Engineering Council (JEDEC) TRR algorithm and it's available on most high-end modern memory controllers and chips. Older memory chips can be protected by using pseudo-TRR.
RAMBleed researcher Andrew Kwong noted that while "TRR makes it more difficult to find bit flips, not all DDR4 has TRR enabled, and implementations vary substantially by vendor, so it is difficult to pinpoint exactly how much safer TRR is against Rowhammer."
The RAMBleed team also remarked, "Memory manufacturers can help mitigate this issue by more rigorously testing for faulty DIMMs. Furthermore, publicly documenting vendor specific TRR implementations will facilitate a stronger development process as security researchers probe such implementations for weaknesses."
An even better way of protecting against Rowhammer is to simply increase your memory's refresh speed. This works by reducing the odds of an attacker inducing a RowHammer error before the RAM cells are refreshed. This has the advantage of being easy to do, but to protect all known vulnerable memory cells, you'd need to increase the refresh rate to 7.8 times the current rate. That's very expensive in terms of both energy and performance costs. Nevertheless, Apple, HP, Cisco, Lenovo, Oracle and IBM have all adopted this path in some of their servers.
There are also software approaches being developed to combat Rowhammer. These, such as ARMOR and ANVIL, propose software-based detection of Rowhammer attacks by monitoring memory. When an attack is detected, a TRR is invoked.
Encrypted memory techniques, such as SGX, ARM’s TrustZone and AMD’s Secure Encrypted Virtualization (SEV), can help block some Rowhammer attacks. But, a Rowhammer-induced memory flip may also halt the machine. This isn't much of a solution. But, if you encrypt your data anyway, and you're finding yourself having to constantly reboot your system for unknown reasons, you might want to check to see if you're under a Rowhammer attack.
Intel also recommends more basic security practices. These are listed in Security Best Practices For Side Channel Resistance and Guidelines For Mitigating Timing Side Channels Against Cryptographic Implementations. They're not Rowhammer specific, but they will help.
All you can really do is buy, or insist your data center or cloud provider buy, the best quality DD4 with TRR enabled. You should also arrange for them to set your machine's memory refresh rate to a high-enough value to keep you and your data safe.
Well, "safe" is a little much to ask for. While vendors insist that Rowhammer isn't that dangerous, I agree with security researchers Onur Mutlu and Jeremie S. Kim that "Rowhammer is a critical problem that manifests in the difficulties in DRAM scaling and is expected to only become worse in the future."
Related reading:
- Rowhammer variant RAMBleed allows attackers to steal secrets from RAM
- Hardware exploits may be a sign of threats to come
- Physical RAM attack can root Android and possibly other devices
- 37 hardware and firmware vulnerabilities: A guide to the threats