Researchers take advantage of physical DDR3 memory shortcomings


Google researchers have managed to flip bits in memory on an x64 system with DDR3 memory by exploiting flaws in the physical memory itself. By repeatedly accessing certain locations in memory, adjacent bits can be ‘flipped’.

The attack can allow a process with normal user rights to gain write access to other, protected areas of memory, the researchers of Google’s Project Zero write. This would let an attacker with normal user rights, for example, gain root access, bypass a sandbox or even break out of a virtual machine.

The problem that the Google researchers exploit is not in software but in the physical memory. Because memory is manufactured at ever smaller scales and memory cells sit closer together, the electrical charge of bits in memory can ‘leak’ into adjacent bits. It had been known for some time that this was possible, but the Google researchers built two proof-of-concepts to show concretely how it can be abused. To do so, an attacker has to access memory tens of thousands of times in less than a second, which can cause adjacent bits to flip.

The researchers, who have named their attack Rowhammer, did their work on an x64 Linux system, but in principle the attack is not tied to any particular instruction set or operating system. They did rely on a specific x86 instruction, clflush, to bypass the cache and access memory directly tens of thousands of times, but similar instructions in other instruction sets would serve the same purpose.

The vulnerability is present in various DDR3 memory modules, although the Google researchers do not say which models and manufacturers are vulnerable. It is clear that DDR4 memory is not vulnerable, nor is memory with error correcting code. The researchers have released a tool that lets users test whether their PC is affected, although they warn that the test is not foolproof: if the tool reports that a PC is not affected, that does not mean the attack cannot be set up in some other way. They tested a number of laptops themselves, some of which were vulnerable. The researchers have not yet found any vulnerable desktops.
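As an added illustration of the mechanism described above and of the kind of self-test the researchers released (this is not their tool and not their code), the C program below fills a buffer with a known pattern, reads two addresses repeatedly with a clflush between accesses so each read is served by DRAM rather than the cache, and then counts bits that no longer match the pattern. It assumes a GCC/Clang build on x86 with `<emmintrin.h>`; the function names, buffer size and iteration count are my own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>                 /* _mm_clflush: the clflush instruction the article mentions */
#define FLUSH_LINE(p) _mm_clflush(p)
#else
#define FLUSH_LINE(p) ((void)(p))      /* no clflush on this ISA: reads will mostly hit the cache */
#endif

/* Read two addresses 'reads' times, evicting each from the cache after every
 * access so that the next read goes all the way to the DRAM rows. */
static void hammer_pair(volatile const uint8_t *a, volatile const uint8_t *b, unsigned long reads) {
    for (unsigned long i = 0; i < reads; i++) {
        (void)*a;
        (void)*b;
        FLUSH_LINE((const void *)a);
        FLUSH_LINE((const void *)b);
    }
}

/* Count bits in buf[0..len) that differ from the pattern it was filled with. */
size_t count_flipped_bits(const uint8_t *buf, size_t len, uint8_t pattern) {
    size_t flips = 0;
    for (size_t i = 0; i < len; i++)
        for (uint8_t d = (uint8_t)(buf[i] ^ pattern); d; d &= (uint8_t)(d - 1))
            flips++;
    return flips;
}

/* Fill 'bytes' of heap memory with 'pattern', hammer two addresses at opposite
 * ends of it, and return the number of flipped bits (-1 on allocation failure).
 * A thorough test sweeps many address pairs and both bit patterns; this is one round. */
long rowhammer_selftest(size_t bytes, unsigned long reads, uint8_t pattern) {
    uint8_t *buf = malloc(bytes);
    if (!buf || bytes < 2) { free(buf); return -1; }
    memset(buf, pattern, bytes);
    hammer_pair(buf, buf + bytes - 1, reads);
    long flips = (long)count_flipped_bits(buf, bytes, pattern);
    free(buf);
    return flips;
}

int main(void) {
    /* 64 MiB buffer, one million read pairs: a few seconds per round on real hardware. */
    long flips = rowhammer_selftest((size_t)64 << 20, 1000000UL, 0xFF);
    if (flips < 0) { fputs("allocation failed\n", stderr); return 2; }
    printf("flipped bits: %ld (0 does not prove the module is safe)\n", flips);
    return flips != 0;
}
```

As the article notes for the researchers' own tool, a result of zero flips is not proof of safety; it only means this address pair and pattern did not flip in this run.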

The researchers built two proof-of-concepts. The first was an exploit in Native Client, a part of Chrome that allows websites to run compiled code in the browser. The exploit managed to “break out” of the Native Client sandbox, giving it direct access to the operating system’s memory. This exploit has since been blocked, although it is unclear whether the fix has reached the stable version of Chrome yet.

In addition, the researchers created an exploit that runs as a normal x64 process but manages to gain higher privileges and thereby access to all of memory. According to the researchers, this problem is harder to solve on existing hardware. Replacing vulnerable DDR3 modules with unaffected memory does help.
