The Rowhammer exploit that lets unprivileged attackers corrupt or change data stored in vulnerable memory chips has evolved over the past four years to take on a range of malicious capabilities, including elevating system rights and breaking out of security sandboxes, rooting Android phones, and taking control of supposedly impregnable virtual machines. Now, researchers are unveiling a new attack that uses Rowhammer to extract cryptographic keys or other secrets stored in vulnerable DRAM modules.
Like the previous Rowhammer-based attacks, the new data-pilfering RAMBleed technique exploits the ever-shrinking dimensions of DRAM chips that store data a computer needs to carry out various tasks. Rowhammer attacks work by rapidly accessing—or hammering—physical rows inside vulnerable chips in ways that cause bits in neighboring rows to flip, meaning 1s turn to 0s and vice versa. The attacks work because as capacitors become closer together, they more quickly leak the electrical charges that store the bits. At one time, these bit flips were little more than an exotic crashing phenomenon that was known to be triggered only by cosmic rays. But when induced with surgical precision, as researchers have demonstrated over the past four years, Rowhammer can have potentially serious effects on the security of the devices that use the vulnerable chips.
A new side channel
RAMBleed takes Rowhammer in a new direction. Rather than using bit flips to alter sensitive data, the new technique exploits the hardware bug to extract sensitive data stored in memory regions that are off-limits to attackers. The attacks require only that the exploit hammers memory locations the exploit code already has permission to access. Whats more, the data extraction can work even when DRAM protected by error correcting code detects and reverses a malicious bit flip.
Besides opening a previously unknown side channel that allows attackers to deduce sensitive data, the attack also introduces new ways unprivileged exploit code can cause cryptographic keys or other secret data to load into the select DRAM rows that are susceptible to extraction. By combining the memory massaging techniques with this new side-channel attack, the researchers—from the University of Michigan, Graz University of Technology, and the University of Adelaide and Data61—were able to extract an RSA 2048-bit signing key from an OpenSSH server using only user-level permissions. In a research paper published on Tuesday, the researchers wrote:
Previous research mostly considers Rowhammer as a threat to data integrity, allowing an unprivileged attacker to modify data without accessing it. With RAMBleed, however, we show that Rowhammer effects also have implications on data confidentiality, allowing an unprivileged attacker to leverage Rowhammer-induced bit flips in order to read the value of neighboring bits. Furthermore, as not every bit in DRAM can be flipped via Rowhammer, we also present novel memory massaging techniques that aim to locate and subsequently exploit Rowhammer flippable bits. This enables the attacker to read otherwise inaccessible information such as secret key bits. Finally, as our techniques only require the attacker to allocate and deallocate memory and to measure instruction timings, RAMBleed allows an unprivileged attacker to read secret data using the default configuration of many systems (e.g., Ubuntu Linux), without requiring any special configurations (e.g., access to pagemap, huge pages, or memory deduplication).
While RAMBleed represents a new threat that hardware and software engineers will be forced to protect against, it seems unlikely that exploits will be carried out in real-world attacks any time soon. Thats because, like most other Rowhammer-based attacks, RAMBleed requires a fair amount of overhead and at least some luck. For determined attackers in the field today, there may be more reliable attacks that achieve the same purpose. While ordinary users shouldnt panic, RAMBleed and the previous attacks it builds on poses a longer-term threat, especially for users of low-cost commodity hardware.
How it works
The key extraction requires that attackers first locate flippable bits in the memory of a targeted computer. This phase required the researchers to spend 34 hours to locate the 84,000 bit flips required to extract the SSH key. The non-trivial investment of time and resources required to template the memory is partly offset by the fact that it can be carried out ahead of time, with only user permissions, and without the need to interact with the SSH app or its secrets or with any other targeted application or its secrets. After the researchers filtered out bits that were useless in extracting the key, they ended up with about 4,200 bits.
RAMBleed then uses a special memory massing technique to cause the SSH key to load into memory locations that have the potential to expose their contents. The goal was to achieve a layout similar to the one shown in the left figure below, which correspond to the 8KiB pages needed for two Rowhammer variations. The first uses double-sided accesses and the second single-sided accesses. While RAMBleed works best in the double-sided version, due to noise from other system activity, the memory configuration sometimes results in a single sided-case (right version in the below figure).
With that in place, RAMBleed hammers the A0 and A2 activation pages shown in the figure. The attack was able to recover 68 percent of the targeted SSH key, or about 4,200 key bits, at a rate of 0.31 bit per second, and with an accuracy rate of 82%. In an email, Andrew Kwong, one of the University of Michigan researchers who wrote the paper, explained:
It takes us almost four hours to complete the reading phase. We actually don't need the key to remain in memory for any long period of time; OpenSSH will allocate a new page containing the key every time the attacker makes an SSH connection to the victim. If we make two connections in parallel, there are then two copies of the key in memory, which we then use for hammering and to read a single bit. We then close those SSH connections, so that there are no copies of the key in memory. We repeat this process to read each bit. Thus, the key is only in memory for ~3 seconds at a time, and we can force the victim to bring the key back into memory by making an SSH connection. We carried out our attack on an Ubuntu installation with default settings, without any special configurations.
The researchers then ran the recovered bits through the Heninger-Shacham algorithm, which allows the recovery of RSA keys from partial information. The result: the researchers were able to achieve complete key recovery
The Rowhammer-enabled side-channel exploits a physical phenomenon in DRAM chips wherein the likelihood of bit flips depends on the values of bits immediately above and below it. That is, bits tend to flip to the same value of the bits in adjacent rows.
“The main observation behind RAMBleed is that bit flips depend not only on the bits orientation, i.e., whether it flips from 1 to 0 or from 0 to 1, but also on the values of neighboring bits,” the researchers reported in their paper. “Specifically, true bits tend to flip from 1 to 0 when the bits above and below them are 0, but not when the bits above and below them are 1. Similarly, anti bits tend to flip from 0 to 1 when the bits above and below them are 1, but not when the bits above and below them are 0.”
RAMBleed works by hammering the activation memory rows (A0 and A2 in the figure displayed above) of carefully arranged memory contents. The resulting bit flips allow the researchers to deduce the values of the secret bits. Repeating this procedure with bit flips at various offsets in the page allows the researchers to recover enough bits to construct the full key.
ECC is not an absolute defense
The researchers said RAMBleed is able to bypass ECC, or error-correcting code protections, built into some types of DRAM chips. When corrections occur, they happen in a predictable way that first corrects the error and then passes the corRead More – Source