Understanding the RAMBleed Exploit [cylance]
by CIRT Team
Side-channel attacks are some of the scariest exploits ever. They don’t usually exploit vulnerabilities in code, they exploit the fundamental implementation of computer systems themselves. Therefore, they’re often hardware-based.
Dynamic random-access memory, or DRAM for short, is one of the most common types of memory found in modern computers used by both consumers and businesses. For example, the memory in an x86-64 based PC, such as one based on an Intel Core i7 CPU, is typically DRAM. The same goes for the memory in popular devices like video game consoles. DRAM is frequently used in the computers we see every day because it can be made to be high-capacity for limited cost.
There’s one major physical problem with DRAM, and that’s the rowhammer vulnerability. Because of how DRAM (DDR) works, its individual memory cells can leak their charges and interact electrically between themselves.
Applications and specific operating system processes are authorized to access only certain parts of your computer’s memory. For example, my web browser is supposed to access some memory addresses, and the part of my operating system that executes new applications is supposed to access other memory addresses. Think of four poker players sitting at a table, and each player is only allowed to see what’s in their own hand. But if one of the poker players falls off of their chair and towards the table, they can also knock over one of their neighboring players and see which cards are in their hand. Very clever!
Dan Goodin did an excellent job of explaining rowhammer attacks a few years ago:
“DDR memory is laid out in an array of rows and columns, which are assigned in large blocks to various applications and operating system resources. To protect the integrity and security of the entire system, each large chunk of memory is contained in a ‘sandbox’ that can be accessed only by a given app or OS process. Bit flipping works when a hacker-developed app or process accesses two carefully selected rows of memory hundreds of thousands of times in a tiny fraction of a second. By hammering the two ‘aggressor’ memory regions, the exploit can reverse one or more bits in a third ‘victim’ location. In other words, selected zeros in the victim region will turn into ones or vice versa.
The ability to alter the contents of forbidden memory regions has far-reaching consequences. It can allow a user or application who has extremely limited system privileges to gain unfettered administrative control. From there, a hacker may be able to execute malicious code or hijack the operations of other users or software programs. Such elevation-of-privilege hacks are especially potent on servers available in data centers that are available to multiple customers.”
For more, click here.