Throwhammer

Packets over a LAN are all it takes to trigger serious Rowhammer bit flips

The bar for exploiting potentially serious DDR weakness keeps getting lower.

Researchers used a network card like this one in a Rowhammer attack that needed only packets sent over a LAN to work. (Image credit: Mellanox)

For the first time, researchers have exploited the Rowhammer memory-chip weakness using nothing more than network packets sent over a local area network. The advance is likely to further lower the bar for triggering bit flips that change critical pieces of data stored on vulnerable computers and servers.

Until now, Rowhammer exploits had to execute code on targeted machines. That hurdle required attackers to either sneak the unprivileged code onto the machines or lure end users to a website that hosted malicious JavaScript. In a paper published Thursday, researchers at the Vrije Universiteit Amsterdam and the University of Cyprus showed that standard packets sent over networks used by many cloud services, universities, and others were sufficient. The secret to the new technique: increasingly fast network speeds that allow hackers to send specially designed packets in rapid succession.

"Thus far, Rowhammer has been commonly perceived as a dangerous hardware bug that allows attackers capable of executing code on a machine to escalate their privileges," the researchers wrote. "In this paper, we have shown that Rowhammer is much more dangerous and also allows for remote attacks in practical settings. We show that even at relatively modest network speeds of 10Gbps, it is possible to flip bits in a victim machine from across the network."

The researchers' proof-of-concept exploit—which they dubbed Throwhammer—worked against a Memcached server, a distributed memory caching system many websites use to improve performance by reducing the number of times data is pulled from databases or other sources. By obtaining read and write privileges over the server's address space, the attack had the ability to execute code of the researchers' choice, at least when running on memory chips that don't protect against malicious bit flips.

To deliver the packet-only exploit, Throwhammer relies on a technology known as remote direct memory access offered by some of the faster network cards. RDMA allows devices to read or write large amounts of data from or to the memory of another device without involving their CPUs, caches, or other resources. In such cases, an application directly designates space inside the network card to store packets.

Throwhammer works by registering a large amount of memory space called a buffer on the network card of the targeted device. The exploit then uses an attacking machine to request data from various, specially designated buffer locations in rapid succession. The result is the ability to perform highly precise, double-sided Rowhammer attacks similar to previous Rowhammer.js and Flip Feng Shui techniques.

The breakthrough has the potential to drastically increase the threat posed by Rowhammer exploits. In an email, Kaveh Razavi, one of the Throwhammer researchers, wrote:

Imagine an attacker has either rented or compromised a system inside the network. Assuming RDMA support and an RDMA application on the server, Throwhammer can potentially exploit the application by triggering bit flips. This changes the threat model from requiring the attacker to have code execution on the victim (through JavaScript or natively) to merely being able to send network packets to an open port.

Effect on cloud and commodity services

For ethical and legal reasons, the researchers didn't test Throwhammer on commercial cloud services, many of which use error-correcting code (ECC) memory and other mitigations designed to prevent Rowhammer exploits from working. Razavi said the protections would likely make it much harder for Throwhammer, as it's designed now, to work. But he said it remains unclear how much of a hindrance ECC ultimately will pose for Rowhammer.

Beyond that, Razavi said that Throwhammer raises concerns about commodity 10Gbps networks, which the research shows are fast enough to trigger bit flips.

"My workstation and occasionally laptop (without ECC memory) are connected to such a network through the university LAN," Razavi said. "Exploitation will be harder due to lack of RDMA support though. Remember that for Rowhammer to work, we need to be able to force the system to access two desired memory locations in rapid succession. RDMA makes this part easy, but we think it is a matter of time until [a] more advanced version of our attack relaxes this requirement."

Like most of the Rowhammer exploits demonstrated so far, Throwhammer doesn't pose an immediate threat, mostly because it's too experimental to be used actively and reliably in the wild and also because there are easier ways for malicious hackers to exploit computers. Still, the class of attack may one day pose a significant threat, in part because the only way to fix vulnerable systems is to replace the memory chips they use. For that reason, software and hardware developers should carefully study the research now.

The paper, titled "Throwhammer: Rowhammer Attacks over the Network and Defenses," proposes a practical way to prevent Throwhammer attacks. It works by isolating vulnerable RDMA buffers. Throwhammer will be presented at the 2018 USENIX Annual Technical Conference in July.
