Rowhammer-based RAMBleed exploit lets hackers steal data from memory

Security researchers have revealed an exploit that can be used by hackers to steal data from DRAM, even if ECC protection is in place. RAMBleed is a Rowhammer-based attack that can also be used to alter data and increase privilege levels.

Taking advantage of the design of modern memory chips, a Rowhamer attack works by "hammering" the physical rows of data in quick succession causing bit-flipping in neighboring rows. RAMBleed takes this in a different direction, using a similar technique to access data stored in physical memory.

See also:

• VLC 3.0.7 includes more security fixes than ever thanks to the European Commission
• Google recalls Bluetooth version of Titan Security Key after discovering hacking vulnerability
• Update your Dell computer now to avoid RCE security vulnerability in SupportAssist tool

A team of researchers from the US, Australia and Austria describe RAMBleed as "reading bits in memory without accessing them", going on to say: "RAMBleed is a side-channel attack that enables an attacker to read out physical memory belonging to other processes. The implications of violating arbitrary privilege boundaries are numerous, and vary in severity based on the other software running on the target machine. As an example, in our paper we demonstrate an attack against OpenSSH in which we use RAMBleed to leak a 2048 bit RSA key. However, RAMBleed can be used for reading other data as well".

The team adds:

RAMBleed is based on a previous side channel called Rowhammer, which enables an attacker to flip bits in the memory space of other processes. We show in our paper that an attacker, by observing Rowhammer-induced bit flips in her own memory, can deduce the values in nearby DRAM rows. Thus, RAMBleed shifts Rowhammer from being a threat not only to integrity, but confidentiality as well. Furthermore, unlike Rowhammer, RAMBleed does not require persistent bit flips, and is thus effective against ECC memory commonly used by server computers.

Explaining how the technique works, the researchers say:

Rowhammer induced bit flips are data dependent, i.e. a bit is more likely to flip when the bits above and below it have the opposite charge. This creates a data-dependent side channel, wherein an attacker can deduce the values of bits in nearby rows by observing bit flips in her own memory rows. Finally, as the data in nearby rows might belong to a different process, this leakage breaks the isolation boundaries enforced by the operating system.

To exploit this effect, we developed novel memory massaging techniques to carefully place the victim's secret data in the rows above and below the attacker's memory row. This causes the bit flips in the attacker's rows to depend on the values of the victim's secret data. The attacker can then use Rowhammer to induce bit flips in her own memory, thereby leaking the victim's secret data.

It is not thought that RAMBleed has ever been exploited in the wild, but the researchers say that the way to mitigate the risk of attack is to upgrade to DDR4 memory with targeted row refresh (TRR) enabled.

Read more about RAMBleed at rambleed.com.