Towards the end of every week we generally take a bit of a gander and see what’s going on in the news… you know, keeps the focus. Anyway, last week I stumbled on something that made enough of an impression to warrant (some) further investigation. A site whose content we often share in our weekly roundup, BleepingComputer, published an article based on an academic paper put together by researchers from de Vrije University in Holland and the University of Cyprus. The paper discusses Rowhammer vulnerabilities and identifies a new type of attack they aptly named Throwhammer (more on that later).
First things first, what is a Rowhammer attack?
In their paper titled Throwhammer: Rowhammer Attacks over the Network and Defenses, the merry band of academics explain: “Rowhammer allows attackers to flip a bit in one physical memory location by aggressively reading (or writing) other locations (i.e. hammering). As bit flips occur at the physical level, they are beyond the control of the operating system and may well cross security domains. A Rowhammer attack requires the ability to hammer memory sufficiently fast to trigger bit flips in the victim.”
Basically, a Rowhammer attack kicks off by leaking memory addresses and then hammering a row of memory cells to induce 0/1 bit flips in nearby memory cells, subsequently modifying data stored inside a computer’s RAM.
As things currently stand, Rowhammer attacks are believed to be limited by the attacker’s need to obtain code execution on the victim machine, either by having (unprivileged) code execution on the victim machine or by luring the victim to a website that employs a malicious JavaScript application. The researchers took another stab at that assumption and explain how an attacker “can trigger and exploit Rowhammer bit flips directly from a remote machine by only sending network packets.”
Here’s How
Throwhammer “is made possible by increasingly fast, RDMA-enabled networks, which are in wide use in clouds and data centers. To demonstrate the new threat, we show how a malicious client can exploit Rowhammer bit flips to gain code execution on a remote key-value server application,” the paper explains.
RDMA or Remote Direct Memory Access exposes a computer’s memory directly over the network without involving the CPU and the machine’s OS, facilitating the processing of more packets than older network cards. RDMA-enabled network cards are common in large computer clusters, and especially cloud computing data centers. The research shows that Rowhammer attacks have become easier and more convenient to launch, because attackers can now bombard your network card with specially crafted packets, instead of taking the long way around.
So, how do you protect against Throwhammer?
Well, they wouldn’t be very good researchers if they didn’t come up with at least one solution, now would they?
“To counter this threat, we propose protecting unmodified applications with a new buffer allocator that is capable of fine-grained memory isolation in the DRAM address space. Using two real-world applications, we show that this defense is practical, self-contained, and can efficiently stop remote Rowhammer attacks by surgically isolating memory buffers that are exposed to untrusted network input.”
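The isolation idea in the quoted defense can be illustrated with a toy row-level model. This is an added example, not the researchers' allocator or code from the paper: it assumes a single bank with rows adjacent in index order and one guard row per side, and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Model (assumption): one bank, rows adjacent in index order, row-granular allocation. */
#define ROWS 64
enum owner { FREE = 0, TRUSTED, EXPOSED, GUARD };
static enum owner row_owner[ROWS];
void dram_reset(void) { memset(row_owner, 0, sizeof row_owner); }

/* Isolation-unaware allocation: take the first free row for `who`. */
int alloc_first_free(enum owner who) {
    for (int r = 0; r < ROWS; r++)
        if (row_owner[r] == FREE) { row_owner[r] = who; return r; }
    return -1;
}

/* Isolated allocation for network-exposed buffers: n consecutive free rows
 * with one guard row on each side (an existing guard row may be shared). */
int alloc_exposed_rows(int n) {
    if (n < 1) return -1;
    for (int start = 1; start + n < ROWS; start++) {
        int ok = 1;
        for (int r = start - 1; r <= start + n && ok; r++) {
            int edge = (r == start - 1 || r == start + n);
            ok = row_owner[r] == FREE || (edge && row_owner[r] == GUARD);
        }
        if (!ok) continue;
        row_owner[start - 1] = row_owner[start + n] = GUARD;
        for (int r = start; r < start + n; r++) row_owner[r] = EXPOSED;
        return start;
    }
    return -1;
}

/* Audit: trusted rows that sit directly next to an exposed row. */
int count_trusted_next_to_exposed(void) {
    int bad = 0;
    for (int r = 0; r < ROWS; r++)
        if (row_owner[r] == TRUSTED && ((r > 0 && row_owner[r - 1] == EXPOSED) ||
                                        (r + 1 < ROWS && row_owner[r + 1] == EXPOSED)))
            bad++;
    return bad;
}
int main(void) {
    dram_reset();  /* layout 1: exposed buffer placed like any other allocation */
    alloc_first_free(TRUSTED); alloc_first_free(EXPOSED); alloc_first_free(TRUSTED);
    printf("naive layout: %d trusted rows at risk\n", count_trusted_next_to_exposed());
    dram_reset();  /* layout 2: exposed buffer fenced off by guard rows */
    alloc_first_free(TRUSTED); alloc_exposed_rows(2); alloc_first_free(TRUSTED);
    printf("isolated layout: %d trusted rows at risk\n", count_trusted_next_to_exposed());
    return 0;
}
```

In this model the guard rows hold no data, so any bit flips induced by hammering the exposed rows land in memory nothing depends on.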
Rowhammer can no longer be seen as just a bug that allows attackers to execute code on another machine in order to augment their own privileges. The fact that Throwhammer attacks can be executed on remote machines from across the network highlights the diversity of cybersecurity threats and the need to keep innovating to counter them.