Yesterday, researchers from the Vrije Universiteit Amsterdam’s VUSec group announced that a new Rowhammer attack, known as ECCploit, bypasses the ECC protections built into several widely used models of DDR3 chips.
In their paper, titled ‘Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks’, the researchers write, “Many believed that Rowhammer on ECC memory, even if plausible in theory, is simply impractical. This paper shows this to be false: while harder, Rowhammer attacks are still a realistic threat even to modern ECC-equipped systems.”
The Rowhammer attack, discovered back in 2015, exploits an unfixable physical weakness in the silicon of certain types of memory chips to alter the data they store. As a defense against this attack, researchers developed an enhancement known as error-correcting code (ECC). ECC, present in higher-end chips, was believed to be an absolute defense against potentially disastrous bitflips that change 0s to 1s and vice versa.
“Rowhammer can flip bits in ways that have major consequences for security, for instance, by allowing an untrusted app to gain full administrative rights, breaking out of security sandboxes or virtual-machine hypervisors, or rooting devices running the vulnerable DIMM.”
Kaveh Razavi, one of the VUSec researchers who developed the exploit, said, “ECCploit shows for the first time that it is possible to mount practical Rowhammer attacks on vulnerable ECC DRAM.”

Working of ECC

ECC uses memory words that store redundant control bits next to the data bits inside the DIMMs. CPUs use these words to quickly detect and repair flipped bits. ECC was originally designed to protect against a naturally occurring phenomenon in which cosmic rays flip bits in newer DIMMs.
After Rowhammer’s appearance in 2015, ECC rose to popularity as arguably the most effective defense against the attack. ECC has limitations, however:
- ECC generally adds enough redundancy to repair a single bitflip in a 64-bit word.
- When two bitflips occur in a word, the error is detected but cannot be repaired, and the underlying program or process crashes.
- When three bitflips occur in the right places, ECC can be completely bypassed.
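The three cases above follow from how a single-error-correcting, double-error-detecting (SEC-DED) code behaves, and are easiest to see on a toy model. The code below is an added illustration, not code from the paper or from VUSec: it implements a textbook extended Hamming(72,64) code (64 data bits, 7 check bits, 1 overall parity bit), which is a constructed stand-in for the real controller encodings the researchers had to reverse-engineer, and then injects one, two and three faults into a stored word and reads it back through the decoder.

```python
"""Toy SEC-DED (extended Hamming 72,64) model of ECC DRAM under 1, 2 and 3 bitflips.

Constructed for illustration only: a real memory controller's code and bit layout
differ (the paper's whole point is that they are undocumented), but the three
outcomes below are properties of any SEC-DED code.
"""

DATA_BITS = 64
CODEWORD_LEN = 72                                   # 64 data + 7 check + 1 overall parity
CHECK_POSITIONS = [1 << i for i in range(7)]        # positions 1, 2, 4, ..., 64
DATA_POSITIONS = [p for p in range(1, CODEWORD_LEN) if p not in CHECK_POSITIONS]
assert len(DATA_POSITIONS) == DATA_BITS


def encode(word: int) -> list:
    """Return the 72-bit codeword as a list indexed by bit position (index 0 = overall parity)."""
    bits = [0] * CODEWORD_LEN
    for i, pos in enumerate(DATA_POSITIONS):
        bits[pos] = (word >> i) & 1
    for c in CHECK_POSITIONS:
        # Check bit c covers every data position whose binary index has bit c set.
        bits[c] = sum(bits[pos] for pos in DATA_POSITIONS if pos & c) & 1
    bits[0] = sum(bits[1:]) & 1                      # overall parity turns SEC into SEC-DED
    return bits


def decode(bits: list):
    """Return (data_word, status); status is 'ok', 'corrected' or 'uncorrectable'."""
    bits = list(bits)
    syndrome = 0
    for pos in range(1, CODEWORD_LEN):
        if bits[pos]:
            syndrome ^= pos                          # XOR of all set positions
    overall = sum(bits) & 1
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:
        # Odd number of flips: the decoder assumes exactly one and flips it back.
        # With three flips this "correction" silently leaves corrupted data in place.
        bits[syndrome] ^= 1
        status = "corrected"
    else:
        # Even number of flips (at least two): detected, not correctable.
        # A real controller raises a machine check here and the process or kernel dies.
        status = "uncorrectable"
    word = 0
    for i, pos in enumerate(DATA_POSITIONS):
        word |= bits[pos] << i
    return word, status


def simulate(word: int, flips) -> tuple:
    """Store `word`, flip the given codeword positions (an injected fault), read it back."""
    bits = encode(word)
    for pos in flips:
        bits[pos] ^= 1
    return decode(bits)


def silent_triple() -> tuple:
    """Find three data positions whose indices XOR to zero.

    Flipping all three leaves the syndrome at zero with odd overall parity, so the
    decoder 'corrects' the overall parity bit and returns the corrupted data as good.
    """
    for i, a in enumerate(DATA_POSITIONS):
        for b in DATA_POSITIONS[i + 1:]:
            c = a ^ b
            if c > b and c in DATA_POSITIONS:
                return (a, b, c)
    raise RuntimeError("no such triple")


if __name__ == "__main__":
    w = 0x0123456789ABCDEF                           # constructed sample word
    print("no fault      :", simulate(w, []))
    print("one flip      :", simulate(w, [3]))
    print("two flips     :", simulate(w, [3, 5]))
    print("three flips   :", simulate(w, silent_triple()), "from", silent_triple())
```

Running it shows the progression the list describes: one flip is repaired, two flips produce an uncorrectable error (the crash case), and the three positions returned by `silent_triple()` are accepted as a clean, "corrected" read even though three data bits have changed. The defensive takeaway is that a high rate of corrected single-bit errors on a DIMM is the observable precursor of the other two outcomes, so ECC correction counters are worth alerting on rather than treating as noise.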
According to Ars Technica, “The VUSec researchers spent months reverse-engineering the process, in part by using syringe needles to inject faults into chips and subjecting chips to a cold-boot attack. By extracting data stored inside the supercooled chips as they experienced the errors, the researchers were able to learn how computer memory controllers processed ECC control bits.”
The following video shows the researchers using the cold-boot technique.
The researchers thus demonstrated that ECC merely slows down the Rowhammer attack and is not enough to stop it. They tested ECCploit on four hardware platforms:
- AMD Opteron 6376 Bulldozer (15h)
- Intel Xeon E3-1270 v3 Haswell
- Intel Xeon E5-2650 v1 Sandy Bridge
- Intel Xeon E5-2620 v1 Sandy Bridge
They said they “tested several memory modules from different manufacturers”. They also confirmed that a significant number of Rowhammer bitflips occurred in a type of DIMM tested by a different team of researchers.

Are all DDR chips affected?

The researchers haven’t demonstrated that ECCploit works against ECC in DDR4 chips, a newer type of memory chip favored by higher-end cloud services. The paper also doesn’t show that ECCploit can penetrate hypervisors or secondary Rowhammer defenses. There’s also no indication that ECCploit works reliably against endpoints typically used in cloud environments such as AWS or Microsoft Azure.
To know more about this in detail, visit the Ars Technica blog.