Nethammer attack technique is the first truly remote Rowhammer attack that doesn’t require a single attacker-controlled line of code on the targeted system.
A few days ago security experts announced the first network-based remote Rowhammer attack, dubbed Throwhammer. The attack exploits a known vulnerability in DRAM through network cards using remote direct memory access (RDMA) channels.
Rowhammer is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows, this means that theoretically, an attacker can change any value of the bit in the memory.
The issue has been known at least since 2012, the first attack was demonstrated in 2015 by white hat hackers at Google Project Zero team.
To better understand the Rowhammer flaw, let’s remember that a DDR memory is arranged in an array of rows and columns. Blocks of memory are assigned to various services and applications. To avoid that an application accesses the memory space reserved by another application, it implements a “sandbox” protection mechanism.
Bit flipping technique caused by the Rowhammer problems could be exploited to evade the sandbox.
A separate group of security researchers has now demonstrated another network-based remote Rowhammer attack dubbed Nethammert, that leverages uncached memory or flush instruction while processing the network requests.
“Nethammer is the first truly remote Rowhammer attack, without a single attacker-controlled line of code on the targeted system. Systems that use uncached memory or flush instructions while handling network requests, e.g., for interaction with the network device, can be attacked using Nethammer” reads the research paper published by the experts.
The research team was composed of academics from the Graz University of Technology, the University of Michigan and Univ Rennes.
The Nethammer technique can be exploited by attackers to execute arbitrary code on the targeted system by rapidly writing and rewriting memory used for packet processing.
“We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. We evaluated different bit flip scenarios.” continues the paper.
“Depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, i.e., persistent denial of service.”
Data corruption resulting from the operations can be exploited by the attackers to gain control over the victim’s system.
“To mount a Rowhammer attack, memory accesses need to be directly served by the main memory. Thus, an attacker needs to make sure that the data is not stored in the cache.” continues the attacker.
“An attacker can use the unprivileged clflush instruction to invalidate the cache line or use uncached memory if available.”
The experts highlighted that caching makes the attack more difficult, so they devised some techniques to bypass the cache and direct access to the DRAM to cause the interference.
The experts successfully demonstrated three different cache bypasses for Nethammer technique:
- A kernel driver that flushes (and reloads) an address whenever a packet is received.
- Intel Xeon CPUs with Intel CAT for fast cache eviction
- Uncached memory on an ARM-based mobile device.
The experts observed a bit flip every 350 ms demonstrating that it is possible to hammer over the network if at least two memory accesses are served from main memory, they successfully induced the interference by sending a stream of UDP packets with up to 500 Mbit/s to the target system.
The Nethammer attack technique does not require any attack code differently from the original Rowhammer attack.
Unfortunately, any attack technique based on the Rowhammer attack is not possible to mitigate with software patched, to solve the issues, it is necessary to re-design the architecture of the flawed components, meantime threat actors can start exploiting the Rowhammer technique in the wild.
Further details on the Rowhammer attack are reported in my post titled “The Rowhammer: the Evolution of a Dangerous Attack”