Rowhammer variant RAMBleed allows attackers to steal secrets from RAM
Researchers have devised a new attack that allows unprivileged code running on computers to steal secrets, such as cryptographic keys, that are stored in what should be protected memory regions. The attack is possible because of a known design issue with modern DRAM chips that has been exploited in the past to modify protected data.
Dubbed RAMBleed, the new attack is the work of researchers Andrew Kwong and Daniel Genkin from the University of Michigan, Daniel Gruss from the Graz University of Technology and Yuval Yarom from University of Adelaide and Data61. Using the new technique, the researchers were able to extract an RSA 2048-bit signing key from an OpenSSH server using code running with user-level privileges.
Under Linux's security model, and that of most modern operating systems, this should not be possible because OpenSSH runs as a system service and its memory is isolated and protected from userspace applications, along with the kernel's memory. Any unauthorized violation of that security boundary is a serious vulnerability because many applications rely on the kernel to protect their secrets, such as encryption keys and passwords.
RAMBleed: Another hardware design flaw
RAMBleed is a variation of another attack called Rowhammer that has been known for several years and which exploits the increased cell density in DDR3 and DDR4 SDRAM memory chips. SDRAM chips store information as electric charges inside cells that are arranged in rows. A cell's charge or discharge state determines whether the value stored inside is a 1 or a 0, which represent bits.
Other researchers have determined in the past that repeated read operations of the same physical row of memory cells - dubbed hammering - could cause their electric charges to leak into adjacent rows, modifying the value of the cells in those rows. This is possible because in modern SDRAM chips the cells are very small and tightly packed together.
If achieved in a controlled manner, this "row hammering" effect and the resulting data modification can have security implications. Rowhammer attacks demonstrated so far can be used to achieve privilege escalation, break out of software sandboxes or crash systems.
While based on the same row hammering concept, RAMBleed is different because instead of modifying data, it uses a side-channel to extract data from other rows. In other words, RAMBleed is the first Rowhammer-type attack that affects the confidentiality of data stored in memory cells instead of its integrity.
The team of researchers behind RAMBleed proved that their attack works even against SDRAM chips that have error-correcting code (ECC) capabilities. ECC memory is typically used in servers and high-assurance systems and has been considered a defense against Rowhammer attacks until now. That's because even if the physical Rowhammer effect still happens, the corrected bits can't be used reliably for security exploits, but that was only true for data modification.
"Remarkably, RAMBleed can break memory confidentiality of ECC memory, even if all bit flips are successfully corrected by the ECC mechanism," the researchers wrote in their paper. "After profiling the target's memory, we show how RAMBleed can leak secrets stored within the target's physical memory, achieving a read speed of about three to four bits per second."
Kwong tells CSO that their attack was only tested and confirmed on DDR3 SDRAM so far, but that testing on DDR4 is being planned. The team has notified Intel, AMD, OpenSSH, Microsoft, Apple and Red Hat about their findings and the CVE-2019-0174 vulnerability identifier was assigned to the issue.
Past Rowhammer attacks have had variants that worked remotely through the browser or through network packets, but the RAMBleed attack, at least in it's proof-of-concept version, relies on code running on the local machine. That's not a big limitation, however, since local code execution can be achieved through malware infection or through a vulnerability in some other application and elevated privileges are not required for the attack to work.
According to Kwong, existing OS-level exploit mitigations like kernel address space layout randomization (KASLR) do not prevent the attack. However, individual software applications such as OpenSSH can use certain techniques to protect their secrets in memory and make them harder to steal, like adding buffers around them to make them larger.
"RAMBleed can bypass software-based integrity checks that might be applied to the target, such as using message authentication codes (MAC) to protect the target's data," the researchers said in their paper. "Moreover, techniques designed to protect cryptographic systems against fault attacks (such as Shamir's countermeasure) are also ineffective as they again protect the integrity of the cryptographic computation and not its confidentiality. Other software defenses, such as Brasser et al.'s memory partitioning scheme do not mitigate our attack, as we are not trying to read from kernel memory."
Intel released a security advisory about the vulnerability and rates it as low impact -- 3.8 on the CVSS scale -- at least as it relates to its processors and the way they handle memory. "For published exploits that Intel is aware of, Intel recommends users follow existing best practices including: The use of DRAM modules resistant to Rowhammer style attacks," the company said.
Red Hat has added the vulnerability to its knowledge base article on Rowhammer and cites several proposed hardware-based mitigations: Targeted Row Refresh (TRR), increased DRAM refresh intervals (doubled DRAM refresh rate) and use of ECC memory. "The extent to which these strategies may actually mitigate the problem varies and is hardware platform specific," the company said. "Vendors are anticipated to provide suitable platform specific guidance."
Ultimately, complete mitigation, just like with the recent vulnerabilities found in CPUs, will require hardware reengineering so they'll become available in future generations of SDRAM chips. But, there's no guarantee that other variations or improvements to this attack won't be discovered in the future. There's a common saying in the security community: Attacks always get better; never worse.
"I think we've only seen the tip of the iceberg giving how many hardware attacks have come out only over the past year, so there's likely more things to come," Kwong says. "The security research community has been probing at software for much longer and it's only recently that there's been a big interest in hardware, so we can expect to see a similar evolution in hardware security going forward."