A team of researchers from several universities has disclosed the details of a new type of side-channel attack. With RAMBleed they show that Rowhammer-style side-channel attacks can be used to read protected memory. RAMBleed takes Rowhammer in a new direction: rather than using bit flips to alter sensitive data, the new technique exploits the hardware bug to extract sensitive data stored in memory regions that are off-limits to attackers. The RAMBleed technique exploits the ever-shrinking dimensions of DRAM chips.
RAMBleed attacks work against devices that use DDR3 and DDR4 memory modules. It does not work against the older DDR1 and DDR2 memory found in old PCs and many embedded systems. The RAMBleed side-channel attack works even when DRAM is protected by error-correcting code: unlike Rowhammer, RAMBleed does not require persistent bit flips, and is thus effective against the ECC memory commonly used in servers.
The attack is currently possible on some vulnerable Linux systems. The researchers found a way to abuse the Linux buddy allocator to allocate a large block of memory at consecutive physical addresses, on which they could orchestrate their attack. They designed a new mechanism, which they call “Frame Feng Shui,” for placing victim program pages at a desired location in physical memory. They also developed a new method of arranging data in memory and hammering memory rows to infer what data is located in nearby memory cells, rather than merely producing a bit flip from 0 to 1 or vice versa.
The researchers were able to steal a 2048-bit RSA key (in this case an SSH key, but it could have been any cryptographic key). RAMBleed can potentially read any data stored in memory.
Oracle has released an advisory for RAMBleed and other vendors will likely do the same. Users can mitigate their risk by upgrading their memory to DDR4 with targeted row refresh (TRR) enabled. While Rowhammer-induced bit flips have been demonstrated on TRR memory, they are harder to accomplish in practice. This does not completely block Rowhammer attacks, but it does make them much more difficult – hopefully difficult enough not to be an issue. Oracle does not believe that additional software patches will need to be produced to address the RAMBleed issues.
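As an added illustration of the upgrade advice above (this is not code from the researchers or from Oracle), the script below triages the modules reported by `dmidecode -t memory` into "in scope" (DDR3/DDR4) and "not affected" (DDR1/DDR2) and notes that ECC is not a mitigation. It assumes the standard dmidecode field names, runs on a constructed sample, and cannot detect TRR, which DMI does not expose.

```python
# Constructed, abridged `dmidecode -t memory` output (Handle lines omitted) for offline use.
SAMPLE_DMIDECODE = """\
Physical Memory Array
\tError Correction Type: Multi-bit ECC

Memory Device
\tSize: 8192 MB
\tLocator: DIMM_A1
\tType: DDR3

Memory Device
\tSize: No Module Installed
\tLocator: DIMM_A2
\tType: Unknown

Memory Device
\tSize: 8192 MB
\tLocator: DIMM_B1
\tType: DDR4
"""

VERDICTS = {
    "DDR3": "affected: replace with DDR4 modules that have TRR enabled",
    "DDR4": "affected unless TRR is on; DMI does not expose TRR, confirm with the vendor",
    "DDR": "not affected per the disclosure", "DDR2": "not affected per the disclosure",
}

def assess_memory(text):
    """Return {'ecc': bool, 'slots': {locator: verdict}}; empty slots are skipped."""
    result = {"ecc": False, "slots": {}}
    for block in text.strip().split("\n\n"):
        # Real dmidecode prefixes each block with a "Handle ..." line; drop it.
        lines = [ln.strip() for ln in block.splitlines() if not ln.startswith("Handle ")]
        if not lines:
            continue
        fields = {k.strip(): v.strip() for k, _, v in (ln.partition(":") for ln in lines[1:])}
        if lines[0] == "Physical Memory Array":
            result["ecc"] = "ECC" in fields.get("Error Correction Type", "")
        elif lines[0] == "Memory Device" and fields.get("Size", "").endswith((" MB", " GB")):
            mtype = fields.get("Type", "Unknown")
            result["slots"][fields.get("Locator", "?")] = VERDICTS.get(
                mtype, f"{mtype}: unknown type, review manually")
    return result

if __name__ == "__main__":
    report = assess_memory(SAMPLE_DMIDECODE)
    for slot, verdict in report["slots"].items():
        print(f"{slot}: {verdict}")
    print("ECC present, but ECC does not stop RAMBleed" if report["ecc"] else "no ECC")
```

To run it against a real host, replace `SAMPLE_DMIDECODE` with the output of `sudo dmidecode -t memory`.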
Is there a CVE number? Yes, see CVE-2019-0174.