Two exploits developed by Google’s Project Zero allow an attacker to take over a system by targeting a physical weakness in DRAM memory
Security researchers at Google have published two proofs of concept that they say are capable of exploiting a physical weakness in commonly used DRAM memory units to gain elevated privileges to a computer system.
The exploits build on research published last year by Carnegie Mellon University and Intel Labs which detailed the weakness, known as the “rowhammer problem”, which is due to the inherent instability of DRAM memory and which Google said is accentuated by the ever-greater miniaturisation of memory units.
While the problem is relatively difficult to exploit for the time being, security experts said the issue could eventually have widespread consequences, in part because implementing a complete fix would require the replacement of billions of dollars of memory hardware.
“Historically, bugs like stack and heap overflows were once considered too random for hackers to predict, but which were then proven to be solidly predictable,” said Rob Graham, chief executive of Errata Security, in a blog post, adding that the rowhammer problem could also become widely exploitable with further development.
Google’s researchers exploited a weakness in commonly used DRAM memory that results from the inherently physically unstable nature of the capacitors out of which the memory is built. This issue means, for instance, that cosmic rays or ambient radiation can corrupt memory.
The rowhammer issue demonstrated last year showed that such memory corruption could be deliberately provoked by repeatedly accessing a given row of memory in a short space of time; this caused sufficient charge to leak from the row that it caused an adjacent row to “flip”, in other words for its value to change from a 1 to a 0, or vice-versa, according to the study.
Google’s researchers demonstrated a way to make use of this effect by targeting particular rows of memory that, when flipped, would allow its code to gain higher privileges. An attacker could use such an outcome to, for instance, run malicious code on a system with administrator privileges, Google said.
Hardware security concerns
Both exploits ran on a Linux laptop using x86-64 processors and a specific type of DDR3 memory, but Google said a variety of platforms are likely to be vulnerable. The memory used in laptops and some lower-end desktops is particularly vulnerable because it lacks the error-correction capabilities found in higher-end desktops and servers, according to the company.
One of the company’s exploits, developed by engineers Mark Seaborn and Thomas Dullien, operated as a module on Google’s own Chrome browser, using a feature called Native Client that allows the browser to run desktop code in a protected environment; the exploit allowed this code to escape the limits of this sandbox. Google said it has altered the Native Client feature to remove the instruction that allowed the exploit to work.
The second exploit runs directly as a Linux process, and gained access to all of the system’s physical memory; Google said this exploit would be more difficult to protect against. The exploits involve accessing particular rows of memory more than 540,000 times within 64 milliseconds.
Google said its research was intended in part to spur the computer hardware industry to be more open about vulnerabilities, and to improve its responsiveness in providing remedies for such bugs.
“Though the industry is less accustomed to hardware bugs than to software bugs, we would like to encourage hardware vendors to take the same approach: thoroughly analyse the security impact of ‘reliability’ issues, provide explanations of impact, offer mitigation strategies and — when possible — supply firmware or BIOS updates,” wrote Seaborn and Dullien in their blog post.
Are you a security pro? Try our quiz!