A new side-channel attack against dynamic random-access memory (DRAM) has been disclosed. The attack, dubbed RAMBleed, allows an unprivileged program to read sensitive memory contents belonging to other processes running on the same hardware.
RAMBleed has been assigned CVE-2019-0174. It builds on Rowhammer, a previously known DRAM fault that has been exploited in several variants over the years.
CVE-2019-0174: RAMBleed Description
The Rowhammer bug is a reliability issue in DRAM cells that can enable an unprivileged adversary to flip the values of bits in neighboring rows on the memory module. Previous work has exploited this for various types of fault attacks across security boundaries, where the attacker flips inaccessible bits, often resulting in privilege escalation. It is widely assumed, however, that bit flips within the adversary's own private memory have no security implications, as the attacker can already modify its private memory via regular write operations.
A team of researchers from the University of Michigan, Graz University of Technology, the University of Adelaide and Data61 demonstrates that this assumption is incorrect by using Rowhammer as a read side channel. Their paper is titled "RAMBleed: Reading Bits in Memory Without Accessing Them".
The researchers’ work reveals how an unprivileged threat actor can exploit the data dependence between Rowhammer-induced bit flips and the bits in nearby rows to deduce these bits, including values that belong to other processes as well as the kernel.
In short, Rowhammer is a fault attack in which the attacker issues a specific sequence of memory accesses that results in bit flips (changes to bit values) in locations other than those accessed. Because the attacker does not directly access the changed memory location, the change is not visible to the processor or the operating system and is not subject to any permission checks, the researchers said.
With RAMBleed, however, it is now clear that Rowhammer also affects data confidentiality: an unprivileged attacker can leverage Rowhammer-induced bit flips to read the value of nearby bits.
Furthermore, as not every bit in DRAM can be flipped via Rowhammer, the researchers "also present novel memory massaging techniques that aim to locate and subsequently exploit Rowhammer flippable bits. This enables the attacker to read otherwise inaccessible information such as secret key bits".
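To make the read primitive concrete, here is an added C model of the two phases just described: profiling the attacker's own sampling row for flippable cells, then hammering again once a victim's secret occupies the neighbouring rows and inferring that secret from whether the attacker's own cell flips. This is illustration code written for this page, not the researchers' tooling, and it does not touch real DRAM: the physical hammering is replaced by a simplified data-dependence rule (a weak cell holding 1 flips to 0 only when both neighbouring aggressor-row cells hold 0), the weak-cell positions and secret bits are constructed, it is assumed that the same secret bit lands in both rows adjacent to a profiled column, and all function and type names (`bank`, `hammer`, `profile_flippable`, `victim_store_secret`, `leak_bit`, `attacker_leak`) are my own. The attacker-side functions never read the aggressor rows; that restriction is the whole point of the side channel.

```c
/* Model of the RAMBleed read primitive (added example, not the paper's code).
 * A tiny DRAM bank: an aggressor row above, a sampling row the attacker owns,
 * and an aggressor row below. Hammering is replaced by a data-dependent flip
 * rule; the attacker only ever reads its own sampling row. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COLS 16
enum { ABOVE = 0, SAMPLING = 1, BELOW = 2, ROWS = 3 };

struct bank {
    uint8_t bit[ROWS][COLS];   /* cell contents */
    uint8_t weak[COLS];        /* constructed: which sampling-row cells can flip */
};

/* Stand-in for double-sided hammering of rows ABOVE and BELOW.
 * Simplified rule (the striped pattern the attack relies on): a weak sampling
 * cell holding 1 flips to 0 only when both neighbours in the aggressor rows
 * hold 0. Returns the number of cells that flipped. */
static int hammer(struct bank *b)
{
    int flips = 0;
    for (int c = 0; c < COLS; c++) {
        if (b->weak[c] && b->bit[SAMPLING][c] == 1 &&
            b->bit[ABOVE][c] == 0 && b->bit[BELOW][c] == 0) {
            b->bit[SAMPLING][c] = 0;
            flips++;
        }
    }
    return flips;
}

/* Profiling: while the attacker still owns all three rows, write the
 * flip-friendly pattern (0 above and below, 1 in the middle), hammer, and
 * record the columns that flipped. Returns the count; columns go to out[]. */
static int profile_flippable(struct bank *b, int *out, int max)
{
    memset(b->bit[ABOVE], 0, COLS);
    memset(b->bit[BELOW], 0, COLS);
    memset(b->bit[SAMPLING], 1, COLS);
    hammer(b);
    int n = 0;
    for (int c = 0; c < COLS && n < max; c++)
        if (b->bit[SAMPLING][c] == 0)
            out[n++] = c;
    return n;
}

/* Victim side: after the attacker releases the aggressor rows, the victim's
 * allocation lands there and its secret bits occupy the profiled columns
 * (assumed identical in both neighbouring rows). This stands in for the
 * outcome of memory massaging, which the model does not reproduce. */
static void victim_store_secret(struct bank *b, const int *cols, int n,
                                const uint8_t *secret)
{
    for (int i = 0; i < n; i++) {
        b->bit[ABOVE][cols[i]] = secret[i];
        b->bit[BELOW][cols[i]] = secret[i];
    }
}

/* Attacker side: set the sampling cell to 1, hammer, read back its own cell.
 * A flip means the neighbours held 0; no flip means they held 1.
 * Nothing here reads bit[ABOVE] or bit[BELOW]. */
static int leak_bit(struct bank *b, int col)
{
    b->bit[SAMPLING][col] = 1;
    hammer(b);
    return b->bit[SAMPLING][col] == 1;
}

static int attacker_leak(struct bank *b, const int *cols, int n, uint8_t *out)
{
    for (int i = 0; i < n; i++)
        out[i] = (uint8_t)leak_bit(b, cols[i]);
    return n;
}

/* End-to-end run on a constructed bank; returns 1 if every bit was recovered. */
static int demo(void)
{
    struct bank b;
    memset(&b, 0, sizeof b);
    const int weak_cols[] = { 2, 5, 7, 11 };          /* constructed weak cells */
    for (size_t i = 0; i < sizeof weak_cols / sizeof *weak_cols; i++)
        b.weak[weak_cols[i]] = 1;

    int cols[COLS];
    int n = profile_flippable(&b, cols, COLS);        /* attacker finds 4 cells */

    const uint8_t secret[] = { 1, 0, 1, 0 };          /* constructed victim bits */
    victim_store_secret(&b, cols, n, secret);

    uint8_t leaked[COLS];
    attacker_leak(&b, cols, n, leaked);
    for (int i = 0; i < n; i++)
        printf("column %2d -> leaked bit %d\n", cols[i], leaked[i]);
    return n == 4 && memcmp(leaked, secret, 4) == 0;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The model also shows why profiling has to come first: a cell that is not flippable never changes, so `leak_bit` on it reports 1 whatever the neighbours hold and carries no information. On real hardware the rule is probabilistic and the aggressor rows are activated by a tight loop of uncached accesses to the attacker's own pages in those rows; the confidentiality break comes purely from reading the attacker's own sampling page afterwards, as here.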
Moreover, RAMBleed allows an unprivileged attacker to read secret data on the default configuration of a range of systems, such as Ubuntu Linux, without requiring any special configuration.
Full technical disclosure of CVE-2019-0174 is available in the original paper.