November 22, 2018 // 11 a.m.
Researchers from Vrije Universiteit Amsterdam have shown for the first time that the Rowhammer memory vulnerability, in which bit-flips are selectively triggered to corrupt protected memory locations and compromise the host system, can be extended to error correcting code (ECC) DRAM.
First published in 2014, the Rowhammer attack relies on a tendency of DRAM cells to flip bits - turning a 0 into a 1 or vice-versa - in one location when a nearby location is read from or written to repeatedly. Such flips are unusual during regular use, but researchers discovered that a malicious application could trigger them selectively and use them to alter memory in supposedly protected locations - eventually crashing or, worse, taking control of the host system.
Because it is a hardware issue, Rowhammer proved difficult to defend against, but for data centre and workstation users there was one mitigation: error correcting code (ECC) memory, which stores extra check bits alongside each word so that the memory controller can detect a flipped bit and restore it to its original state before the data is handed to the processor. 'Every time we gave a presentation about Rowhammer attacks, someone in the audience would ask: "But surely, ECC memory will stop this,"' explain the researchers who have now extended Rowhammer considerably. 'We now know the answer. "No."'
Dubbed ECCploit, the newly published attack combines Rowhammer with a timing side channel: 'Simply put: it will typically take measurably longer to read from a memory location where a bit-flip needs to be corrected, than it takes to read from an address where no correction was needed,' the team explains. 'Thus, we can try each bit in turn, until we find a word in which we could flip three bits that are vulnerable. The final step is then to make all three bits in the two locations different and hammer one final time, to flip all three bits in one go: mission accomplished.' Three bits are needed because the ECC code used on standard DIMMs corrects a single flipped bit per word and only detects a second one; a third flip in the same word is beyond what the code can recognise, so the corrupted word passes through as if it were valid.
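To make the one-, two- and three-flip behaviour concrete, here is an added example that is not part of the original article nor the VU researchers' code. It models SECDED (single-error-correct, double-error-detect) ECC with a textbook Hamming(12,8) code plus an overall parity bit over an 8-bit word; real DIMMs use a 72-bit code over 64 data bits, but the decoding outcomes are the same. The "vulnerable" bit positions and the stored values are constructed for the demonstration, and `hammer_three` is a hypothetical helper standing in for the final hammering step, not a real exploit primitive.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Toy SECDED model. Codeword layout (textbook Hamming(12,8) + overall parity):
 *   bit 0                    : overall parity over positions 0..12 (adds "DED")
 *   bits 1, 2, 4, 8          : Hamming parity bits
 *   bits 3,5,6,7,9,10,11,12  : the 8 data bits, in order
 */
#define HAMMING_LEN 12

enum ecc_status { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 };

static int is_pow2(unsigned x) { return x != 0 && (x & (x - 1)) == 0; }

/* XOR of the positions of all set bits in 1..12: zero for a valid codeword,
 * otherwise the position of a single flipped bit. */
static unsigned syndrome(uint32_t cw)
{
    unsigned s = 0;
    for (unsigned pos = 1; pos <= HAMMING_LEN; pos++)
        if ((cw >> pos) & 1) s ^= pos;
    return s;
}

/* Parity over all 13 bits: zero when the number of ones is even. */
static unsigned parity_all(uint32_t cw)
{
    unsigned p = 0;
    for (unsigned pos = 0; pos <= HAMMING_LEN; pos++)
        p ^= (cw >> pos) & 1;
    return p;
}

/* Pull the 8 data bits out of their non-power-of-two positions. */
static uint8_t extract_data(uint32_t cw)
{
    uint8_t data = 0;
    int bit = 0;
    for (unsigned pos = 1; pos <= HAMMING_LEN; pos++) {
        if (is_pow2(pos)) continue;
        if ((cw >> pos) & 1) data |= (uint8_t)(1u << bit);
        bit++;
    }
    return data;
}

uint32_t secded_encode(uint8_t data)
{
    uint32_t cw = 0;
    int bit = 0;
    for (unsigned pos = 1; pos <= HAMMING_LEN; pos++) {
        if (is_pow2(pos)) continue;
        if ((data >> bit) & 1) cw |= 1u << pos;
        bit++;
    }
    /* Set the Hamming parity bits so the syndrome of the whole word is zero. */
    unsigned s = syndrome(cw);
    for (unsigned k = 0; k < 4; k++)
        if ((s >> k) & 1) cw |= 1u << (1u << k);
    /* Overall parity bit makes the total number of ones even. */
    cw |= parity_all(cw);
    return cw;
}

/* Decode a stored word: *out is what the controller hands to the CPU and the
 * return value is what it would report about the read. */
enum ecc_status secded_decode(uint32_t cw, uint8_t *out)
{
    unsigned s = syndrome(cw);
    unsigned p = parity_all(cw);

    if (s == 0 && p == 0) {              /* fast path: nothing to fix */
        *out = extract_data(cw);
        return ECC_OK;
    }
    if (p == 1 && s <= HAMMING_LEN) {    /* odd number of flips: correct ONE bit */
        /* This slow path is the extra latency ECCploit measures. With three
         * flips the syndrome points at the wrong bit (or at bit 0 when s == 0),
         * so the "corrected" word is still corrupt and nobody is told. */
        cw ^= 1u << s;
        *out = extract_data(cw);
        return ECC_CORRECTED;
    }
    /* Even number of flips, or a syndrome outside the word: detected but not
     * fixable; a real controller raises a machine-check exception here. */
    *out = extract_data(cw);
    return ECC_UNCORRECTABLE;
}

/* Hypothetical helper modelling the final hammer: flip the three bits at
 * pos[0..2] in one word and see what the ECC logic makes of the result. */
enum ecc_status hammer_three(uint8_t data, const unsigned pos[3], uint8_t *out)
{
    uint32_t cw = secded_encode(data);
    for (int i = 0; i < 3; i++) cw ^= 1u << pos[i];
    return secded_decode(cw, out);
}

int main(void)
{
    uint8_t out;
    /* Constructed example: the three "vulnerable" bits are data positions
     * 3, 5 and 6 (data bits 0, 1, 2) of a word holding 0x00. */
    const unsigned vuln[3] = { 3, 5, 6 };
    for (int i = 0; i < 3; i++) {
        uint32_t cw = secded_encode(0x00) ^ (1u << vuln[i]);
        printf("single flip at %u: status %d, data 0x%02x\n",
               vuln[i], secded_decode(cw, &out), out);
    }
    printf("triple flip: status %d, data 0x%02x\n",
           hammer_three(0x00, vuln, &out), out);
    return 0;
}
```

Each single flip is reported as corrected and the data comes back intact, which is exactly the slow-path signal the attacker probes for bit by bit; flipping the same three bits together is also reported as "corrected", yet the word now reads 0x07 instead of 0x00. A double flip, by contrast, is flagged as uncorrectable, which is why the attack has to reach three.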
The exploit doesn't prove ECC entirely useless against Rowhammer-based attacks, though: the team admits that it significantly extends the time a successful exploitation takes, up to a full week when the attack has to rely on the timing side channel on a system with coarse-grained or noisy timing. ECC memory, combined with software that monitors the rate of corrected bit-flips and flags abnormal spikes, is therefore still recommended.