The “Rowhammer” privilege-escalation vulnerability in DRAM devices is caused by a process called “bit flipping”. Bit flipping occurs when an attacker-controlled app or process accesses two carefully selected rows of memory hundreds of thousands of times in a tiny fraction of a second. By hammering the two “aggressor” memory regions, the exploit can reverse one or more bits in a third “victim” location.
When run on a machine vulnerable to the Rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It used this to gain write access to its own page table, and hence gained read-write access to all of physical memory.
DDR memory is laid out in an array of rows and columns, which are assigned in large blocks to various applications and operating system resources. To protect the integrity and security of the entire system, each large chunk of memory is contained in a “sandbox” that can be accessed only by a given app or OS process.
The bit-flipping technique should not be confused with buffer-overflow or use-after-free memory-corruption techniques, where an attacker funnels malicious shellcode into protected regions of the victim’s computer.
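To show why a single flipped bit in a PTE is so consequential (the page-table paragraph above), here is an added illustration that is not code from the cited papers or test tools: a constructed model of an x86-64 4-KiB page-table entry that classifies what a flip at each bit position does to a read-only user mapping. The PTE layout (present, writable, user, frame number in bits 12..51, NX in bit 63) is the standard one; the frame numbers are made up.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 4-KiB PTE fields used by this model (real layout, constructed example values). */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_WRITABLE (1ULL << 1)
#define PTE_USER     (1ULL << 2)
#define PTE_NX       (1ULL << 63)
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL   /* bits 12..51: physical frame number */

enum flip_effect { FLIP_IGNORED, FLIP_PRESENCE, FLIP_PERMISSION, FLIP_REMAP };

uint64_t pte_make(uint64_t pfn, uint64_t flags) { return ((pfn << 12) & PTE_PFN_MASK) | flags; }
uint64_t pte_pfn(uint64_t pte) { return (pte & PTE_PFN_MASK) >> 12; }

/* A Rowhammer-style disturbance: exactly one bit of the entry is inverted. */
uint64_t pte_flip_bit(uint64_t pte, unsigned bit) { return pte ^ (1ULL << bit); }

/* Classify the security effect of flipping `bit` in `pte`. */
enum flip_effect classify_flip(uint64_t pte, unsigned bit) {
    uint64_t flipped = pte_flip_bit(pte, bit);
    if ((pte ^ flipped) & PTE_PRESENT) return FLIP_PRESENCE;     /* mapping appears/vanishes */
    if (pte_pfn(pte) != pte_pfn(flipped)) return FLIP_REMAP;     /* page now backs a different frame */
    if ((pte ^ flipped) & (PTE_WRITABLE | PTE_USER | PTE_NX)) return FLIP_PERMISSION;
    return FLIP_IGNORED;  /* caching/accessed/dirty/software bits: not a boundary in this model */
}

/* Count how many of the 64 bit positions would silently remap the page. */
unsigned count_remap_bits(uint64_t pte) {
    unsigned n = 0;
    for (unsigned bit = 0; bit < 64; bit++)
        if (classify_flip(pte, bit) == FLIP_REMAP) n++;
    return n;
}

int main(void) {
    /* Constructed: a present, read-only, user-accessible, non-executable page on frame 0x1234. */
    uint64_t pte = pte_make(0x1234, PTE_PRESENT | PTE_USER | PTE_NX);
    printf("remap bits: %u, flip of bit 1 makes page writable: %s\n",
           count_remap_bits(pte),
           (pte_flip_bit(pte, 1) & PTE_WRITABLE) ? "yes" : "no");
    printf("flip of bit 12 moves frame 0x%llx -> 0x%llx\n",
           (unsigned long long)pte_pfn(pte), (unsigned long long)pte_pfn(pte_flip_bit(pte, 12)));
    return 0;
}
```

Forty of the sixty-four positions redirect the page to another physical frame, which is why a flip landing in a PTE can hand a process a mapping it was never granted.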
Test if your system is vulnerable:
- https://github.com/google/rowhammer-test
- https://code.google.com/p/google-security-research/issues/detail?id=284
- https://code.google.com/p/google-security-research/issues/detail?id=283
Sources:
http://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf
http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html