
By Shannon Morse, Threatwire 

Rowhammer was a 2015 flaw in which repeatedly accessing rows of memory cells in DRAM could introduce bit flips, meaning a cell would flip from one state to another. The bit flips would happen in adjacent rows too, not just the one being hammered. This could allow an attacker to carry out privilege escalation attacks and device takeovers. Since then, Rowhammer has been used as the basis for a series of attacks, most recently one discovered in a combined effort by researchers from the University of Michigan, the University of Adelaide, and Graz University of Technology. This new attack, dubbed RAMBleed, allows an attacker to read memory data without ever accessing that memory itself. It’s a side-channel attack that lets an attacker read out physical memory belonging to other processes. The researchers do not believe it has been used in the wild as of this time.

RAMBleed, tracked as CVE-2019-0174, reads the bits of data that ‘bleed’ from the RAM while Rowhammer is causing bit flips in the memory, by determining the values held in nearby DRAM rows in the physical memory of the victim computer. Bit flips in one channel cause the data in side channels to also flip, and if the data in those side channels belongs to different processes, the operating system will leak data from those RAM modules.

While Rowhammer caused issues with the integrity of a machine, RAMBleed causes problems with confidentiality. Since it reads a side channel, it doesn’t require the bit flips to be persistent. An attacker would just need to know that a bit flip occurred at some point in order to then look for a leak of data.

While the actual implications vary because they depend on what kind of software is running on a target machine (which determines what kind of data an attacker could gain access to), the researchers included a proof of concept in which they were able to carry out an end-to-end attack to read the target’s 2048-bit OpenSSH RSA key. This does not mean that OpenSSH keys themselves are vulnerable; it means that a local attacker could use RAMBleed to access almost any data stored in the memory of a computer.

The researchers explain that this can be used even against ECC memory, which is popular amongst many manufacturers. It affects DDR3 and DDR4 (although if you have TRR, targeted row refresh, enabled, the process is tougher to accomplish), and it affects mobile devices, laptops, servers, and desktops alike.

The researchers’ paper is linked below, and they recommend mitigating these techniques by upgrading to DDR4 with TRR enabled (since it’s harder to hack than DDR3, or DDR4 without targeted row refresh enabled). They also recommend that manufacturers test for this issue and publicly document their TRR implementations. Since the attack requires local access, the vulnerability is considered low-severity.

https://www.youtube.com/shannonmorse -- subscribe to my new channel!

Links:

https://access.redhat.com/articles/1377393 

https://rambleed.com/

https://rambleed.com/docs/20190603-rambleed-web.pdf 

https://arstechnica.com/information-technology/2019/06/researchers-use-rowhammer-bitflips-to-steal-2048-bit-crypto-key/ 

https://threatpost.com/rambleed-side-channel-privileged-memory/145629/ 

https://thehackernews.com/2019/06/rambleed-dram-attack.html


Comments

Anonymous

Tom, is there anything we could do to boost the volume on these Threatwire segments? I love the content, and all Shannon does in general, but I have to crank the volume on these most weeks and then get blasted by volume when the regular DTNS resumes afterwards.