The hardware-level attack technique called "Rowhammer" has fascinated and worried the cybersecurity community for years now, because it combines digital and physical hacking in ways that are both novel and hard to account for. Since its discovery, researchers have steadily refined the attack, and expanded the array of targets it works against. Now, researchers have significantly increased the scope of the potential threat to include critical devices like servers and routers—even when they have components that were specifically thought to be immune.
Rowhammer attacks are fiendishly technical. They involve repeatedly accessing a "row" of cells in a computer's memory chip, over and over. The idea is to "hammer" that row until it leaks some electrical charge into the adjacent row. That leakage can cause a bit in the target row to "flip" from one value to the other, slightly altering the data stored in memory. A skilled Rowhammer attacker can then start to exploit these tiny data changes to gain more system access. See? It's pretty bonkers.
Previously, Rowhammer was understood to impact typical random access memory used in many off-the-shelf computers. Rowhammer has also been shown to threaten the memory in Android phones. But on Wednesday, researchers in the VUSec research group at Vrije Universiteit in Amsterdam published details of a next-generation Rowhammer ambush that can target what's known as "error-correcting code" memory. ECC memory was previously thought to preempt Rowhammer's data manipulations, because it has redundancies and self-correcting mechanisms that deal with data corruption. ECC memory is used in systems that need exceptional reliability and can't tolerate inaccuracies, like financial platforms.
The researchers note that ECC memory really did defeat past versions of Rowhammer attacks, but in studying ECC implementations they found that they could finesse established Rowhammer methods to work against ECC as well. As with all Rowhammer work, the ECC attack is difficult to defend against without literally redesigning and replacing memory chips.
"ECC is not really completely broken; it still gets you reliability," says Lucian Cojocar, one of the Vrije researchers who participated in the work. "Even our group reports several possible software defenses. But we've found that the normal Rowhammer attack is reproducible for ECC. It’s not really that straightforward how to mitigate it."
Flips and Bits
The difficulty in hacking ECC is finding a way around the memory's built-in defenses. The first step of any Rowhammer attack is a reconnaissance phase called "templating," during which an attacker quietly probes to identify which bits will be flippable before regrouping to actually initiate the changes. ECC memory makes templating harder, because if an attacker flips one bit the system will automatically change it back, making it difficult to detect the vulnerable bit's location. And if the attacker instead flips two bits, the memory will crash the program. But the VUSec researchers found that if they flip three bits simultaneously, ECC won't spot the change.
The challenge then becomes tracking which bits are flippable, when ECC memory corrects them so quickly. But the researchers discovered an unintended indicator: The time it takes to access a memory location in which a bit has been corrected differs from the access time for unaffected spots. So the researchers use this "side channel" signal to map their target bits. From there, they can template systematically and deliberately to find three vulnerable bits without accidentally flipping two at once. As a result of this involved mapping process, the researchers estimate that a real Rowhammer attack on ECC memory could take as long as a week. But during most of that time the attackers would be in the relatively inconspicuous templating phase.
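The three behaviors described above (one flip corrected, two flips detected, three flips missed) follow from the single-error-correct, double-error-detect (SECDED) Hamming codes commonly used for ECC memory. The following is an added example, not code from the VUSec researchers; it models a toy extended Hamming(8,4) code rather than the proprietary implementation they reverse engineered, and checks exhaustively that every 3-bit flip pattern is reported as "corrected" while the returned data is wrong.

```python
from itertools import combinations

# Toy SECDED model: 4 data bits, 3 Hamming parity bits, 1 overall parity bit.
# Real server ECC uses longer codes (e.g. 72 bits for 64), but the failure
# classes are the same: 1 flip corrected, 2 flips detected, 3 flips miscorrected.
DATA_POS = (3, 5, 6, 7)  # codeword positions that hold the data bits

def encode(nibble):
    """Encode a 4-bit value into an 8-bit SECDED codeword (index 0 = overall parity)."""
    w = [0] * 8
    for i, pos in enumerate(DATA_POS):
        w[pos] = (nibble >> i) & 1
    w[1] = w[3] ^ w[5] ^ w[7]   # each Hamming parity bit covers positions with that bit set
    w[2] = w[3] ^ w[6] ^ w[7]
    w[4] = w[5] ^ w[6] ^ w[7]
    w[0] = sum(w[1:]) & 1       # overall parity turns SEC into SECDED
    return w

def decode(word):
    """Return (status, data); status is 'ok', 'corrected' or 'uncorrectable'."""
    syndrome = 0
    for pos in range(1, 8):
        if word[pos]:
            syndrome ^= pos     # xor of set positions points at a single bad bit
    odd = sum(word) & 1         # overall parity: 1 means an odd number of flips
    w = list(word)
    if odd:                     # the code assumes exactly one flip and "fixes" it;
        w[syndrome] ^= 1        # syndrome 0 means the overall parity bit itself
        status = "corrected"
    elif syndrome:              # even flip count with non-zero syndrome: two flips
        status = "uncorrectable"  # a real controller raises a machine check here
    else:
        status = "ok"
    data = sum(w[pos] << i for i, pos in enumerate(DATA_POS))
    return status, data

def hammer(nibble, flips):
    """Flip the given codeword positions and report (status, data_intact)."""
    w = encode(nibble)
    for pos in flips:
        w[pos] ^= 1
    status, data = decode(w)
    return status, data == nibble

def every_triple_is_silent():
    """True if each 3-flip pattern is accepted as 'corrected' yet yields wrong data."""
    return all(hammer(n, f) == ("corrected", False)
               for n in range(16) for f in combinations(range(8), 3))

if __name__ == "__main__":
    for flips in [(5,), (5, 6), (3, 5, 6)]:
        print(len(flips), "flip(s):", hammer(0b1011, flips))
    print("all triple flips silent:", every_triple_is_silent())
```

The silent third case is exactly what makes templating against ECC viable: the controller never signals an error, so only the access-time side channel mentioned above reveals that a correction happened.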
"It takes longer and there are fewer templates you can find that are good enough to do the attack, which means you have fewer opportunities for exploitation," says Cristiano Giuffrida, who also worked on the research. "But even with fewer templates we've found that they are typically good enough to reproduce all the existing Rowhammer attacks."
A Concerning Development
Undermining ECC memory's data integrity presents a real problem; it's that feature that makes it an attractive underpinning for massive cloud services, research systems, and critical infrastructure. Worse, the researchers point out that ECC memory is also increasingly found in a diverse array of Internet of Things devices, albeit for a totally separate reason. The memory is useful for power-limited devices—like anything running off a battery—because it can correct errors using its stored redundancy, so it does not need to spend as much power on refreshing as ordinary random access memory does.
The combination of high-reliability systems and low-power systems means that vulnerable ECC memory is likely present in devices all around you. "These findings are concerning," says Ang Cui, an embedded device security researcher and founder of the IoT defense firm Red Balloon. "Most computers in the infrastructure—like servers, routers, and firewalls—use ECC memory, so to be able to reach those devices with Rowhammer is a noteworthy development."
A successful Rowhammer attack against a system that uses ECC would intentionally and strategically corrupt memory to potentially compromise data, undermine security protections, and allow an attacker to gain more access. The researchers say such an attack could even be done remotely, without physical access to the target system.
Both in terms of the attack and possible defenses, there is still a lot that is unknown, because ECC chips, their implementation, and the devices they work in are all generally proprietary. The researchers say that the most resource-intensive and challenging part of the project was reverse engineering examples of ECC memory to get enough of an understanding of how it works. And it could be that ECC mechanisms even exist in memory chips that aren't marketed as having those capabilities.
"The ECC implementation that we studied is slightly more documented in practice, but the industry is reluctant to release specifications," Giuffrida says. "It's possible that ECC has been deployed in ways we have no evidence of, which means it’s possible that the attack surface is even bigger than it seems. People said Rowhammer was going to solve itself because of ECC, but this is worrisome."