Give 'em the Hammer
Drammer, a deterministic row hammer exploit, was just released at ACM CCS on Wednesday. This is a particularly interesting vulnerability.
Join the DZone community and get the full member experience.Join For Free
Drammer, a deterministic row hammer exploit, was just released at ACM CCS on Wednesday. This is a particularly interesting vulnerability - most vulnerabilities are purely software flaws. Things like buffer overflows, integer underflows, lack of appropriate compiler protections, that kind of thing.
Row hammer isn't like that.
Row hammer is a hardware flaw in modern DRAM chips. It's relatively rare, but common enough to be likely resident in every mobile device. Essentially, the chips leak charge between memory cells, and it's possible to leak enough charge from one to change the value of another, flipping a bit. Folks used to feel that yes, this is a flaw, but we don't know where and when it'll happen, so we really don't have to worry about it from a security perspective. We'll make sure the next generation of memory chips doesn't have this flaw, and we'll move on.
Well, not anymore.
The team, consisting of researchers from the US and Europe, were able to demonstrate how they could specifically flip bits in kernel data structures using this exploit. They took advantage of a few things - detailed understanding of Linux memory allocation algorithms as well as the row hammer flaw itself. Basically, instead of flipping bits where the kernel has stored data, then force the kernel to move data into a space where they can flip bits. There are three basic steps to the exploit: (1) find a susceptible memory cell, (2) groom the heap so that the kernel is forced to use memory that you can change, and (3) profit (I think that last step may contain a few substeps, but that's the gist of it).
The first two steps are very interesting. The first step involves hammering memory in a traditional row hammer attack and scanning all available physical memory this way. Eventually, you'll find a cell or two you can flip. Then, you groom the physical layout of memory allocated by the heap in a very particular way, leaving only enough physical memory behind to that the kernel can allocate page information. Then you force a page allocation, and the kernel will use the memory section you've reserved for the new page. Now, you flip the vulnerable bit(s) to give yourself access to that memory, and you can move onto the third step.
The problem with this flaw is that it's a hardware flaw. It's not fixable through software, not really (you could change memory allocation algorithms, but that's really about it, and it's not likely to be very effective). And it affects just about every mobile device out there today. The team that presented the exploit used Android and Linux, but iPhones use the same kind of memory, so even though the team didn't use them for a proof of concept, I expect they're vulnerable to the exploit too. This includes the iPhone 7 too.
As of today, every mobile phone on the market is vulnerable to compromise. And, really, nobody can do anything about it. I'm upgrading my phone soon — you should too.
Opinions expressed by DZone contributors are their own.