RAMBleed extends the Rowhammer bit-flip attack and successfully recovers an OpenSSH 2048-bit key

Several security researchers have published a paper introducing RAMBleed, which extends the Rowhammer bit-flip vulnerability from its known threat to memory integrity into the territory of memory leakage, suggesting that the exploitability of bit flips goes far beyond what people currently imagine.

RAMBleed is a side-channel attack that lets an attacker read physical memory belonging to other processes. The researchers build on Rowhammer, a bit-flip vulnerability that appeared a few years ago. Rowhammer is a fault attack: the attacker uses a particular memory access pattern to make bits in memory flip, that is, to change their value (0/1). Because the attacker never directly accesses the memory location that changes, the CPU and operating system are generally unaware of the problem. Although the technique does not give very precise control over which bits flip, it has been used for sandbox escapes, privilege escalation against operating systems and hypervisors, denial of service, and fault-injection attacks on cryptographic protocols.

People used to think Rowhammer attacks could only undermine memory integrity: the attacker uses Rowhammer's limited write primitive to reach memory that is otherwise inaccessible and then modifies its contents, so the attack could be mitigated simply by integrity checks on memory, for example by protecting the integrity of the target memory or by using memory with error-correcting code (ECC). ECC in particular has been considered an effective defence against Rowhammer, since it corrects a bit flip at the moment it occurs. Although recent evidence suggests that an attacker can bypass the ECC mechanism, so that bit flips can still be observed after correction, a successfully corrected flip was still considered benign and not a security risk.

But the researchers believe this idea is not reliable, and the paper asks two questions:

  • Is the threat posed by Rowhammer limited to loss of memory integrity?
  • What security risk does a corrected bit flip pose? Even if ECC memory corrects every flipped bit, can an attacker still use Rowhammer to break confidentiality?

The results show that the exploitability of bit flips goes far beyond what people currently imagine: the threat of the Rowhammer bit-flip vulnerability is not only loss of memory integrity, it can also be used to obtain information from memory.

The researchers developed an attack method called RAMBleed. It is a side-channel attack: by observing Rowhammer-induced bit flips, the attacker can infer the values held in nearby DRAM rows and thus read physical memory belonging to other processes. In the paper they also demonstrate an attack on OpenSSH using RAMBleed and successfully recover a leaked 2048-bit RSA key.

Moreover, unlike Rowhammer, RAMBleed does not require persistent bit flips, so the ECC memory commonly used in server machines is ineffective at mitigating this attack.
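To make the ECC point concrete, here is an added illustration (not code from the RAMBleed paper or its authors): a software model of single-error-correcting, double-error-detecting (SECDED) memory built from a toy Hamming(8,4) code over one nibble. It shows why ECC protects integrity but not confidentiality: after a single Rowhammer-style flip the decoder restores the stored value, yet the correction itself, including which bit flipped, is an event the memory controller must produce. The real channel an attacker would observe (correction latency, error logs) is outside this model; the decoder simply returns the status.

```python
# Toy SECDED memory model: Hamming(7,4) plus an overall parity bit (8 bits per nibble).
# Constructed for illustration only; real ECC DIMMs use 64+8-bit codes, but the
# integrity-versus-observability behaviour shown here is the same.

def secded_encode(nibble: int) -> int:
    """Encode 4 data bits into an 8-bit codeword."""
    d = [(nibble >> i) & 1 for i in range(4)]            # d0..d3
    p1 = d[0] ^ d[1] ^ d[3]                               # covers positions 1,3,5,7
    p2 = d[0] ^ d[2] ^ d[3]                               # covers positions 2,3,6,7
    p4 = d[1] ^ d[2] ^ d[3]                               # covers positions 4,5,6,7
    bits = [p1, p2, d[0], p4, d[1], d[2], d[3]]           # Hamming positions 1..7
    bits.append(sum(bits) % 2)                            # overall parity, position 8
    return sum(b << i for i, b in enumerate(bits))

def secded_decode(word: int):
    """Return (nibble, status, corrected_bit_index).

    status is 'ok', 'corrected' (single flip fixed, data intact but the event
    is visible) or 'uncorrectable' (double flip detected, data not trustworthy).
    """
    bits = [(word >> i) & 1 for i in range(8)]
    syndrome = 0                                          # XOR of 1-based positions of set bits
    for pos in range(1, 8):
        if bits[pos - 1]:
            syndrome ^= pos
    parity_ok = sum(bits) % 2 == 0
    status, position = "ok", None
    if syndrome and not parity_ok:                        # single error inside the Hamming bits
        bits[syndrome - 1] ^= 1
        status, position = "corrected", syndrome - 1
    elif syndrome and parity_ok:                          # two errors: detectable, not fixable
        status = "uncorrectable"
    elif not syndrome and not parity_ok:                  # the parity bit itself flipped
        bits[7] ^= 1
        status, position = "corrected", 7
    nibble = bits[2] | (bits[4] << 1) | (bits[5] << 2) | (bits[6] << 3)
    return nibble, status, position

def rowhammer_flip_under_ecc(nibble: int, bit: int):
    """Model one induced flip of codeword bit `bit` followed by an ECC-protected read."""
    damaged = secded_encode(nibble) ^ (1 << bit)
    return secded_decode(damaged)

if __name__ == "__main__":
    # Constructed sample: the stored value survives, but the flip is reported, not hidden.
    print(rowhammer_flip_under_ecc(0b1011, 2))            # (11, 'corrected', 2)
```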

The researchers will present a paper titled "RAMBleed: Reading Bits in Memory Without Accessing Them" at the 41st IEEE Symposium on Security and Privacy, to be held in May 2020, with further details of the attack technique.

Paper: https://rambleed.com

Source: www.oschina.net/news/107384/rowhammer-to-rambleed