3 is the magic number (of bits): Flip ’em at once and your ECC protection has been Rowhammer’d

Researchers in the Netherlands have discovered that error-correcting code (ECC) protections can be thwarted to perform Rowhammer memory manipulation attacks.

The Vrije Universiteit Amsterdam crew of Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, and Herbert Bos today said they have developed a method to precisely alter bits in server RAM chips without triggering ECC’s correction mechanism, giving them the ability to tamper with data, inject malicious code and commands, and change access permissions so that passwords, keys, and other secrets can be lifted.

The findings are significant because ECC has long been considered a tried-and-true method for preventing Rowhammer attacks. Thus, a baddie who can leverage the team's technique on a server to sidestep ECC could extract information from these high-value targets using Rowhammer. Said miscreant would first have to get into a position where they can flip bits on the vulnerable machine, most likely via malware already running on it.

The magic number

The VU Amsterdam team confirmed that the way server ECC checks for errors (single-error correction, double-error detection, or SECDED) creates an exploitable loophole: when one bit in an ECC word is flipped, the ECC logic corrects it transparently. When two bits are flipped, ECC detects the error but cannot correct it, and the resulting uncorrectable-error exception typically crashes the program or the whole machine.

But if three bits in the same word are flipped simultaneously, ECC can fail to catch the modification: the decoder either sees nothing wrong or "corrects" a bit that was never flipped, and hands corrupted data back as if it were good. This limitation of SECDED has been known for a long time; what is new is showing that Rowhammer can produce such triple flips in practice and slip attacks through.

Crucially, the researchers found a timing side channel that lets them learn which bits in a word Rowhammer can flip, and so check whether a vulnerable address can be usefully manipulated by the triple-flip technique.

“Simply put: it will typically take measurably longer to read from a memory location where a bitflip needs to be corrected, than it takes to read from an address where no correction was needed,” the team explained.

“Thus, we can try each bit in turn, until we find a word in which we could flip three bits that are vulnerable. The final step is then to make all three bits in the two locations different and hammer one final time, to flip all three bits in one go: mission accomplished.”
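To make the one-, two- and three-flip behaviour and the timing-guided search concrete, here is an added example in Python. It is not code from the paper or from this article: it models a (72,64) SECDED code of the kind used on ECC DIMMs, then runs the bit-by-bit search the team describes against a constructed, imaginary DIMM. The `SimDimm` class, its map of vulnerable cells, the assumption that vulnerable cells flip only 1->0 and sit only in data positions, and the use of a boolean `slow` flag in place of a measured read latency are all assumptions made for this illustration.

```python
"""Toy SECDED model: the (72,64) extended Hamming code used on ECC DIMMs, plus a
simulated Rowhammer search that uses correction latency as a side channel.
Constructed for this example; the DIMM model and its vulnerable cells are made up."""

CODE_LEN = 72                                  # positions 0..71; position 0 is the overall parity bit
CHECK_POS = [1, 2, 4, 8, 16, 32, 64]           # Hamming check bits sit at powers of two
DATA_POS = [p for p in range(1, CODE_LEN) if p not in CHECK_POS]   # the 64 data positions

def encode(data):
    """64-bit data word -> 72-bit SECDED codeword, as an int whose bit i is position i."""
    cw = 0
    for i, pos in enumerate(DATA_POS):
        if (data >> i) & 1:
            cw |= 1 << pos
    for p in CHECK_POS:                        # check bit p covers every position with bit p set
        parity = 0
        for pos in DATA_POS:
            if (pos & p) and (cw >> pos) & 1:
                parity ^= 1
        cw |= parity << p
    cw |= bin(cw).count("1") & 1               # overall parity bit gives the codeword even weight
    return cw

def extract(cw):
    return sum(((cw >> pos) & 1) << i for i, pos in enumerate(DATA_POS))

def decode(cw):
    """Return (data, status): exactly what a SECDED memory controller can tell."""
    syndrome = 0
    for pos in range(1, CODE_LEN):
        if (cw >> pos) & 1:
            syndrome ^= pos                    # XOR of set positions: the error position for 1 flip
    odd = bin(cw).count("1") & 1               # overall parity: 1 if an odd number of bits flipped
    if syndrome == 0 and not odd:
        return extract(cw), "ok"
    if not odd:                                # 2 flips: detected but not correctable
        return extract(cw), "uncorrectable"    # controller raises a machine check, usually a crash
    if syndrome >= CODE_LEN:
        return extract(cw), "uncorrectable"    # syndrome names no position: some 3-flip cases are caught
    # Odd flip count: the controller assumes exactly one flip and "corrects" position `syndrome`
    # (0 blames the parity bit). With 3 flips this returns corrupted data with a clean status.
    return extract(cw ^ (1 << syndrome)), "corrected"

def flip(cw, positions):
    for pos in positions:
        cw ^= 1 << pos
    return cw

class SimDimm:
    """Constructed DIMM (assumption): each word has hidden Rowhammer-vulnerable data cells that
    flip 1->0 when hammered. Real cells flip either way and check-bit cells can be vulnerable too."""

    def __init__(self, words, vulnerable):     # vulnerable: {word: {codeword position, ...}}
        self.cells = {w: encode(0) for w in range(words)}
        self.vulnerable = vulnerable

    def write(self, w, data):
        self.cells[w] = encode(data)

    def hammer(self, w):
        for pos in self.vulnerable.get(w, ()):
            if (self.cells[w] >> pos) & 1:      # only a cell holding a 1 can flip in this model
                self.cells[w] ^= 1 << pos

    def read(self, w):
        data, status = decode(self.cells[w])
        slow = status == "corrected"           # the side channel: a corrected read takes longer
        return data, status, slow

def find_triple(dimm):
    """Attacker loop: probe one data bit per hammer, time the read, stop at 3 flippable bits."""
    for w in dimm.cells:
        found = []
        for i in range(64):
            dimm.write(w, 1 << i)              # only bit i holds a 1, so only bit i can flip
            dimm.hammer(w)
            _, _, slow = dimm.read(w)
            if slow:
                found.append(i)
            if len(found) == 3:
                return w, found                # (word index, [data bit indices])
    return None

def triple_flip(dimm, w, bits):
    """Final step: put all three vulnerable bits in their flippable state and hammer once."""
    pattern = sum(1 << i for i in bits)
    dimm.write(w, pattern)
    dimm.hammer(w)
    data, status, _ = dimm.read(w)
    return pattern, data, status

if __name__ == "__main__":
    cw = encode(0xDEADBEEFCAFEF00D)
    print(decode(flip(cw, [3])), decode(flip(cw, [3, 5])), decode(flip(cw, [3, 5, 9])))
    dimm = SimDimm(4, {0: {7}, 1: {3, 5}, 2: {3, 5, 9}})
    hit = find_triple(dimm)
    print(hit, triple_flip(dimm, *hit))        # (2, [0, 1, 4]) (19, 1024, 'corrected')
```

Two things worth noticing when running it. First, the three-flip case in word 2 (codeword positions 3, 5 and 9) produces a non-zero syndrome, so the controller "corrects" position 15 as well: the attacker wrote 19 and reads back 1024 with a status of "corrected", four data bits wrong and no exception raised. Second, not every triple slips through; flipping positions 1, 63 and 64 yields a syndrome outside the codeword and is flagged uncorrectable, which is why the search for the right three bits matters.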

The researchers said they were able to reproduce the attack on four different server systems: three running Intel chips and one using AMD. They declined to single out any specific memory brands.

Fortunately, while the attack would be extremely difficult to prevent, it also looks very difficult to pull off in the wild. Between combing through addresses to find vulnerable words and then carrying out the Rowhammer attack itself, the VU Amsterdam team said a successful attack on a noisy system can take as long as a week.

The boffins said that their findings should not be taken as a condemnation of ECC either. Rather, they should show admins and security professionals that ECC is just one of several protection layers, to be used in combination with things like hardened hardware configurations and careful logging and monitoring of correctable-error counts.

“ECC cannot stop Rowhammer attacks for all hardware combinations. If the number of bit flips is sufficiently high, ECC will only slow down the attack.”

A paper describing the technique, Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks, will be presented next year at the IEEE Symposium on Security and Privacy. ®
