Researchers use Rowhammer bit flips to steal 2048-bit crypto key

A DDR3 DIMM with error-correcting code from Samsung. ECC is no longer an absolute defense against Rowhammer attacks.

Enlarge / A DDR3 DIMM with error-correcting code from Samsung. ECC is no longer an absolute defense against Rowhammer attacks.

The Rowhammer exploit that lets unprivileged attackers corrupt or change data stored in vulnerable memory chips has evolved over the past four years to take on a range of malicious capabilities, including elevating system rights and breaking out of security sandboxes, rooting Android phones, and taking control of supposedly impregnable virtual machines. Now, researchers are unveiling a new attack that uses Rowhammer to extract cryptographic keys or other secrets stored in vulnerable DRAM modules.

Like the previous Rowhammer-based attacks, the new data-pilfering RAMBleed technique exploits the ever-shrinking dimensions of DRAM chips that store data a computer needs to carry out various tasks. Rowhammer attacks work by rapidly accessing—or hammering—physical rows inside vulnerable chips in ways that cause bits in neighboring rows to flip, meaning 1s turn to 0s and vice versa. The attacks work because as capacitors become closer together, they more quickly leak the electrical charges that store the bits. At one time, these bit flips were little more than an exotic crashing phenomenon that was known to be triggered only by cosmic rays. But when induced with surgical precision, as researchers have demonstrated over the past four years, Rowhammer can have potentially serious effects on the security of the devices that use the vulnerable chips.

A new side channel

RAMBleed takes Rowhammer in a new direction. Rather than using bit flips to alter sensitive data, the new technique exploits the hardware bug to extract sensitive data stored in memory regions that are off-limits to attackers. The attacks require only that the exploit hammers memory locations the exploit code already has permission to access. What’s more, the data extraction can work even when DRAM protected by error correcting code detects and reverses a malicious bit flip.

Besides opening a previously unknown side channel that allows attackers to deduce sensitive data, the attack also introduces new ways unprivileged exploit code can cause cryptographic keys or other secret data to load into the select DRAM rows that are susceptible to extraction. By combining the memory massaging techniques with this new side-channel attack, the researchers—from the University of Michigan, Graz University of Technology, and the University of Adelaide and Data61—were able to extract an RSA 2048-bit signing key from an OpenSSH server using only user-level permissions. In a research paper published on Tuesday, the researchers wrote:

Previous research mostly considers Rowhammer as a threat to data integrity, allowing an unprivileged attacker to modify data without accessing it. With RAMBleed, however, we show that Rowhammer effects also have implications on data confidentiality, allowing an unprivileged attacker to leverage Rowhammer-induced bit flips in order to read the value of neighboring bits. Furthermore, as not every bit in DRAM can be flipped via Rowhammer, we also present novel memory massaging techniques that aim to locate and subsequently exploit Rowhammer flippable bits. This enables the attacker to read otherwise inaccessible information such as secret key bits. Finally, as our techniques only require the attacker to allocate and deallocate memory and to measure instruction timings, RAMBleed allows an unprivileged attacker to read secret data using the default configuration of many systems (e.g., Ubuntu Linux), without requiring any special configurations (e.g., access to pagemap, huge pages, or memory deduplication).

While RAMBleed represents a new threat that hardware and software engineers will be forced to protect against, it seems unlikely that exploits will be carried out in real-world attacks any time soon. That’s because, like most other Rowhammer-based attacks, RAMBleed requires a fair amount of overhead and at least some luck. For determined attackers in the field today, there may be more reliable attacks that achieve the same purpose. While ordinary users shouldn’t panic, RAMBleed and the previous attacks it builds on poses a longer-term threat, especially for users of low-cost commodity hardware.

How it works

The key extraction requires that attackers first locate flippable bits in the memory of a targeted computer. This phase required the researchers to spend 34 hours to locate the 84,000 bit flips required to extract the SSH key. The non-trivial investment of time and resources required to template the memory is partly offset by the fact that it can be carried out ahead of time, with only user permissions, and without the need to interact with the SSH app or its secrets or with any other targeted application or its secrets. After the researchers filtered out bits that were useless in extracting the key, they ended up with about 4,200 bits.

RAMBleed then uses a special memory massing technique to cause the SSH key to load into memory locations that have the potential to expose their contents. The goal was to achieve a layout similar to the one shown in the left figure below, which correspond to the 8KiB pages needed for two Rowhammer variations. The first uses double-sided accesses and the second single-sided accesses. While RAMBleed works best in the double-sided version, due to noise from other system activity, the memory configuration sometimes results in a single sided-case (right version in the below figure).

Page layout for extracting a victim's secret. Each cell represents a 4 KiB page, meaning that each row represents an 8 KiB row in a DRAM bank. The attacker repeatedly accesses her row activation pages A0 and A2, activating the top and bottom rows. She then extracts corresponding bits in page S by observing bit flips in the sampling page A1.

Enlarge / Page layout for extracting a victim’s secret. Each cell represents a 4 KiB page, meaning that each row represents an 8 KiB row in a DRAM bank. The attacker repeatedly accesses her row activation pages A0 and A2, activating the top and bottom rows. She then extracts corresponding bits in page S by observing bit flips in the sampling page A1.
Kwong et al.

With that in place, RAMBleed hammers the A0 and A2 activation pages shown in the figure. The attack was able to recover 68 percent of the targeted SSH key, or about 4,200 key bits, at a rate of 0.31 bit per second, and with an accuracy rate of 82%. In an email, Andrew Kwong, one of the University of Michigan researchers who wrote the paper, explained:

It takes us almost four hours to complete the reading phase. We actually don’t need the key to remain in memory for any long period of time; OpenSSH will allocate a new page containing the key every time the attacker makes an SSH connection to the victim. If we make two connections in parallel, there are then two copies of the key in memory, which we then use for hammering and to read a single bit. We then close those SSH connections, so that there are no copies of the key in memory. We repeat this process to read each bit. Thus, the key is only in memory for ~3 seconds at a time, and we can force the victim to bring the key back into memory by making an SSH connection. We carried out our attack on an Ubuntu installation with default settings, without any special configurations.

The researchers then ran the recovered bits through the Heninger-Shacham algorithm, which allows the recovery of RSA keys from partial information. The result: the researchers were able to achieve complete key recovery

The Rowhammer-enabled side-channel exploits a physical phenomenon in DRAM chips wherein the likelihood of bit flips depends on the values of bits immediately above and below it. That is, bits tend to flip to the same value of the bits in adjacent rows.

“The main observation behind RAMBleed is that bit flips depend not only on the bit’s orientation, i.e., whether it flips from 1 to 0 or from 0 to 1, but also on the values of neighboring bits,” the researchers reported in their paper. “Specifically, true bits tend to flip from 1 to 0 when the bits above and below them are 0, but not when the bits above and below them are 1. Similarly, anti bits tend to flip from 0 to 1 when the bits above and below them are 1, but not when the bits above and below them are 0.”

RAMBleed works by hammering the activation memory rows (A0 and A2 in the figure displayed above) of carefully arranged memory contents. The resulting bit flips allow the researchers to deduce the values of the secret bits. Repeating this procedure with bit flips at various offsets in the page allows the researchers to recover enough bits to construct the full key.

ECC is not an absolute defense

The researchers said RAMBleed is able to bypass ECC, or error-correcting code protections, built into some types of DRAM chips. When corrections occur, they happen in a predictable way that first corrects the error and then passes the corrected value to the software. This opens a timing side channel that allows the researchers to determine if a single-bit error occurred. The researchers then adjusted RAMBleed to account for ECC.

“With ECC, we cannot observe the flips directly,” the researchers wrote. “Instead we use the timing side channel and look for long read latencies. As such latencies occur only due to Rowhammer-induced flips, they can be used to reveal the value of the secret bit.”

RAMBleed was able to successfully read bits stored in ECC memory with a 73% accuracy at a rate of 0.64 bit per second.

The key recovery made possible by RAMBleed is fundamentally different from a Rowhammer technique unveiled two years ago that allowed one virtual machine to compromise the RSA keys stored on a second VM. In the 2016 attack, the researchers used Rowhammer-induced bit flips to make the public key much weaker than it was before. The researches then factored the key to obtain the corresponding private key. RAMBleed, by contrast, reads the key from memory.

In an advisory, officials with Intel confirmed that the vulnerability, a part of which is tracked as CVE-2019-0174, “may allow partial information disclosure via local access.” The advisory assigned a Common Vulnerability Scoring System of 3.8 to the vulnerability out of a maximum of 10.

“Partial physical address information potentially disclosed through exploitation of this vulnerability does not contain user secrets, but could potentially be utilized to enhance unrelated attack methods,” the advisory stated. It went on to recommend people follow established practices for side-channel resistance and mitigations for timing side channels against cryptographic implementations.

The statement also advises using DRAM that’s resistant to Rowhammer attacks. That generally includes using DDR4 chips that offer ECC or a feature known as targeted row refresh. This advice is helpful, but it’s not the last word for two reasons. First, RAMBleed can bypass ECC protections. Second targeted row refresh isn’t an automatic defense against Rowhammer.

“TRR makes it more difficult to find bit flips,” Kwong, the University of Michigan researcher, wrote in an email. “Not all DDR4 has TRR enabled, and implementations vary substantially by vendor, so it is difficult to pinpoint exactly how much safer TRR is against Rowhammer. TRR’s susceptibility to RAMBleed is an open research question.”

Kwong also offered a clarification to Intel’s statement that CVE-2019-0174 “may allow partial information disclosure via local access.” Because the CVE tracks only the technique for uncovering the low 21 bits of a physical address, the statement is referring only to that, not the overall RAMBleed effect, the researcher told Ars.

Oracle

Meanwhile, Oracle published an advisory here that reported that older and current servers using its SPARC and x86 CPUs aren’t expected to be susceptible to RAMBleed. CPUs using DDR4 DIMMs have implemented target row refresh against RowHammer, the advisory said, while older systems with DDR3 make use of a combination of “other RowHammer mitigations (e.g., pseudo-TRR and increased DIMM refresh rates in addition to Error-Correcting Code (ECC)).” Oracle cloud services are also not expected to be vulnerable because they use the same DDR4 protections mentioned above.

As noted earlier, the immediate real-world threat that RAMBleed—and most other Rowhammer attacks, for that matter—poses to most end users is relatively low. That’s because attackers have a variety of less complicated and more tested methods that arguably could achieve most of the same results. That said, Rowhammer-based attacks including RAMBleed could in the years to come become a more serious risk, particularly in lower-cost devices if engineers don’t study the underlying bug and devise effective means for fixing, or at least mitigating, it.

“By uncovering another channel for Rowhammer based exploitation,” the researchers wrote, “we have highlighted the need to further explore and understand the complete capabilities of Rowhammer.”

This post was updated to add details from Oracle.

Similar Posts: