
Rowhammer Attack

Posted: April 16, 2019

A Rowhammer attack is an exploit in which a threat actor hammers rows of memory cells with repeated accesses to force bit flips in neighboring rows. Although the Rowhammer attack requires high technical proficiency, in theory it can enable remote code execution, which is the lynchpin in attacks that install threats like backdoor Trojans or spyware. Since it abuses architectural issues that are fundamental to memory design, there is no way to remove the underlying vulnerability, but users can follow standard security guidelines to reduce their level of risk.

The Hardware that Gets Hammered – with Electricity

While most threat actors depend on victims who endanger themselves one way or another – by downloading a Trojan, letting threatening scripts auto-run in their browser or using an inappropriately weak password – some take more initiative than others. The Rowhammer attack shows both sides of these attacks, with a consequence that gives the attacker gradually increasing system access. Since its initial disclosure, the range of affected hardware and attack strategies has kept growing, and most systems can't be said to be completely safe.

A Rowhammer attack uses a 'flooding' technique of repeatedly accessing rows of memory cells until the electrical leakage affects neighboring rows, which lets a threat actor gradually dig deeper and deeper into the system. The programming skill level and time requirements are both substantial, and most threat actors without highly specific targets wouldn't bother exploiting such a tedious vulnerability in their campaigns. It can, however, result in a series of exploits leading to the installation of a high-level threat, such as a backdoor Trojan or RAT, which grants attackers easier access to and control over a system.

Unfortunately, some of the newer variants of the Rowhammer attack are easier to carry out than older ones. The 'Throwhammer' version can run remotely over high-speed networks by hammering RDMA network devices with specially crafted packets, the 'GLitch' attack affects Android device GPUs, and, with enough time, attackers could use a Rowhammer attack against highly sensitive systems that use ECC memory. ECC hardware includes many IoT devices and computers related to essential infrastructure or the finance sector.
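To show why ECC narrows the problem rather than removing it, here is an added example (not part of the original article) of a minimal SECDED code of the kind ECC memory is built on, applied to a 4-bit value: one flipped bit is corrected, two are detected as uncorrectable, and three are silently miscorrected. The codeword layout (Hamming(7,4) plus an overall parity bit) and the bit masks are assumptions chosen for illustration; real memory modules use wider codes over 64-bit words.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 } ecc_status;

/* Parity (XOR of all bits) of one byte. */
static uint8_t parity8(uint8_t v) { v ^= v >> 4; v ^= v >> 2; v ^= v >> 1; return v & 1; }

/* Encode a 4-bit value as an 8-bit SECDED codeword (assumed layout, 1-based positions):
 * 1=p1 2=p2 3=d0 4=p4 5=d1 6=d2 7=d3, and position 8 = overall parity of positions 1-7. */
uint8_t secded_encode(uint8_t nibble) {
    uint8_t d0 = nibble & 1, d1 = (nibble >> 1) & 1, d2 = (nibble >> 2) & 1, d3 = (nibble >> 3) & 1;
    uint8_t p1 = d0 ^ d1 ^ d3, p2 = d0 ^ d2 ^ d3, p4 = d1 ^ d2 ^ d3;
    uint8_t cw = p1 | (p2 << 1) | (d0 << 2) | (p4 << 3) | (d1 << 4) | (d2 << 5) | (d3 << 6);
    return cw | (parity8(cw) << 7);
}

/* Decode a codeword, correcting a single-bit error and flagging a double-bit error.
 * Three flipped bits look like one to the decoder, so they are "corrected" to wrong data. */
ecc_status secded_decode(uint8_t cw, uint8_t *nibble_out) {
    uint8_t b[9];
    for (int i = 1; i <= 8; i++) b[i] = (cw >> (i - 1)) & 1;
    /* Syndrome = 1-based position of a single flipped bit among positions 1-7 (0 = none). */
    uint8_t syndrome = (b[1] ^ b[3] ^ b[5] ^ b[7])
                     | ((b[2] ^ b[3] ^ b[6] ^ b[7]) << 1)
                     | ((b[4] ^ b[5] ^ b[6] ^ b[7]) << 2);
    uint8_t odd_flips = parity8(cw);  /* overall parity is 0 for a valid codeword */
    ecc_status st;
    if (syndrome == 0 && odd_flips == 0) {
        st = ECC_OK;
    } else if (odd_flips) {           /* odd count: assume exactly one flip and repair it */
        int pos = syndrome ? syndrome : 8;
        cw ^= (uint8_t)(1u << (pos - 1));
        st = ECC_CORRECTED;
    } else {                          /* even count with non-zero syndrome: two flips, give up */
        st = ECC_UNCORRECTABLE;
    }
    *nibble_out = ((cw >> 2) & 1) | (((cw >> 4) & 1) << 1) | (((cw >> 5) & 1) << 2) | (((cw >> 6) & 1) << 3);
    return st;
}

int main(void) {
    uint8_t cw = secded_encode(0xB), out;            /* constructed sample value 1011b */
    uint8_t masks[] = { 0x00, 0x10, 0x03, 0x07 };    /* 0, 1, 2 and 3 flipped bits */
    for (int i = 0; i < 4; i++) {
        ecc_status st = secded_decode(cw ^ masks[i], &out);
        printf("%d flip(s): status=%d data=0x%X%s\n", i, st, out, out != 0xB ? " (WRONG)" : "");
    }
    return 0;
}
```

The three-flip case returns ECC_CORRECTED with the wrong data, which is the failure mode that makes ECC a partial rather than complete defense against bit flips.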

A Hammer's Blow that's Worth Dodging

Users can't directly disable or remove the possibility of a Rowhammer attack, since it exploits baseline weaknesses and limitations in the physical layout of memory. What they can do is reduce their exposure to an attack by following standard precautionary steps while they're online. The majority of uses for the Rowhammer attack still involve tricking a user into opening an e-mail attachment, using a password that attackers could brute-force, etc. Threat actors then use privilege-escalation exploits to deepen their access.

A limitation worth noting with the remote, network-based version of the Rowhammer attack is that it requires a high-bandwidth network connection of at least ten Gbps. It calls for tens of thousands of location-specific memory access requests in less than one second, which hampers its practicality for casual threat actors and outright eliminates the possibility on lower-speed connections. Users who do fit this profile should protect their hardware with appropriate, enterprise-level firewalls and other security solutions to reduce the risk of a Rowhammer attack.

The Rowhammer attack is a fundamental, architectural problem whose capacity for harm only increases as the cyber-security industry learns more about it. While malware experts have found no cases of its live use by threat actors, its implications for the state of security in critical systems are less than pleasing.
