RAMBleed: Reading bits in memory without accessing them

Andrew Kwong, Daniel Genkin, Daniel Gruss, Yuval Yarom

Research output: Chapter in Book/Report/Conference proceedingConference paper

Abstract

The Rowhammer bug is a reliability issue in DRAM cells that can enable an unprivileged adversary to flip the values of bits in neighboring rows on the memory module. Previous work has exploited this for various types of fault attacks across security boundaries, where the attacker flips inaccessible bits, often resulting in privilege escalation. It is widely assumed however, that bit flips within the adversary's own private memory have no security implications, as the attacker can already modify its private memory via regular write operations.We demonstrate that this assumption is incorrect, by employing Rowhammer as a read side channel. More specifically, we show how an unprivileged attacker can exploit the data dependence between Rowhammer induced bit flips and the bits in nearby rows to deduce these bits, including values belonging to other processes and the kernel. Thus, the primary contribution of this work is to show that Rowhammer is a threat to not only integrity, but to confidentiality as well.Furthermore, in contrast to Rowhammer write side channels, which require persistent bit flips, our read channel succeeds even when ECC memory detects and corrects every bit flip. Thus, we demonstrate the first security implication of successfully-corrected bit flips, which were previously considered benign.To demonstrate the implications of this read side channel, we present an end-to-end attack on OpenSSH 7.9 that extracts an RSA-2048 key from the root level SSH daemon. To accomplish this, we develop novel techniques for massaging memory from user space into an exploitable state, and use the DRAM rowbuffer timing side channel to locate physically contiguous memory necessary for double-sided Rowhammering. Unlike previous Rowhammer attacks, our attack does not require the use of huge pages, and it works on Ubuntu Linux under its default configuration settings.

Original languageEnglish
Title of host publicationProceedings - 2020 IEEE Symposium on Security and Privacy, SP 2020
PublisherInstitute of Electrical and Electronics Engineers
Pages695-711
Number of pages17
ISBN (Electronic)9781728134970
DOIs
Publication statusPublished - May 2020
Event41st IEEE Symposium on Security and Privacy - Virtuell, United States
Duration: 18 May 202020 May 2020

Conference

Conference41st IEEE Symposium on Security and Privacy
Abbreviated titleSP 2020
CountryUnited States
CityVirtuell
Period18/05/2020/05/20

Keywords

  • OpenSSH
  • Rowhammer
  • Side channels

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'RAMBleed: Reading bits in memory without accessing them'. Together they form a unique fingerprint.

Cite this