Rowhammer attacks make use of hardware vulnerabilities in order to access computer systems. TU Graz researchers have discovered a new type of attack - and raise questions about protective mechanisms."When a system is regarded as absolutely safe, our curiosity is awakened," explains Daniel Gruss from the Institute of Applied Information Processing and Communication Technology working group, the researcher is occupied with the security of IT systems and in particular rowhammer attacks. Together with colleagues Michael Schwarz and Moritz Lipp, he has recently published research results which have generated excitement in the community to say the least and possibly may lead to a complete rethink.
Rowhammer attacks were first recognised as a security problem and scientifically investigated in 2014. Attackers exploit vulnerabilities in the hardware to gain access to computer systems. The security holes are not real hardware faults, but rather come about because the DRAM modules in our computers - the memory - are becoming increasingly smaller. These models are composed of individual cells which are either charged (1) or not charged (0) and whose value determines all the computational processes. These small memory cells lying next to each other are arranged in rows and shielded from each other by insulation to prevent disturbance and computer errors. But this only works in a certain, specified context - in other words, only for a particular number of accesses in a predefined period. If the speed of accesses or their number is too high, this can lead to errors. Because computer components are becoming increasingly smaller and at the same time more powerful, and due to the fact that the cells lie even closer together, disturbance errors can be caused, when many cells are accessed or accessed at very high speeds, which change the value of a single cell.
Cells in which sensitive information such as administration rights are defined cannot usually be accessed externally. But the adjacent cells which are used for ordinary computer processes, for instance which are necessary for surfing in internet, can be accessed externally. When these adjacent, unprotected cells are accessed at very high frequency, the value of the attacked cell can be altered due to the resulting disturbance errors. Rowhammer attacks work on this principle. Daniel Gruss explains: "If the administration rights lie exactly in this cell, then the attacker has full access to the system and can, for instance, install malware."
In 2015 the research team demonstrated that such an attack can be launched while surfing in internet using a Java script from a malicious advertisement on a trustworthy website. Such attacks can also be carried out on smartphones.
Hardware and software producers have responded to this problem and offered solutions. "The basic assumption underlying our understanding of such attacks and thus all defensive measures up to now was that the attacker had to hammer two rows of cells at the same time in order to bring about a change in value," explained Gruss. "This creates a very distinctive attack pattern to which one can respond in defence measures."
"Research developed to such an extent last year that it was assumed that the new hardware components were absolutely safe." But the TU Graz researchers have now been able to show that the basic underlying assumption was wrong.
After working through the code the whole night long, we knew that this discovery changed everything.
"We examined a new security feature for vulnerabilities. This security feature hides all the computational processes: you don’t see what is going on inside from the outside. We wanted to know what happens when we incorporate a rowhammer attack," explains Gruss. But the computer crashed again and again. "At first we thought a programming error was the cause, but after working through the code the whole night long, we knew that this discovery changed everything." This novel combination meant that only one row of cells needed to be hammered to change the value of the attacked cell. As an example, if you use programmes which receive temporary administrator rights for installation processes - for instance a Windows update - then it’s easy for the attacker to get the necessary rights to install malware.
Despite the relative simplicity of the attack, the researchers are playing down the danger it can cause. "Rowhammer attacks are very time consuming and complex. You wouldn’t do something like this for fun," says Gruss. "You can gain access to the system within seconds through a security hole in the software. It would take hours or even days using the new rowhammer possibilities."
You can gain access to the system within seconds through a security hole in the software. It would take hours or even days using the new rowhammer possibilities.
InstructionsBut aren’t the researchers with their publication giving criminals the instructions they need for new attacks? "Of course it’s a balancing act. And in our field it’s usual to publish the source code. You have to choose carefully what the research community needs and what would be better not to publish," explains Gruss. "But it’s better than doing no research at all. Because then the public wouldn’t know anything about these security holes. And hackers could do exactly the same work that we do and track down the holes themselves. Only through public pressure do manufacturers respond to these problems."
This field of research is part of the Foe ,,Information, Communication & Computing "