Skip to main content

RAMBleed: reading bits in memory without accessing them

Authors

Andrew Kwong, Daniel Genkin, Daniel Gruss and Yuval Yarom

University of Michigan

DATA61

Graz University of Technology

The University of Adelaide

Abstract

The Rowhammer bug is a reliability issue in DRAM cells that can enable an unprivileged adversary to flip the values of bits in neighboring rows on the memory module. Previous work has exploited this for various types of fault attacks across security boundaries, where the attacker flips inaccessible bits, often resulting in privilege escalation. It is widely assumed however, that bit flips within the adversary’s own private memory have no security implications, as the attacker can already modify its private memory via regular write operations. We demonstrate that this assumption is incorrect, by employing Rowhammer as a read side channel. More specifically, we show how an unprivileged attacker can exploit the data dependence between Rowhammer induced bit flips and the bits in nearby rows to deduce these bits, including values belonging to other processes and the kernel. Thus, the primary contribution of this work is to show that Rowhammer is a threat to not only integrity, but to confidentiality as well. Furthermore, in contrast to Rowhammer write side channels, which require persistent bit flips, our read channel succeeds even when ECC memory detects and corrects every bit flip. Thus, we demonstrate the first security implication of successfully-corrected bit flips, which were previously considered benign. To demonstrate the implications of this read side channel, we present an end-to-end attack on OpenSSH 7.9 that extracts an RSA-2048 key from the root level SSH daemon. To accomplish this, we develop novel techniques for massaging memory from user space into an exploitable state, and use the DRAM row-buffer timing side channel to locate physically contiguous memory necessary for double-sided Rowhammering. Unlike previous Rowhammer attacks, our attack does not require the use of huge pages, and it works on Ubuntu Linux under its default configuration settings.

BibTeX Entry

  @inproceedings{Kwong_GGY_20,
    author           = {Kwong, Andrew and Genkin, Daniel and Gruss, Daniel and Yarom, Yuval},
    doi              = {https://doi.org/10.1109/SP40000.2020.00020},
    month            = may,
    date             = {2020-5-18},
    year             = {2020},
    title            = {{RAMBleed}: Reading Bits in Memory Without Accessing Them},
    address          = {San Francisco, CA, USA},
    video            = {https://www.youtube.com/watch?v=Y5iZJl2_HK4},
    pages            = {310-326},
    booktitle        = {IEEE Symposium on Security and Privacy},
    paperurl         = {https://ts.data61.csiro.au/publications/csiro_full_text//Kwong_GGY_20.pdf},
    publisher        = {IEEE}
  }

Download

Served by Apache on Linux on seL4.