Security researchers have developed a new cyber-attack called RAMBleed, a variant of Rowhammer that can steal data from memory chips even if the system has been updated to prevent these kinds of ambushes.

Developed by an international team, (Yuval Yarom from the University of Adelaide and Data61, Andrew Kwong and Daniel Genkin of the University of Michigan Daniel Gruss of Graz University of Technology), RAMBleed reads and shares a computer’s memory data, making the user’s personal data, such as passwords and payment details, available to the attacker.

 


Rowhammer

Discovered by Intel in 2012 and exploited by Google Project Zero in 2015, Rowhammer attacks a system by ‘hammering’ a row of transistors in a memory chip, until that row leaks information into the adjacent row.

RAMBleed
RAMBleed leverages the success of Rowhammer, making it side-channel attack, an assault designed using the information gained from an analysis of a chip or system.

“We were researching Rowhammer, and we realised that if these patterns exist, the Rowhammer effect would work. For Rowhammer to be effective, there needed to be a pattern to the data memory, and we can detect if these patterns are there or not based on whether the Rowhammer effect works or not,” explains Yuval Yarom, one of the researchers who discovered RAMBleed.

“By knowing the pattern of memory around a location, we know what data is in there.”

RAMBleed uses Rowhammer to read the data stored inside the DRAM’s physical memory, and as that physical memory is shared among the elements that use the chip to power the device (input and output system [mouse, screen, keyboard, smartphone, etc], CPU [central processing unit] etc), this causes a continuous leak of data.

“As the physical memory is shared among all processes in the system, this puts all processes at risk,” the researchers wrote in a FAQ about RAMBleed. “While the end-to-end attack we demonstrated reads out OpenSSH 7.9’s RSA key, RAMBleed can potentially read any data stored in memory. In practice, what can be read depends on the victim program’s memory access patterns.”

“Rowhammer changes memory…people use it to change the data that affects the security of the system and then exploit the system after the change,” explains Yarom. “What we have shown with RAMBleed is that you can use it to steal information.”

RAMBleed

An example of a memory chip that has leaked information to the adjacent row during a Rowhammer attack.

Who is at risk
Any system that uses Rowhammer vulnerable DIMMs (dual in-line memory module) is susceptible, according to RAMBleed’s FAQ.

“Previous research has demonstrated bit flips on both DDR3 and DDR4 with TRR (targeted row refresh) enabled. While we demonstrated our attack on a desktop machine and an ECC enabled server machine, Rowhammer attacks have been demonstrated against both mobile devices and laptops. As such, we suspect that many classes of computers are susceptible to RAMBleed.”

 

ECC (Error Correcting Code Memory)
Error correcting code memory is a type of computer data storage that can detect and correct the most common kinds of internal data corruption, and was the best safeguard against Rowhammer attacks up until late 2018.

Because RAMBleed doesn’t need to flip bits in the memory chip like Rowhammer to access private information, it can bypass ECC memory.

 

Preventing a RAMBleed attack
“Moving to new memory and DDR4 and some modules are protected against Rowhammer, and it’s not 100%, but it’s significantly improved,” says Yarom.

“The biggest problem is the person who clicks on the link they’re not supposed to.”

 

Who would launch a RAMBleed attack
According to the developers of RAMBleed, no one has employed this kind of assault to their knowledge, and the likelihood is slim.

“Anyone who is able to pull this attack has a lot of resources…a nation-state attacking another might be likely because it gives them less detectable access than conventional attacks,” says Yarom.