Mjölnir: nethammers arrive a few years later than rowhammers

OK, I just liked all the dots in the Mjölnir 🙂

So, a few years ago we first heard of Row Hammer. It exploits the fact that memory is laid out as a grid, and, that adjacent bits can be influenced to flip using capacitance. And this is a disaster, e.g. you can change the ‘privilege’ bit on a page you own and thus make code in it run as root.

As time has gone on, processes have shrunk, and things have moved 3D, making this even more likely. People have mapped out the physical adjacency of 3D Flash, ostensibly to improve the reliability.

Novel hardware schemes using e.g. Target Row Refresh have come out, both in memory controllers, and in the DRAM itself. And the world kind of shrugged even tho IMHO its every bit as bad as Spectre. Its even been demonstrated to work from JavaScript which is kind of the nuclear option (imagine going to a web site or being force-fed some ad and your machine is pwned!).

Well now we have NetHammer, which is a derivative. Since packets will flow through ram, you can craft the bits in the packets to hit the ram in such as way as to influence/change other bits. Imagine downloading a torrent of AMBIANCÉ. Sure you intend to watch it. You just want to prove you’ve got the bandwidth. And the artist invented P2P art (you share to the network until one user has downloaded, and then delete). But anyway, while downloading this magnificent work, your machine is pwned. O Noes.

And worse, maybe your router is pwned too. And the one in your Telco. You know, that shiny-new NFV one they have just installed? Yes, in fact, everything that bitstream passes through could become modified/damaged/owned.

This attack becomes more possible when using Intel Cache Allocation Technology. yes cat. You knew I’d sneak a cat into an article 🙂 This feature allows restricting code to core to cache, which makes it simpler to exploit.

At this stage there really is nothiing left to do but don the tinfoil hat and head for the hills. Or better, the creighton mine. Say high to the Sudbury Neutrino Observatory folks while you are there sobbing in the fetal position about the futility of securing things that have electronics in them.

The researchers demonstrated this both on Intel and ARM, so, well, unless your equipment dates back to SRAM and Zilog days you are at risk.

Now, an attacker needs a fairly high rate of traffic, sustained. So that P2P download above. Or perhaps a DDoS attack they sustain against you.

They were able to demonstrate a bit-flip every 350ms on a 500Mbps UDP stream (but they kind of cheated and put clfush() in the driver).

Well, time to start folding the tinfoil. Read the article first tho.

 


Posted

in

by

Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *