Security IT Technology

'RAMBleed' Rowhammer Attack Can Now Steal Data, Not Just Alter It (zdnet.com)

A team of academics from the US, Austria, and Australia has published new research today detailing yet another variation of the Rowhammer attack. From a report: The novelty in this new Rowhammer variety -- which the research team has named RAMBleed -- is that it can be used to steal information from a targeted device, as opposed to altering existing data or elevating an attacker's privileges, as all previous Rowhammer attacks have done in the past. [...] In a research paper [PDF] published today, academics unveiled RAMBleed, the first Rowhammer attack that can actively deduce and steal data from a RAM card. To do this, researchers had to come up with and combine different techniques, which, when assembled, would permit a RAMBleed attack to take place.
  • by fahrbot-bot ( 874524 ) on Tuesday June 11, 2019 @02:41PM (#58746502)

    RAMBleed ...

    Alternately, you can use two small goats or a medium cow.

    • Is it a medium cow in vacuum at this point, or do we have to worry?
    • RAMBleed ...

      Alternately, you can use two small goats or a medium cow...

      I agree with this. Named vulnerabilities, or creatively named attacks, are tiresome.

      ...except for Rowhammer itself because it is just such a cool attack.

      • I agree with this. Named vulnerabilities, or creatively named attacks, are tiresome.

        ...except for Rowhammer itself because it is just such a cool attack.

        It's also the name of Thor's backup weapon.

    • I'd say it's our hardware design that's ridiculous. Memory should be able to have any values written with any frequency, without disrupting adjacent cells. Plenty of memory does NOT have this problem, but somehow we think it's fine for PC and server memory to have this problem because we need high density, speed and low power consumption at all costs.

      How about we line up the so-called "engineers" of this garbage against the wall and shoot them as a warning to others?

      • by Sique ( 173459 )
        The general problem is that RAM is much slower than the processor, and that we are already operating at frequencies where the wavelength is of the same magnitude as the structures of a mainboard. At 3 GHz, the wavelength is about 10 cm or 4 inches. Thus it will take at least one clock cycle to even get the address of the next memory line to the RAM (in fact, it's more, as the speed of electromagnetic waves in copper is much lower than the speed of light). If the address has to be decoded in the chipset firs
  • by gweihir ( 88907 ) on Tuesday June 11, 2019 @02:50PM (#58746540)

    I have run the tester-tool for a while on my hardware (several computers), no results. And I noticed a while back that most (all?) papers that describe measurements have the measurements done on laptops, with potentially much slower refresh-schedules, as that saves a significant amount of energy. It also increases the susceptibility to Rowhammer strongly. Does anybody have any reference for Rowhammer actually working on regular PC hardware?

  • Having read the article I understand the basic principle being used, but other than maybe skimming some bits here and there would this ever yield useful data for an attacker?

    In order to "bleed" some bits your program can run in a VM (like AWS or Azure) or actually run in a client browser as a Javascript (!) program. But it has no control over what bits are adjacent and subject to exploit. What are the odds that you will actually be able to see the user's clear-text passwords? Not very high. So you get a

    • by sinij ( 911942 ) on Tuesday June 11, 2019 @03:15PM (#58746650)

      Having read the article I understand the basic principle being used, but other than maybe skimming some bits here and there would this ever yield useful data for an attacker?

      Am I missing something?

      Yes, you are missing the fact that storing private keys in RAM is a common practice for all virtualized appliances running in the cloud.

      • by Anonymous Coward

        Exactly. That's how they're able, USING JAVASCRIPT IN A USERLAND BROWSER, to get the PRIVATE KEYS and ESCAPE THE VIRTUAL SANDBOX! That's why this is a big fucking deal. The entire cloud, boom.

        Because you've got a hardware flaw that even 7 rings of abstraction aren't blocking off now, accessible without malware/root, over the internet, using nothing more than fucking javascript or some other pseudo-innocuous inroad.

        Javascript is enabled by default everywhere. Virtual machines are used everywhere. This is a s

        • Sorry, the room for those crying that the sky is falling is one door down. So far (!), these hammers always require complete control over both the software and hardware. But by releasing a click-bait paper to the public every few months the grant money keeps flowing.
          • by Anonymous Coward

            LEARN TO READ ANYTIME OR DO NOT.

            Throughout the years, academics greatly expanded the methods and exploitation scenarios of the original Rowhammer research, taking a crazy experiment and showing how the technique could be used in the real world:

            They showed how a Rowhammer attack could alter data stored on DDR3 and DDR4 memory cards alike
            They showed how a Rowhammer attack could be carried out via JavaScript, via the web, and not necessarily by having a

    • Max Bazaliy used an exploit over and over, dumping just four bytes at a time, to jailbreak the Apple Watch. Here's the talk, it's pretty intense [youtube.com], and also why I enjoy learning about hacking but not actually doing it.
    • But it has no control over what bits are adjacent and subject to exploit. What are the odds that you will actually be able to see the user's clear-text passwords? Not very high. So you get a byte or two at random among an 8G data field.

      Cryptography, security and side channels are harder than you think. Sure you might see a cleartext password. Or you could leak 0.5 bits per day about some encryption key. Leave it running a while and you have enough information to crack some really important data.

  • You can infer data in a group of cells if you can hammer cells in the same row, adjacent rows and sample in a series of cells physically next to the ones you want to read.

    You need to be able to position all those blocks of ram in precise physical locations, after you've determined the physical cells of the data you want to read.

  • "Attacks never get worse; they only get better."
