Dubbed ‘Throwhammer,’ the newly discovered technique could allow attackers to launch Rowhammer laid on on the targeted systems but past times sending peculiarly crafted packets to the vulnerable network cards over the local expanse network.
Known since 2012, Rowhammer is a severe effect amongst recent generation dynamic random access retention (DRAM) chips inwards which repeatedly accessing a row of retention tin crusade "bit flipping" inwards an following row, allowing anyone to modify the contents of estimator memory.
The effect has since been exploited inwards a number of ways to arrive at remote code execution on the vulnerable computers together with servers.
Just terminal week, safety researchers detailed a proof-of-concept Rowhammer laid on technique, dubbed GLitch, that leverages embedded graphics processing units (GPUs) to deport out Rowhammer attacks against Android devices.
However, all previously known Rowhammer laid on techniques required privilege escalation on a target device, important attackers had to execute code on targeted machines either past times luring victims to a malicious website or past times tricking them into installing a malicious app.
Unfortunately, this limitation has right away been eliminated, at to the lowest degree for or together with then devices.
Researchers at the Vrije Universiteit Amsterdam together with the University of Republic of Cyprus convey right away flora that sending malicious packets over LAN tin trigger the Rowhammer laid on on systems running Ethernet network cards equipped amongst Remote Direct Memory Access (RDMA), which is usually used inwards clouds together with information centers.
Since RDMA-enabled network cards allow computers inwards a network to central information (with read together with write privileges) inwards the principal memory, abusing it to access host’s retention inwards rapid succession tin trigger flake flips on DRAM.
"We rely on the commonly-deployed RDMA technology inwards clouds together with information centers for reading from remote DMA buffers rapidly to crusade Rowhammer corruptions exterior these untrusted buffers," researchers said inwards a newspaper [PDF] published Thursday.
"These corruptions allow us to compromise a remote Memcached server without relying on whatever software bug."
Since triggering a flake flip requires hundreds of thousands of retention accesses to specific DRAM locations inside tens of milliseconds, a successful Throwhammer laid on would bespeak a rattling high-speed network of at to the lowest degree 10Gbps.
In their experimental setup, researchers achieved flake flips on a targeted server subsequently accessing its retention 560,000 times inwards 64 milliseconds past times sending packets over LAN to its RDMA-enabled network card.
Since Rowhammer exploits a estimator hardware weakness, no software spell tin completely laid upwards the issue. Researchers believe the Rowhammer threat is non alone existent but too has potential to crusade real, severe damage.
For to a greater extent than in-depth details on the novel laid on technique, y'all tin caput on to this newspaper [PDF], titled "Throwhammer: Rowhammer Attacks over the Network together with Defenses," published past times the researchers on Thursday.
