Rowhammer Attacks: Real World Evidence

TL;DR

Yes, Rowhammer attacks have been observed in the wild, though they remain relatively rare. Mitigation techniques are improving, but vigilance is still required. This guide explains what Rowhammer is, how it works, evidence of real-world attacks, and steps you can take to protect your systems.

What is Rowhammer?

Rowhammer is a cyber security vulnerability rooted in a physical weakness of DRAM (Dynamic Random Access Memory). Repeatedly accessing the same row in memory can cause bit flips in adjacent rows, even though those rows weren’t directly targeted. This can allow an attacker to gain control of a system.

How Does it Work?

  1. The Problem: DRAM stores data as electrical charges within cells.
  2. Repeated Access: An attacker rapidly reads and writes to the same row in memory many times. This doesn’t directly change the data, but creates physical stress on the surrounding rows.
  3. Bit Flips: The stress can cause charge to leak from cells in adjacent rows, altering their stored values (bit flips).
  4. Exploitation: Attackers carefully target these bit flips in critical areas of memory – like kernel structures or privilege levels – to gain control of the system.

Evidence of Real-World Attacks

While initially a theoretical threat, Rowhammer attacks have been demonstrated practically and observed in limited real-world scenarios:

  • 2015: The original Rowhammer research showed the vulnerability on commodity DRAM.
  • 2016: Researchers found ways to reliably trigger bit flips using JavaScript in web browsers, raising concerns about remote attacks.
  • Cloud Providers (2017-Present): Several cloud providers have reported detecting and mitigating Rowhammer attempts against their infrastructure. Specific details are often kept confidential for security reasons.
  • Linux Kernel Mitigation: The Linux kernel has incorporated mitigations, indicating active threat awareness.

It’s important to note that successful attacks require specific conditions (DRAM type, system configuration) and a degree of luck.

Protecting Your Systems

  1. Keep Software Updated: Regularly update your operating systems (especially Linux), firmware, and BIOS. These updates often include Rowhammer mitigations.
    • Linux Example: Ensure you’re running a kernel version with Rowhammer protection enabled. Check the running kernel version using:
      uname -a
  2. Enable Memory Encryption: Technologies like Intel Total Memory Encryption (TME) and AMD Secure Encrypted Virtualization (SEV) can make it harder for attackers to exploit Rowhammer.
  3. Use Error Correcting Code (ECC) RAM: ECC RAM detects and corrects many bit flips, reducing the impact of a Rowhammer attack. This is particularly important for servers.
  4. Memory Randomization: Some systems use memory randomization techniques to make it harder for attackers to predict where critical data is located.
  5. Virtualisation Security: If using virtual machines, ensure your hypervisor has Rowhammer mitigations in place.
  6. Monitor System Logs: Look for unusual memory errors or crashes that could indicate a Rowhammer attempt. Tools like `dmesg` on Linux can be helpful.
    dmesg | grep -i memory
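
One way to automate steps 3 and 6 on an ECC-equipped Linux host, as an added example that is not part of the original article: it reads the corrected (CE) and uncorrected (UE) error counters that the kernel's EDAC subsystem exposes in sysfs and compares them with a saved baseline. The state-file path and the alert threshold are assumptions, and a rising count is a reason to investigate, not proof of a Rowhammer attempt.

```shell
#!/bin/sh
# Added example: watch the ECC error counters exposed by Linux EDAC.
# A sharp rise in corrected errors (CE) means ECC is absorbing bit flips;
# any uncorrected error (UE) means a flip got past ECC.

EDAC_ROOT="${EDAC_ROOT:-/sys/devices/system/edac/mc}"   # EDAC sysfs tree
STATE_FILE="${STATE_FILE:-/var/tmp/edac_ce_baseline}"   # assumed baseline location
CE_THRESHOLD="${CE_THRESHOLD:-10}"                      # assumed CE rise that triggers an alert

# Sum one counter (ce_count or ue_count) across all memory controllers.
edac_sum() {
    total=0
    for f in "$EDAC_ROOT"/mc*/"$1"; do
        [ -r "$f" ] || continue
        n=$(cat "$f")
        total=$((total + n))
    done
    echo "$total"
}

# Compare current counters with the saved baseline and print one status line.
# Returns 0 = ok, 1 = CE burst, 2 = uncorrected error seen, 3 = no EDAC data.
edac_check() {
    ls "$EDAC_ROOT"/mc*/ce_count >/dev/null 2>&1 || { echo "NO_EDAC"; return 3; }
    ce=$(edac_sum ce_count)
    ue=$(edac_sum ue_count)
    prev=$ce                                    # first run: record a baseline only
    [ -r "$STATE_FILE" ] && prev=$(cat "$STATE_FILE")
    echo "$ce" > "$STATE_FILE"
    delta=$((ce - prev))
    # Counters restart at zero after a reboot or driver reload.
    [ "$delta" -lt 0 ] && delta=$ce
    # UE counters are cumulative since boot, so this keeps firing until reboot.
    if [ "$ue" -gt 0 ]; then echo "UE ue=$ue ce_delta=$delta"; return 2; fi
    if [ "$delta" -ge "$CE_THRESHOLD" ]; then echo "CE_BURST ce_delta=$delta"; return 1; fi
    echo "OK ce_delta=$delta"; return 0
}
```

Run `edac_check` from cron or a monitoring agent at a fixed interval and alert on a non-zero return; a return of 3 means the host has no ECC memory or no EDAC driver loaded.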

Further Resources

  • Rowhammer Website: https://rowhammer.org/
  • Project Zero Blog (Google): Search for “Rowhammer” on the Project Zero blog for detailed research reports.