Google's Project Zero team, dedicated to finding severe security vulnerabilities, has released research that shows with certain varieties of DRAM an attacker can create privilege escalations by simply repeatedly accessing a given row of memory.
Dubbed "the rowhammer problem" and first described in a research paper jointly created by Carnegie Mellon University and Intel Labs, the issue stems from the way certain kinds of DRAM -- mainly those found in x86-based notebooks -- suffer from a problem where "hammering" a given row of memory can cause bits in other rows of memory to flip spontaneously.
What's more, the issue isn't theoretical -- two proof-of-concept exploits have already been developed by Google's team.
Project Zero's blog post on the issue cites the ongoing miniaturization of memory as being party to blame.
"As DRAM manufacturing scales down chip features to smaller physical dimensions, to fit more memory capacity onto a chip, it has become harder to prevent DRAM cells from interacting electrically with each other," wrote Project Zero team member Mark Seaborn. "As a result, accessing one location in memory can disturb neighbouring locations, causing charge to leak into or out of neighbouring cells. With enough accesses, this can change a cell’s value from 1 to 0 or vice versa."
One of Google researchers' two proof-of-concept exploits runs on the x86-64 variant of Linux, while the other runs as a Google Native Client (NaCl) application. The former "escalates privilege to gain access to all of physical memory," while the latter "escalates privilege to escape from NaCl’s x86-64 sandbox, acquiring the ability to call the host OS's syscalls directly." The latter can be mitigated by modifying NaCl slightly, but the former "is harder to mitigate on existing machines."
Armed with those exploits, the Project Zero team conducted tests on eight models of x86 notebook computers, manufactured from 2010 through 2014, using five different vendors of DRAM and five different CPU families. They found that "a large subset of these" -- 15 out of 29 -- were vulnerable.
A couple of major caveats were attached to that finding, though. The team stressed that the sample size was small, and a negative result did not imply invulnerability. Also, while desktop PCs did not seem to be vulnerable, the team noted "that could be because they were all relatively high-end machines with ECC memory. The ECC could be hiding bit flips." (Most notebook memory does not use ECC DRAM.)
Memory manufacturers haven't been ignorant of this issue. The research paper (dated 2014) notes that Intel has filed a number of patent applications involving the problem. Google's team mentioned that "at least one DRAM vendor indicates, in their public data sheets, that they implement rowhammer mitigations internally within a DRAM device, requiring no special memory controller support."
Project Zero is asking that DRAM manufacturers, CPU makers, and BIOS creators release more data about the steps they've taken to mitigate rowhammer-like issues on their devices. Not only would this aid in screening out false negatives, but it might give software and OS makers a way to guard against such issues.