Throwhammer the New Way to Launch Rowhammer Attacks via Network Packets

Share this…

A team of researchers from Vrije University in Amsterdam and the University of Cyprus found a way to launch Rowhammer attacks through network packets and network cards.

This, according to information security experts, makes Rowhammer attacks be launched in a more facile and comfortable way, since the malicious actor only needs to bombard the victim’s network card with specially designed packages.

thow hammer

Now it’s simpler than previous attacks, since they required the attacker to infect the victim with malware or lead victims to access malicious websites, where a Rowhammer attack code hidden within the JavaScript of the site would be loaded.

This new attack method by Rowhammer, Throwhammer, was detailed in the research report entitled “Throwhammer: Rowhammer Attacks over the Network and Defenses.”

You may come to believe that Throwhammer should not be possible. Rowhammer attacks work by filtering memory addresses and generates a row of memory cells to induce 0/1 bit flips in nearby memory cells, thus modifying data stored within a computer’s RAM.

Information security professionals expelled, that Throwhammer is possible because the data sent to a network card is cached inside the RAM, which produces the same effect.

Although not all network cards can handle the large amount of incoming traffic that is necessary to trigger the Rowhammer dump. According to experts, only network cards enabled with RDMA are vulnerable.

The researchers commented that RDMA (Remote Direct Memory Access), is a technology that exposes the memory of a computer through a network without involving the CPU and the operating system, this means that it can process more packages than network cards previous

These RDMA-enabled network cards are frequently seen in large groups of computers, and particularly in cloud computing data centers.

Network bandwidth is not a problem for Throwhammer. “Modern NICs are capable of transferring large amounts of network traffic to remote memory.” In the experimental configuration, bit changes could be observed.

When the memory is accessed 560,000 times in 64 ms, which means 9 million accesses per second “, the information security researchers wrote in the article.

“Also, normal 10 Gbps Ethernet cards can easily send 9 million packets per second to a remote host that ends up stored in the host’s memory,” the professionals said, noting that an attacker does not need a fast network connection to carry After the attack, only a network card enabled for RDMA is necessary.

The professionals also commented that they were able to cause bit flipping on a remote Memcached server simply by using network packets and without the need for user actions.

According to information security researchers, this is the first case of a Rowhammer attack through the network. This Throwhammer attack is not something that any cloud provider will add as a priority to their threat list.

This attack is very theoretical, many special conditions and a lot of work are needed to create Throwhammer network packets that cause very precise bit releases to execute even more commands on remote servers in the cloud or personal computers.

Information security experts commented that cloud providers could easily protect against these attacks with “guard zones” around the memory addresses where the RDMA cache / buffer is written, preventing bit changes from affecting sensitive information.

Compared to Rowhammer’s previous attacks, Throwhammer is the most dangerous, due to its modus operandi without the need for user interaction. The investigations yielded discoveries such as:

  • Rowhammer attacks work with DDR3 and DDR4 memory cards
  • Rowhammer attacks can be run through mundane JavaScript and not through specialized malware
  • Rowhammer attacks can take over Linux-based virtual machines installed in cloud hosting providers
  • Rowhammer attacks are capable of rooting Android devices
  • Rowhammer attacks can be launched with the help of GPU cards