Share this…

Researchers have found a new variation of the Rowhammer attack technique they have dubbed RAMpage. The vulnerability could allow an adversary to create an exploit to gain administrative control over targeted Android smartphones and tablets. The flaw impacts Android devices dating back to 2012.

RAMpage follows a string of Rowhammer variants that have come to light since 2015 when researchers initially identified the flaw in DRAM memory in laptops and PCs.

In 2016, researchers figured out how the PC-based Rowhammer attack technique could be applied to Android devices and give an attacker root access to millions of Android handsets including Nexus, Samsung, LG and Motorola.

This Drammer attack differed slightly from Rowhammer in that it relies on the Flip Feng Shui exploitation technique. A Flip Feng Shui exploitation technique carefully selects the sizes of the portion of memory where dynamically allocated memory resides (heap). Next, the Rowhammer attack targets that portion of memory which can “flip” – or change the state of adjacent memory bits – creating circumstances ripe for memory manipulation. Those bit flips could include simply changing a 0-to-1 or 1-to-0, according to researchers.

The latest variant, RAMpage, works in similar ways. It targets an Android’s universal generic memory management system called ION introduced by Google in 2011 as part of Android 4.0. It’s part of a subsystem used to manage and allocate memory. An attack consists of a write and refresh request on the device’s RAM until it flips a bit in an adjacent row. This opens the door to the device compromise.

The prerequisite for a likely attack is a user installing an unprivileged app capable of carrying out the attack. “We consider an attacker with full control over a zero-permissions holding, unprivileged Android app that is running on the victim’s device,” researchers wrote.

The good news is the researchers have also released a tool called Guardion, a software-based mitigation against rampage attacks. “It prevents an attacker from modifying critical datastructures by carefully enforcing a novel isolation policy,” researchers wrote. “Although Guardion is not deployed in operating systems yet, there are ongoing efforts to realize this. The source code for Guardion is available online in the form of Android kernel patch.” Currently the patch is not widely available and only tested for Google Pixel, running Android 7.1.1 (Nougat).

RAMpage researchers credited for the discovery include Victor van der Veen, Martina Lindorfer, Yanick Fratantonio, Harikrishnan Padmanabha Pillai, Giovanni Vigna, Christopher Kruegel, Herbert Bos, and Kaveh Razavi. Universities include Vrije Universiteit Amsterdam, Amrita University India, UC Santa Barbara and the French graduate school Eurecom.