RAMpage: Android devices susceptible to a hardware vulnerability CVE-2018-9442

RAMpage: Android devices susceptible to a hardware vulnerability CVE-2018-9442

Rampage is an evolution of Rowhammer 

Rampage exploits a critical vulnerability in modern phones that allows apps to gain unauthorized access to the device. While apps are typically not permitted to read data from other apps, a malicious program can craft a rampage exploit to get administrative control and get hold of secrets stored in the device. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

The vulnerability, tracked as CVE-2018-9442, is a variation of the Rowhammer attack. Rowhammer is a hardware bug in modern memory cards. A few years back researchers discovered that when someone would send repeated write/read requests to the same row of memory cells, the write/read operations would create an electrical field that would alter data stored on the nearby memory. In the following years, researchers discovered that Rowhammer-like attacks affected personal computersvirtual machines, and Android devices. Through further researcher, they also found they could execute Rowhammer attacks via JavaScript codeGPU cards, and network packets.

What is RAMpage?

RAMpage isn’t exactly new, so to say. RAMpage is a hardware vulnerability which implements Rowhammer and other, smaller exploits. RAMpage can be used to gain root access on a device, but the researchers managed to get it to do a whole lot more as well. It could be used to bypass JavaScript sandboxes and even perform an attack running on another virtual machine on the same computer on x86 devices. ARM-based devices are also vulnerable, and that’s where our Android phones come in. DRAMMER stands for “Deterministic Rowhammer Attacks on Mobile Devices,” and it was able to be used against a number of Android phones in the past to gain root access.

What is DRAM Rowhammer Vulnerability?

Known since 2012, Rowhammer bug is a hardware reliability issue with new generation DRAM (dynamic random access memory) chips in which repeatedly and rapidly accessing (hammering) a row of memory can cause bit flips in adjacent rows, i.e., changing their bit values from 0 to 1 or 1 to 0.

In 2015, security researchers from Google Project Zero successfully demonstrated ways to deterministically exploit this hardware issue to achieve privilege escalation on the vulnerable computers (Windows and Linux).

  • Besides this Google researchers also introduced double-sided Rowhammer attack that increases the chance of getting bit flips in a row by hammering both of its neighbors.
  • Triggering the Rowhammer bug is simple, but its successful exploitation is difficult, as most bits in the memory are irrelevant for an attacker and flipping them could result in memory corruption.
  • Hammering, i.e., aggressively reading/writing data from/to the DRAM, at random memory locations is not sufficient to bit flip a targeted memory page (likely used by a high privileged or system application).
  • For successful exploitation of Rowhammer, an attacker must be able to trick the system in a way that it lands the targeted memory page into the row (vulnerable to Rowhammer) adjacent to the attacker-owned row in the physical memory of DRAM.

In our previous articles, we have also covered other Rowhammer attacks, which includes:

  • GLitch: This technique leverages embedded graphics processing units (GPUs) to carry out Rowhammer attacks against Android devices.
  • Throwhammer: The first network-based remote Rowhammer attack that involves the exploitation of a known vulnerability in DRAM through network cards using remote direct memory access (RDMA) channels.
  • Nethammer: Another network-based remote Rowhammer technique that can be used to attack systems using uncached memory or flush instruction while processing the network requests.

 

What is Drammer Attack?

Discovered two years ago, Drammer was the first practical Rowhammer-based attack that targets DRAM chips on the Android devices, which could be exploited by a malicious app without requiring any permission or software vulnerability.
Drammer attack relies on DMA (direct memory access) buffers, which are provided by Android’s main memory manager called ION.


Since DMA allows apps to directly access the memory without going through any CPU cache, it makes repeated access (hammering) to a specific row of memory more efficient.

ION organizes its memory pools in several in-kernel heaps, one of which, kmalloc heap, was designed to allocate physically contiguous memory, which enabled attackers to easily determine how virtual addresses were mapped to physical addresses.
These two properties of ION memory manager—direct access and contiguous memory allocations—were the key behind the success of Drammer attack.

“RAMpage breaks the most fundamental isolation between user applications and the operating system,” researchers said. “While apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device.” “This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents,” the research team said.

RAMpage may also impact Apple devices, PCs, and VMs

Research into the RAMpage vulnerability is still in its early stages, but the team says the attack can take over Android-based smartphones and tablets. The researcher team also believes RAMpage may also affect Apple devices, home computers, or even cloud servers. Researchers say they’ve updated a previous app they used in the past to detected Drammer to also identify if a device is vulnerable to RAMpage. The app is not available on the Play Store and must be downloaded from here and later side-loaded.

Every Android device released in the past 6 years is affected

While researchers reproduced a RAMpage attack only on an LG4 smartphone, they said that “every mobile device that is shipped with LPDDR2, LPDDR3, or LPDDR4 memory is potentially affected, which is effectively every mobile phone since 2012.”

The research team also published a website detailing their findings. Although the website is a visual copy of the website used for the Meltdown and Spectre vulnerabilities, researchers said there’s no resemblance between Meltdown/Spectre and RAMpage. This is because Meltdown and Spectre go after data stored inside CPU caches while RAMpage goes after data stored inside RAM cards.

“We hope that this page gets more people involved in contributing to research,” the research team wrote on their site. “It is currently unclear how widespread the Rowhammer bug (the hardware error that rampage exploits) is.”

“By getting more people to run our updated Drammer test app, we hope to get a better understanding of this issue, allowing us to make decisions on how to move forward (i.e., should we continue looking for defenses or is this an already-solved problem?).”

 

Please follow and like us:

Leave a Reply

Your email address will not be published. Required fields are marked *