Rowhammer vulnerabilities are once again making mainstream news with the addition of CVE-2018-9942, dubbed RAMpage. This new variant of Rowhammer-based vulnerabilities allows attackers to compromise other applications and seize complete control over Android-based devices. What makes this vulnerability unique is how efficient the exploit process has become relative to preceding exploits.
The security community has been aware of Rowhammer-based bugs since 2012. Back then it was recognized as more of a theoretical based hardware reliability issue with Dynamic Random Access Memory (DRAM) chips. Back then, to save on cost and increase system response time, manufacturers were allowing applications to directly access memory instead of utilizing the processor which opened up the doors for possible vulnerabilities. At that point it was known that when repeatedly and rapidly accessing rows of memory it was possible to induce bit flipping into adjacent rows of memory. This type of attack typically might crash an application or induce the hardware device into an error condition. Since exploitation was so difficult and more theoretical it would seem that vendors and manufacturers did not take this problem seriously. However, over the past few years security researchers have uncovered additional problems with android based devices and attackers have matured their exploitation techniques.
Using RAMpage exploits, an attacker can leverage a set of Direct Memory Access (DMA) based Rowhammer attacks to bypass system defenses, compromise other applications, and effectively gain root access on the latest Android OS. The RAMpage attack generally consists of three steps: exhausting the system heap, shrinking the cache pool, and then rooting the mobile device. By using traditional Rowhammer techniques an attacker can drain all ION’s (Android’s Memory Manager) internal memory pools. This allows an attacker to break out of their initial allocated application memory in order to access other interesting memory regions. Then, by shrinking the cache pool using the Flip Feng Shui exploitation technique, attackers can trick the kernel into storing a page table within the vulnerable memory region. Finally, by implementing the initial two steps and leveraging a root exploit to place within the vulnerable memory region an attacker can successfully compromise an android device. The prerequisite for this attack requires an attacker to have access over an application that can carry out such an attack on the device. The research paper is linked at the bottom for further details.
At this time it is unrealistic to fix the vulnerability in hardware as it would be expensive and would not address the devices currently in use. Interestingly, the researchers that initially discovered the issue also released a tool called GuardION – a software based mitigation solution against RAMpage attacks.
Sources https://threatpost.com/rowhammer-variant-rampage-targets-android-devicesall-over-again/133198/ https://vvdveen.com/publications/dimva2018.pdf