Blacksmith is a new kind of Rowhammer attack that has been shown to bypass the Rowhammer protections built into modern DDR4 memory modules, allowing researchers to extract secrets and to alter memory contents on a victim computer without any software vulnerability being involved.
What is Rowhammer?
Modern DRAM chips are physically very dense, with billions of memory cells (each a single transistor and capacitor) per chip, and the cells are arranged in rows. Rowhammer is a hybrid attack: ordinary software repeatedly reads (or "hammers") the same row or rows of memory, and the resulting electrical disturbance causes the capacitors in physically adjacent rows to lose charge faster than the periodic refresh can restore it, so a targeted bit in a neighbouring row flips from 1 to 0 or vice versa. Because the flip happens in the hardware, it is not stopped by any permission check in software. If you can flip the right bit(s), for example in a page-table entry or in stored key material, you can give an unprivileged process the ability to write to memory it should not reach, escalate it to administrator privileges, or corrupt cryptographic keys in a way that lets them be recovered.
The Blacksmith variant explained
In a recently published research paper, the COMSEC Computer Security Group at ETH Zurich describes a new type of Rowhammer attack they have called Blacksmith. The existing mitigation in DDR4, Target Row Refresh (TRR), works by watching for rows that are being accessed unusually often and refreshing their neighbours early, before the leaked charge turns into a bit flip. Earlier Rowhammer patterns hammer their aggressor rows uniformly, which is exactly the behaviour TRR is designed to notice. The COMSEC team instead generates non-uniform patterns in which different aggressor rows are hammered at different frequencies, phases and amplitudes, so the access stream does not look like the uniform hammering TRR expects while still delivering enough disturbance to flip bits. These patterns produced bit flips on every one of the PC-DDR4 DIMMs they tested, samples from the major vendors that together represent 94% of the DRAM market.
During their tests, the researchers were able to use the Blacksmith method in order to complete several successful attacks including:
- Corrupt an RSA-2048 public key held in memory so that its modified modulus can be factored, derive the matching private key for the corrupted key, and use it to gain SSH access to a VM
- Corrupt the password verification logic of the sudoers.so library so that an incorrect password is accepted, gaining root privileges
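The corrupted-key step of the first attack above, as an added example that is not part of the original article and not code from the ETH COMSEC researchers. It models a Rowhammer flip as a plain XOR on a toy modulus built from two constructed 32-bit primes, so that factoring is instant; the attacker-side logic is the same at 2048 bits, except that there the attacker must wait for a flip that leaves the corrupted modulus with prime factors small enough to find. The `make_victim_key`, `corrupted_key_attack` and `find_exploitable_bit` names, the seeded random generators and the challenge string are this example's own assumptions.

```python
"""Toy model of the RSA-key corruption step used after a Rowhammer bit flip.

Added example, not from the paper or the original page. Scaled down to
32-bit primes so that factoring runs instantly; the attacker never learns
the victim's real private key, they only need a private key for whatever
the corrupted modulus happens to be, because that is what the victim's
verifier now holds in memory.
"""
import hashlib
import math
import random

E = 65537  # standard RSA public exponent


def is_probable_prime(n, rounds=16, rng=random.Random(1)):
    """Miller-Rabin primality test (seeded RNG, so the run is repeatable)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def pollard_rho(n, rng):
    """Return a non-trivial factor of the composite n (Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d


def factor(n, rng=random.Random(2)):
    """Sorted list of the prime factors of n, with multiplicity."""
    if n == 1:
        return []
    if is_probable_prime(n):
        return [n]
    d = pollard_rho(n, rng)
    return sorted(factor(d, rng) + factor(n // d, rng))


def private_key_for(n, e=E):
    """Private exponent for an arbitrary modulus n, or None when e is not
    invertible modulo phi(n). Handles repeated and tiny prime factors, which
    is the normal situation for a modulus with a flipped bit."""
    phi = n
    for p in set(factor(n)):
        phi = phi // p * (p - 1)
    if math.gcd(e, phi) != 1:
        return None
    return pow(e, -1, phi)


def make_victim_key(bits=32, seed=1234):
    """Constructed victim key: n = p * q with two `bits`-bit primes."""
    rng = random.Random(seed)

    def rand_prime():
        while True:
            cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(cand):
                return cand

    p = rand_prime()
    q = rand_prime()
    while q == p:
        q = rand_prime()
    return p * q, E, (p, q)


def corrupted_key_attack(n, e, bit, challenge=b"constructed auth challenge"):
    """Model one Rowhammer flip of bit `bit` in the victim's stored modulus n.

    Returns None when that flip is not exploitable (e not invertible mod phi,
    or the hashed challenge shares a factor with the corrupted modulus),
    otherwise the corrupted modulus, its factors, the forged signature and
    whether a verifier holding the corrupted key accepts it.
    """
    n_bad = n ^ (1 << bit)                         # the bit flip itself
    d_bad = private_key_for(n_bad, e)
    if d_bad is None:
        return None
    m = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n_bad
    if m < 2 or math.gcd(m, n_bad) != 1:
        return None
    sig = pow(m, d_bad, n_bad)                     # attacker signs with d_bad
    accepted = pow(sig, e, n_bad) == m             # victim verifies with (n_bad, e)
    return {"n_bad": n_bad, "factors": factor(n_bad),
            "signature": sig, "accepted": accepted}


def find_exploitable_bit(n, e=E):
    """Scan every bit of the modulus; return (bit, result) for the first flip
    that yields a private key the victim's verifier accepts."""
    for bit in range(n.bit_length()):
        result = corrupted_key_attack(n, e, bit)
        if result is not None and result["accepted"]:
            return bit, result
    return None


def check_factorisation(n):
    """True when factor(n) returns primes that multiply back to n."""
    fs = factor(n)
    return all(is_probable_prime(f) for f in fs) and math.prod(fs) == n


if __name__ == "__main__":
    n, e, (p, q) = make_victim_key()
    bit, out = find_exploitable_bit(n, e)
    print(f"victim modulus = {p} * {q}")
    print(f"flip bit {bit} -> {out['n_bad']} = {' * '.join(map(str, out['factors']))}")
    print(f"forged signature accepted by the corrupted key: {out['accepted']}")
```

Note what the attacker does not obtain: the victim's genuine private key. A signature made with `d_bad` verifies only under the corrupted modulus, and that is enough, because the corrupted modulus is now what the victim's verifier holds in memory. The same reasoning applies to any trust anchor that lives in RAM as data rather than as code.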
Rowhammer attacks are a concern for security managers because the bit flip occurs in the hardware, beneath the isolation boundaries enforced by operating systems and virtual machine hypervisors, so a process in one VM can in principle corrupt memory belonging to another VM on the same physical DIMM. ECC memory raises the bar but does not remove the problem. As a result, careful consideration needs to be given to avoid mixing workloads with differing levels of security on the same physical hardware. This is harder in cloud environments, where you may have no visibility of the other virtual machines or services running on the same physical server as your own processes, and where the only reliable control is to ask the provider for dedicated hosts.