Threat Watch

Rowhammer Attacks Are Back on Stage

Researchers at Sopho’s have observed a sort of reboot to a classic, mostly theoretical, attack named Rowhammer. This attack involves repeatedly attack a specific address in memory enough to affect the electrical charge causing interference that is able to manipulate values in neighboring memory cells, causing “bitflips”. Binary changes from 0 to 1 or 1 to 0 in the cells.

There are many mitigations modern-day hardware employs to prevent bitflips. CPU’s cache memory addresses and RAM in almost all machines is Dynamic (DRAM). Rowhammer is a novel theory and exploitable, but not mature enough to be employed in the threat landscape most adversaries operate. “[Existing … rowhammer] attacks require frequent cache flushes, large physically contiguous regions, and certain access patterns to bypass in-DRAM TRR, all challenging in JavaScript.” – SMASH:Synchronized Many-sided Rowhammer Attacks

ANALYST NOTES

Each attack referenced above will need to be tailored to the specific CPU and RAM used in the machine. Which alone isn’t much of a deterrent. What researchers who authored the attacks discovered is that SMASH is neutralized when THP (Transparent Huge Pages/Paging) is turned off. To be clear this is specific to the referenced SMASH attack discussed in this brief, and a defense that is current and not future-proof. Binary Defense offers teams of researchers on the Threat Hunting and Counterintelligence teams proactively looking for exploits and theories such as Rowhammer to create actionable methods of detection and mitigation. These teams along with a strong internal IT infrastructure and a Security Operations Center monitoring significantly increase the chance of mitigation and cost-saving when an active or potential breach is observed.

https://www.vusec.net/projects/smash/
https://github.com/vusec/smash