Rowhammer RAM attack adapted to hit flash storage

Project Zero's two-year-old dog learns a new trick

By Richard Chirgwin

Posted in Security, 17th August 2017 04:27 GMT

It's Rowhammer, Jim, but not as we know it: IBM boffins have taken the DRAM-bit-flipping-as-attack-vector trick found by Google and applied it to MLC NAND Flash.

Google's Project Zero found Rowhammer in 2015, when they demonstrated that careful RAM bit-flipping in page table entries could let an attacker pwn Linux systems.

Since the bug upsets the operating system by attacking memory rather than looking for developers' errors, it's potent even if it's limited to types of memory that aren't protected by error checks (such as ECC in newer RAM).

Ever since Project Zero's initial result, boffins have looked for other vectors or other victims (for example, it was turned into an Android root attack in 2016).

Enter a group of boffins from IBM Research Zurich, who plan to demo a Rowhammer attack on MLC NAND flash after explaining it at this week's Usenix-organised W00T17 conference in Vancouver.

Scary? Yes, but there's a couple of slivers of good news: it's a local rather than a remote attack, and the researchers constrained themselves to a filesystem-level attack rather than a full-system attack.

The bad news is that Rowhammer-for-NAND can work at lower precision than its ancestor: while the original Google research worked by flipping single bits, “ the attack primitive an attacker can obtain from MLC NAND flash weaknesses is a coarse granularity corruption”.

In other words, their “weaker attack primitive … is nevertheless sufficient to mount a local privilege escalation attack”.

To get that far, the research explain in this paper [PDF], an attack has to beat protections at all layers from the Flash chip up to the operating system:

  • Cell-to-cell interference protections on the chip.
  • The Flash controller's scrambling and error correction codes, that are designed to increase device reliability;
  • Wear-levelling and block placement algorithms in the SSD controller make memory placement less predictable, from the attacker's point of view;
  • Filesystem protections like caching and error detection have to be bypassed.

Only then does the attacker get to present their payload.

A successful privilege escalation is shown in the video below:

In a Linux ext3 filesystem formatted in 4 KB block sizes, an attacker who can create a 100 GB file has a 99.7 per cent chance of a successful exploit, the researchers note.

The particular characteristic of Linux that make the attack possible is the inode, which stores the attributes and (importantly for this attack) disk block locations of an object's data: “An indirect block is written (by the kernel filesystem driver) as soon as a file becomes larger than 12 blocks in size: this write is therefore very easy to time and trigger for the attacker.”

While they only went as far as writing a local exploit, the authors note that remote attack scenarios are feasible, through something like Javascript in a browser:

“Because browsers do allow writes and reads to the filesystem (albeit indirectly), through web content local caching, cookies, or use of the HTML5 storage API, it may be feasible to extend the attack vector presented here to remote attacks”.

The best defence, they note, is disk encryption with something like dm-crypt. ®

Sign up to our NewsletterGet IT in your inbox daily

17 Comments

More from The Register

Plunk: SK Hynix drops 72-layer 3D NAND on enterprise SSD market

Korean flasher poised to enter enterprise SSD market

Samsung preps for Z-SSD smackdown on Intel Optane drives

February reveal for wannabe XPoint killer

It gets worse: Microsoft’s Spectre-fixer wrecks some AMD PCs

Updated KB4056892 is not your friend if you run an Athlon

AMD scores EPYC gig powering new Azure instances

Don't pop the champagne yet: Microsoft's still using Intel in same series

Google Assistant clears its throat, very weird 'machine IQ' tests, new AMD chip – plus more

AI Roundup DeepMind reminded neural net dev work is expensive

SSD price premium over disk faaaalling

Updated IDC SSD forecast sees 44 per cent capacity CAGR 2016-2021

Dell goes on Epyc server journey with AMD

Rackmount server competition for PowerEdge 14G Xeon SP rackers

Nimbus Data becomes OEM supplier of high-capacity SSD tech

Viking and SMART Modular Technologies top customers

Samsung's bantam SSD makes WD's 'passport' drive look passé

Is that 2TB in your pocket or are you just pleased to see me?

Bing fling sting: Apple dumps Microsoft search engine for Google

Safari, Spotlight to be powered by the Chocolate Factory