Read this story on The Register

Rowhammer RAM attack adapted to hit flash storage

Project Zero's two-year-old dog learns a new trick

By Richard Chirgwin

Posted in Security, 17th August 2017 04:27 GMT

It's Rowhammer, Jim, but not as we know it: IBM boffins have taken the DRAM-bit-flipping-as-attack-vector trick found by Google and applied it to MLC NAND Flash.

Google's Project Zero found Rowhammer in 2015, when they demonstrated that careful RAM bit-flipping in page table entries could let an attacker pwn Linux systems.

Since the bug upsets the operating system by attacking memory rather than looking for developers' errors, it's potent even if it's limited to types of memory that aren't protected by error checks (such as ECC in newer RAM).

Ever since Project Zero's initial result, boffins have looked for other vectors or other victims (for example, it was turned into an Android root attack in 2016).

Enter a group of boffins from IBM Research Zurich, who plan to demo a Rowhammer attack on MLC NAND flash after explaining it at this week's Usenix-organised W00T17 conference in Vancouver.

Scary? Yes, but there's a couple of slivers of good news: it's a local rather than a remote attack, and the researchers constrained themselves to a filesystem-level attack rather than a full-system attack.

The bad news is that Rowhammer-for-NAND can work at lower precision than its ancestor: while the original Google research worked by flipping single bits, “ the attack primitive an attacker can obtain from MLC NAND flash weaknesses is a coarse granularity corruption”.

In other words, their “weaker attack primitive … is nevertheless sufficient to mount a local privilege escalation attack”.

To get that far, the research explain in this paper [PDF], an attack has to beat protections at all layers from the Flash chip up to the operating system:

  • Cell-to-cell interference protections on the chip.
  • The Flash controller's scrambling and error correction codes, that are designed to increase device reliability;
  • Wear-levelling and block placement algorithms in the SSD controller make memory placement less predictable, from the attacker's point of view;
  • Filesystem protections like caching and error detection have to be bypassed.

Only then does the attacker get to present their payload.

A successful privilege escalation is shown in the video below:

Youtube Video

In a Linux ext3 filesystem formatted in 4 KB block sizes, an attacker who can create a 100 GB file has a 99.7 per cent chance of a successful exploit, the researchers note.

The particular characteristic of Linux that make the attack possible is the inode, which stores the attributes and (importantly for this attack) disk block locations of an object's data: “An indirect block is written (by the kernel filesystem driver) as soon as a file becomes larger than 12 blocks in size: this write is therefore very easy to time and trigger for the attacker.”

While they only went as far as writing a local exploit, the authors note that remote attack scenarios are feasible, through something like Javascript in a browser:

“Because browsers do allow writes and reads to the filesystem (albeit indirectly), through web content local caching, cookies, or use of the HTML5 storage API, it may be feasible to extend the attack vector presented here to remote attacks”.

The best defence, they note, is disk encryption with something like dm-crypt. ®

Sign up to our NewsletterGet IT in your inbox daily

17 Comments

More from The Register

Google isn't saying Microsoft security sucks but Chrome for Windows has its own antivirus

ESET scanning engine now built in – plus other defenses

US-CERT study predicts machine learning, transport systems to become security risks

You've been warned

Google Assistant clears its throat, very weird 'machine IQ' tests, new AMD chip – plus more

AI Roundup DeepMind reminded neural net dev work is expensive

Washing machine AI? You'll thank AWS, Microsoft, Google (eventually)

The scramble for space driving the commodity race

Hash of the Titan: How Google bakes security all the way into silicon

Locking down servers and cloud with this itty-bitty chip

Microsoft: We'll beef up security in Windows 10 Creators Edition Fall Update

EMETs? I've had a few

Huawei developing NMVe over IP SSD

Seagate Kinetic drive idea had Huawei genesis and has Huawei follow-on

Who wants multiple virtual workstations on a GPU in a blade server?

NVIDIA reckons engineering types do, so it's cut a new GPU and software to carve it up

Microsoft cracks open patch mega-bundles for biz admins, will separate security, stability fixes

IT bods can separate monthly updates with new controls

That YouTube ad boycott had square-root of sod-all effect on Google's insane cash machine

License to print money renewed in full, thanks to mobile