Security Week 48: Rowhammer On Android And The Complexity Of Hardware Vulnerabilities
We like to read scientific works that investigate computer vulnerabilities.
They have what the industry often lacks, namely, caution when formulating certain assumptions.
This advantage, but there is a drawback: as a rule, the practical benefit or harm from a newly discovered fact is not obvious, too fundamental phenomena are subjected to research.
- This year we learned a lot about new hardware vulnerabilities, starting with Specter and Meltdown, and usually, these new knowledge appear in the form of scientific work.
The quality of these hardware problems is appropriate: they are exposed to whole classes of devices, it is difficult (and even impossible at all) to completely close the software patch, the potential damage is also incomprehensible. What’s there to say, sometimes it’s hard to understand how they even work.
This is roughly the case with the vulnerabilities of the Rowhammer class. Four years ago, it was discovered a fundamental possibility to change the “next” bit in the RAM module by the regular read / write operations.
- Since then, new research has emerged showing how to apply this feature to tightly-packed memory chips for practical attacks. Last week, a team of scientists from different countries showed a practical attack on Android-smartphones RAMpage (news). How much is this attack really dangerous? Let’s try to figure it out (spoiler: it’s still unclear).
Let me remind you, Rowhammer’s attack uses the fundamental features of memory chips. Specifically, changing the charge when writing to a specific cell (more precisely, a row of cells) affects neighboring cells (rows), too.
- Usually, this is not a problem, because at regular intervals the charges in all cells are updated. But if you often perform a lot of read-write operations (tens and hundreds of thousands of times), you can change the value in memory cells that you did not initially have access to (all written above is a vulgar simplification, bordering on crime, and the truth is only in the original scientific work).
To adapt this feature of memory for any real attack is not easy: you need the right combination of access rights to the system, the location of the code in memory, direct access to memory without caching, and so on. Not at once, but in four years there were many examples of such combinations, and Rowhammer from the sweet theory turned into a harsh practice.
We will not even try to retell with simple words the attack of RAMpage. This attack bypasses the patches introduced in Android after the discovery (approximately the same group of researchers) of the Drummer attack in 2016.
The combination of several previously known methods that provide direct access to RAM in the right place, and the features of the current version of Android (in the experiment the phone LG G4 with Android 7.1.1 was used) allowed to get superuser rights on a completely patched phone.
- What is not characteristic for research on the new vulnerability, the authors of RAMPage also offer a way to close the vulnerability, with a very small drop in performance (according to Google, the drop there is still significant). Moreover, mitigation (it also came up with a name – GuardION) allows you to include the optimizations turned off in Android after the previous study.
In the best tradition of modern vulnerability marketing vulnerability (and patch) have made the site and logos. But since they are scientists, the FAQ on this site is extremely honest: “No, it’s not Specter, not even close”. “No, we will not show you the PoC.” “We do not know if your phone is susceptible, we only had money for one.”
True, on the site you can download an application that will allow you to test your gadget for the vulnerability yourself. The proposed code for mitigation is also available on GitHub. Google does not tend to exaggerate the danger of research: the attack “does not work on supported devices with Google Android.” We want to say something good about the fragmentation of Android and the difference between supported and used, but somehow another time.
- What if to express themselves in ordinary Russian, happened? Researchers slightly raised the bar of the practicality of another attack, using a hardware vulnerability. It has not yet been applied (and unlikely to be) criminal, and in general from the state “got a rue in the laboratory” to “can attack a significant number of devices of real users” the way is not close.
Google is aware of, and somehow at least in newer versions of Android keeps the problem under control. Such studies require a lot of time, and the danger lies in the possible abrupt transition from quantity (spent man-hours) to quality. Namely: the appearance of some relatively easy (at least like Meltdown) exploited the hole, which can be closed either by purchasing a new device or by a drop in productivity at times.
- However, the proposal above is an imprudent assumption (but the author of the text can, he is not a scientist). Meanwhile, another group of researchers seems to have found yet another hardware vulnerability, this time in the function of hyperthreading in Intel processors.
Moreover, the vulnerability was used to steal an encryption key from a process running in a neighboring “thread” of the same kernel. And the OpenBSD maintainers were so impressed with the results that they decided to turn off the support for the functionality of the processors in the distribution completely (with obvious consequences for performance). The research is planned for publication at the Black Hat conference in August. We continue our observation.