Throwhammer & Nethhammer Show How Chips Are Vulnerable to Bit Flips

In a pair of papers released over the last week, researchers have shown how two different types of attacks, Throwhammer and Nethhammer, can cause a bit flip in chips by sending packets across a standard network.

Larry Loeb, Blogger, Informationweek

May 18, 2018

3 Min Read

First there was the Rowhammer problem. Researchers at Google identified a way that the RAM of a computer could be altered in its state -- bit flips -- to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process.

The bit flips, according to Google, that it caused in page table entries (PTEs) could allow malware to gain write access to its own page table, and hence gain read-write access to all of physical memory.

Running code on the victim machine was necessary to do this, which meant having the attack code placed on the machine itself or luring users to some website that hosted malicious JavaScript.

However, in the last two weeks, researchers at the Vrije Universiteit Amsterdam and the University of Cyprus showed how packets delivered to the victim machine over a network could cause the same type of vulnerability.

(Source: Pexels)

(Source: Pexels)

The network attack was enabled by fast network speeds that allowed the attacker to send specially designed packets in a rapid succession.

"We show that even at relatively modest network speeds of 10Gbps, it is possible to flip bits in a victim machine from across the network," according to the research paper.

The researcher's attack -- named Throwhammer -- was effective on servers using memcached techniques. This is a distributed memory caching system used by many websites to reduce pulling data from other external servers. In this method, an application will reserve space inside a network card to store packets it wants to store from remote direct memory access (RDMA) channels.

Throwhammer meant that cloud services were directly at risk to this attack from their networks if they used RAM chips that did not physically guard against bit flips such as DDR2, DDR3 or DDR4 chips.

Over this past weekend, however, separate research from the team that discovered the Spectre and Meltdown side-channel vulnerabilities in x86 chips showed that a network could deliver other ways to cause Rowhammer-style bit flips.

These researchers found that systems using uncached memory or flush instructions while handling network requests -- not just RDMA -- were vulnerable to what they called Nethammer.

The authors describe the situation: "Nethammer sends a crafted stream of network packets to the target device to mount a one-location or single-sided Rowhammer attack by exploiting quality-of-service technologies deployed on the device."

This means they found a way to bypass the caching that is routinely used and send the attack directly into the DRAM to cause the row conflicts required for hammering.

The attack requires high-speed connections.

"In our experiments, we sent a stream of UDP packets with up to 500 Mbps to the target system. We were able to induce a bit flip every 350 ms," according to the research note.

That need for speed may be a way to mitigate attacks of this kind. Controlling traffic spikes may be a way out, but even short spikes may allow this kind of attack.

Security has long focused on software as the attack enabler. Nethammer shows how hardware itself can be the underlying problem and how resistant it may be to a simple solution.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Read more about:

Security Now

About the Author(s)

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights