Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

5/18/2018
08:15 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Throwhammer & Nethhammer Show How Chips Are Vulnerable to Bit Flips

In a pair of papers released over the last week, researchers have shown how two different types of attacks, Throwhammer and Nethhammer, can cause a bit flip in chips by sending packets across a standard network.

First there was the Rowhammer problem. Researchers at Google identified a way that the RAM of a computer could be altered in its state -- bit flips -- to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process.

The bit flips, according to Google, that it caused in page table entries (PTEs) could allow malware to gain write access to its own page table, and hence gain read-write access to all of physical memory.

Running code on the victim machine was necessary to do this, which meant having the attack code placed on the machine itself or luring users to some website that hosted malicious JavaScript.

However, in the last two weeks, researchers at the Vrije Universiteit Amsterdam and the University of Cyprus showed how packets delivered to the victim machine over a network could cause the same type of vulnerability.

(Source: Pexels)
(Source: Pexels)

The network attack was enabled by fast network speeds that allowed the attacker to send specially designed packets in a rapid succession.

"We show that even at relatively modest network speeds of 10Gbps, it is possible to flip bits in a victim machine from across the network," according to the research paper.

The researcher's attack -- named Throwhammer -- was effective on servers using memcached techniques. This is a distributed memory caching system used by many websites to reduce pulling data from other external servers. In this method, an application will reserve space inside a network card to store packets it wants to store from remote direct memory access (RDMA) channels.

Throwhammer meant that cloud services were directly at risk to this attack from their networks if they used RAM chips that did not physically guard against bit flips such as DDR2, DDR3 or DDR4 chips.

Over this past weekend, however, separate research from the team that discovered the Spectre and Meltdown side-channel vulnerabilities in x86 chips showed that a network could deliver other ways to cause Rowhammer-style bit flips.

These researchers found that systems using uncached memory or flush instructions while handling network requests -- not just RDMA -- were vulnerable to what they called Nethammer.

The authors describe the situation: "Nethammer sends a crafted stream of network packets to the target device to mount a one-location or single-sided Rowhammer attack by exploiting quality-of-service technologies deployed on the device."

This means they found a way to bypass the caching that is routinely used and send the attack directly into the DRAM to cause the row conflicts required for hammering.

The attack requires high-speed connections.

"In our experiments, we sent a stream of UDP packets with up to 500 Mbps to the target system. We were able to induce a bit flip every 350 ms," according to the research note.

That need for speed may be a way to mitigate attacks of this kind. Controlling traffic spikes may be a way out, but even short spikes may allow this kind of attack.

Security has long focused on software as the attack enabler. Nethammer shows how hardware itself can be the underlying problem and how resistant it may be to a simple solution.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31922
PUBLISHED: 2021-05-14
An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.
CVE-2021-32051
PUBLISHED: 2021-05-14
Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
CVE-2021-32615
PUBLISHED: 2021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
CVE-2021-33026
PUBLISHED: 2021-05-13
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the ca...
CVE-2021-31876
PUBLISHED: 2021-05-13
Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with ...