Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

5/18/2018
08:15 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Throwhammer & Nethhammer Show How Chips Are Vulnerable to Bit Flips

In a pair of papers released over the last week, researchers have shown how two different types of attacks, Throwhammer and Nethhammer, can cause a bit flip in chips by sending packets across a standard network.

First there was the Rowhammer problem. Researchers at Google identified a way that the RAM of a computer could be altered in its state -- bit flips -- to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process.

The bit flips, according to Google, that it caused in page table entries (PTEs) could allow malware to gain write access to its own page table, and hence gain read-write access to all of physical memory.

Running code on the victim machine was necessary to do this, which meant having the attack code placed on the machine itself or luring users to some website that hosted malicious JavaScript.

However, in the last two weeks, researchers at the Vrije Universiteit Amsterdam and the University of Cyprus showed how packets delivered to the victim machine over a network could cause the same type of vulnerability.

The network attack was enabled by fast network speeds that allowed the attacker to send specially designed packets in a rapid succession.

"We show that even at relatively modest network speeds of 10Gbps, it is possible to flip bits in a victim machine from across the network," according to the research paper.

The researcher's attack -- named Throwhammer -- was effective on servers using memcached techniques. This is a distributed memory caching system used by many websites to reduce pulling data from other external servers. In this method, an application will reserve space inside a network card to store packets it wants to store from remote direct memory access (RDMA) channels.

Throwhammer meant that cloud services were directly at risk to this attack from their networks if they used RAM chips that did not physically guard against bit flips such as DDR2, DDR3 or DDR4 chips.

Over this past weekend, however, separate research from the team that discovered the Spectre and Meltdown side-channel vulnerabilities in x86 chips showed that a network could deliver other ways to cause Rowhammer-style bit flips.

These researchers found that systems using uncached memory or flush instructions while handling network requests -- not just RDMA -- were vulnerable to what they called Nethammer.

The authors describe the situation: "Nethammer sends a crafted stream of network packets to the target device to mount a one-location or single-sided Rowhammer attack by exploiting quality-of-service technologies deployed on the device."

This means they found a way to bypass the caching that is routinely used and send the attack directly into the DRAM to cause the row conflicts required for hammering.

The attack requires high-speed connections.

"In our experiments, we sent a stream of UDP packets with up to 500 Mbps to the target system. We were able to induce a bit flip every 350 ms," according to the research note.

That need for speed may be a way to mitigate attacks of this kind. Controlling traffic spikes may be a way out, but even short spikes may allow this kind of attack.

Security has long focused on software as the attack enabler. Nethammer shows how hardware itself can be the underlying problem and how resistant it may be to a simple solution.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...