Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

08:15 AM
Larry Loeb
Larry Loeb
Larry Loeb

Throwhammer & Nethhammer Show How Chips Are Vulnerable to Bit Flips

In a pair of papers released over the last week, researchers have shown how two different types of attacks, Throwhammer and Nethhammer, can cause a bit flip in chips by sending packets across a standard network.

First there was the Rowhammer problem. Researchers at Google identified a way that the RAM of a computer could be altered in its state -- bit flips -- to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process.

The bit flips, according to Google, that it caused in page table entries (PTEs) could allow malware to gain write access to its own page table, and hence gain read-write access to all of physical memory.

Running code on the victim machine was necessary to do this, which meant having the attack code placed on the machine itself or luring users to some website that hosted malicious JavaScript.

However, in the last two weeks, researchers at the Vrije Universiteit Amsterdam and the University of Cyprus showed how packets delivered to the victim machine over a network could cause the same type of vulnerability.

(Source: Pexels)
(Source: Pexels)

The network attack was enabled by fast network speeds that allowed the attacker to send specially designed packets in a rapid succession.

"We show that even at relatively modest network speeds of 10Gbps, it is possible to flip bits in a victim machine from across the network," according to the research paper.

The researcher's attack -- named Throwhammer -- was effective on servers using memcached techniques. This is a distributed memory caching system used by many websites to reduce pulling data from other external servers. In this method, an application will reserve space inside a network card to store packets it wants to store from remote direct memory access (RDMA) channels.

Throwhammer meant that cloud services were directly at risk to this attack from their networks if they used RAM chips that did not physically guard against bit flips such as DDR2, DDR3 or DDR4 chips.

Over this past weekend, however, separate research from the team that discovered the Spectre and Meltdown side-channel vulnerabilities in x86 chips showed that a network could deliver other ways to cause Rowhammer-style bit flips.

These researchers found that systems using uncached memory or flush instructions while handling network requests -- not just RDMA -- were vulnerable to what they called Nethammer.

The authors describe the situation: "Nethammer sends a crafted stream of network packets to the target device to mount a one-location or single-sided Rowhammer attack by exploiting quality-of-service technologies deployed on the device."

This means they found a way to bypass the caching that is routinely used and send the attack directly into the DRAM to cause the row conflicts required for hammering.

The attack requires high-speed connections.

"In our experiments, we sent a stream of UDP packets with up to 500 Mbps to the target system. We were able to induce a bit flip every 350 ms," according to the research note.

That need for speed may be a way to mitigate attacks of this kind. Controlling traffic spikes may be a way out, but even short spikes may allow this kind of attack.

Security has long focused on software as the attack enabler. Nethammer shows how hardware itself can be the underlying problem and how resistant it may be to a simple solution.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Enterprises Are Assessing Cybersecurity Risk in Today's Environment
The adoption of cloud services spurred by the COVID-19 pandemic has resulted in pressure on cyber-risk professionals to focus on vulnerabilities and new exposures that stem from pandemic-driven changes. Many cybersecurity pros expect fundamental, long-term changes to their organization's computing and data security due to the shift to more remote work and accelerated cloud adoption. Download this report from Dark Reading to learn more about their challenges and concerns.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-01-19
When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. This does not affect the Linux Docker image
PUBLISHED: 2022-01-19
Authorization Bypass Through User-Controlled Key in Packagist remdex/livehelperchat prior to 3.92v.
PUBLISHED: 2022-01-19
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2021. Notes: none.
PUBLISHED: 2022-01-19
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2021. Notes: none.
PUBLISHED: 2022-01-19
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2021. Notes: none.