In some modern DRAM devices,“repeatedly accessing a row of memory can cause bit flips in adjacent rows,”according to a blog post penned by Mark Seaborn, sandbox builder and breaker and Thomas Dullien, reverse engineer.
After discovering a the problem on some laptops, the researchers “built two working privilege escalation exploits,” one of which “uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process.”
When run on a machine vulnerable to the rowhammer problem, the exploit “was able to induce bit flips in page table entries (PTEs)” on vulnerable machines and “ gain write access to its own page table,” thereby gaining “read-write access to all of physical memory.”
The researchers don't know how many machines are vulnerable or even fixable. They expect that their “PTE-based exploit could be made to work on other operating systems; it is not inherently Linux-specific,” they wrote, explaining that while their “exploit uses the x86 CLFLUSH instruction to generate many accesses to the underlying DRAM,” there may be other techniques that “might work on non-x86 systems too.”
The duo noted that “the presence of rowhammer mitigations in LPDDR4” indicate that vendors have known about the rowhammer bug for quite some time.
“Looking backward, had there been more public disclosures about the rowhammer problem, it might have been identified as an exploitable security issue sooner,” the post said, noting that vendors may have viewed the bug as a reliability issue rather than a security problem.In July Google announced Project Zero, a team of researchers dedicated to uncovering zero-day vulnerabilities, flaws and other security issues that could represent a threat to internet users.