'Ingenious' attack mixes memory deduplication with Rowhammer

Researchers demonstrated an exploit that combines rare attacks on memory deduplication and Rowhammer in order to allow an adversary access to read or write system memory.

New research described an attack that mixes memory deduplication and Rowhammer exploits in a proof-of-concept JavaScript-based attack against the new Microsoft Edge browser, which one expert called an ingenious attack.

Researchers from Vrije Universiteit in Amsterdam, Netherlands, noted in their paper, Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector, that the "exploit can allow an attacker to gain arbitrary memory read [and] write access and 'own' a modern Microsoft Edge browser, even when the target browser is entirely free of bugs, with all its defenses turned on."

The attack leverages memory deduplication processes built into Windows 8.1 and Windows 10 to craft a reliable exploit based on the Rowhammer hardware vulnerability. Memory deduplication is a popular method used to minimize memory usage by combining memory pages that contain the same data, while a Rowhammer exploit repeatedly accesses a row of memory, causing bit flips in adjacent rows of some DRAM devices.
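As an added illustration (not code from the paper or this article), the toy model below shows the page-combining mechanism described above: every page is hashed, pages with identical contents are remapped to a single physical frame, and an ordinary software write to a shared frame is intercepted by copy-on-write so one process cannot alter another process's copy. Process IDs, page contents and the 4 KiB page size are constructed sample values.

```python
import hashlib
from dataclasses import dataclass
PAGE_SIZE = 4096  # 4 KiB pages, as on x86 Windows

@dataclass
class Frame:               # one physical page frame
    data: bytearray
    refcount: int = 1      # >1 means the frame is shared (deduplicated)

class DedupMemory:
    def __init__(self):
        self.page_tables = {}  # pid -> {virtual page number: Frame}
    def map_page(self, pid, vpn, contents):
        self.page_tables.setdefault(pid, {})[vpn] = Frame(bytearray(contents))
    def frames_in_use(self):  # distinct physical frames, counted by identity
        return len({id(f) for pt in self.page_tables.values() for f in pt.values()})
    def deduplicate(self):
        """Dedup pass: hash every page and remap identical pages to one frame."""
        canonical = {}  # content hash -> the Frame that keeps the data
        for pt in self.page_tables.values():
            for vpn, frame in list(pt.items()):
                keeper = canonical.setdefault(hashlib.sha256(frame.data).digest(), frame)
                if keeper is not frame:
                    frame.refcount -= 1  # duplicate frame is released
                    keeper.refcount += 1
                    pt[vpn] = keeper
    def write(self, pid, vpn, offset, value):
        """Software write: a shared frame is copied first (copy-on-write)."""
        frame = self.page_tables[pid][vpn]
        if frame.refcount > 1:
            frame.refcount -= 1
            frame = Frame(bytearray(frame.data))
            self.page_tables[pid][vpn] = frame
        frame.data[offset] = value

def demo():
    mem = DedupMemory()  # constructed sample: two processes share two page contents
    zero, lib = bytes(PAGE_SIZE), b"library code".ljust(PAGE_SIZE, b"\0")
    for pid in (1, 2):
        mem.map_page(pid, 0, zero); mem.map_page(pid, 1, lib)
    mem.map_page(2, 2, b"private data".ljust(PAGE_SIZE, b"\0"))
    before = mem.frames_in_use()              # 5 frames allocated
    mem.deduplicate()
    after = mem.frames_in_use()               # 3 frames after combining
    shared = mem.page_tables[1][1] is mem.page_tables[2][1]
    mem.write(1, 1, 0, 0x41)                  # process 1 writes to its library page
    split = mem.page_tables[1][1] is not mem.page_tables[2][1]
    intact = mem.page_tables[2][1].data[:12] == b"library code"
    return before, after, shared, split, intact
```

Copy-on-write only intercepts writes that go through the page tables; a bit flip induced in the DRAM itself lands in the shared frame and is seen by every process mapping it, which is why combining pages across trust boundaries matters in the presence of Rowhammer.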

According to Robert Graham, CEO of Atlanta-based Errata Security, both of these types of exploits are rare, making the combination ingenious, but of limited use right now.

"It's a practical way of getting some small bit of data out of a system if you already know a lot about what is going on in the system," Graham said. "It could be used to reveal passwords, or it could be used in other cases to find sensitive pieces of data from the machine that could be combined to exploit the machine. Rowhammer is a physical attack and deduplication is part of the operating system, which means anything right on the machine is potentially vulnerable to that."

Graham noted the risk was limited by a few factors, the first of which is that the attacker would need to know what is on a system in order to make the most use of the exploit. Additionally, the attack won't work on every device. Not only does the memory deduplication exploit require Windows 8.1 or Windows 10 and a JavaScript exploit in the Microsoft Edge browser, but Rowhammer only works on certain DRAM chips.

Graham said Rowhammer is not something hackers can exploit widely. More reliable exploits have been developed for DDR3 DRAM chips, but newer machines use DDR4 memory, which has not been as vulnerable. Only certain DDR4 chips have been found to be vulnerable to Rowhammer.

"That's one of those things about exploits -- over time, they only get worse. So, when Rowhammer came out, it was just DDR3, and now it's DDR4 and there's this interaction with this Microsoft feature," Graham said. "It only gets worse."
