I submitted a fairly light-on-details article about this about a week ago. This link will take you to the arXiv site and it's probably not something most folks here are going to need to read - though the extract might be worth reading.
If you understand what a rowhammer attack is, this is a new attack that's enabling you to do that attack over a network.
I'm not sure I can put this into accurate text, but I'm going to try.
When you run a program, your operating system puts it in RAM. This is a physical location on the RAM stick - it's an address. The rowhammer attack is basically smashing your way out of that physical address space to try to exploit/see what's in an adjacent stack. Now, your operating system probably uses something called random address space allocation (or something similar) which means that things aren't always placed in the same spot in the memory.
So, this rowhammer is basically smashing the nearby memory blocks to see what it can find. It's not very specific and it's not always a well-aimed threat - but it's effective because it can be done with brute force. If you smash enough bricks in BreakOut, you'll go on to the next level. Think of it like that.
Well, this new attack is novel because they're doing this over a network. Before, rowhammer was always done locally - on your CPU and RAM. This enables the attacker to instigate the attacks remotely.
Now, how realistic is this in the wild? Probably not very. It's probably not a giant threat unless you're a very, very high value target. There are actually easier ways, but this is just one more card to put in the attacker's deck. If they can't get you with spear phishing, they can try this.
Again, you're almost certainly not at risk. There's nothing you have on your computer that's worth the effort and investment this is going to take. An attacker that you'd be worried about is almost certainly a mass attack and this is for very, very specific targets.
Put it this way, if you're at risk of being attacked by this - then you sure as shit should know more about this than I do.
Anyhow, I've tried to give you a light description of it. That's how I understand it and I welcome correction or addition - but I think I have it fairly well understood. As I used to work with data that was proprietary and distinctly did not belong to me, I employed people who did things like give talks at BlackHat and Defcon. I've been to both, a number of times, and other such conferences.
I'm by no means an expert. I employed experts. There's a huge difference. The best I can offer is a light description and try to answer any questions.