
RAMBleed: A Rowhammer-based side-channel attack that reads memory bits without accessing them


A team of academic researchers recently unveiled a new class of Rowhammer-based attack known as RAMBleed. This newly discovered side-channel attack allows attackers to read memory data on a victim’s Windows computer, without actually accessing the memory.

This vulnerability, listed as CVE-2019-0174, is called RAMBleed because the RAM “bleeds its contents, which we then recover through side channel,” the researchers explained on the RAMBleed page.

RAMBleed is used to read data from dynamic random access memory (DRAM) chips. It leverages Rowhammer, a DRAM flaw which is exploited to cause bits in neighboring memory rows to flip their values.

In their research paper titled “RAMBleed: Reading Bits in Memory Without Accessing Them”, the researchers have shown how an attacker, by observing Rowhammer-induced bit flips in her own memory, can deduce the values in nearby DRAM rows. Thus, the researchers say that RAMBleed shifts Rowhammer from being a threat only to integrity to being a threat to confidentiality as well. This paper will be presented at the 41st IEEE Symposium on Security and Privacy in May 2020.

The researchers also said that they have successfully used RAMBleed to obtain a signing key from an OpenSSH server: they leaked a 2048-bit RSA key using normal user privileges, enabling information to be taken from targeted devices. To do so, “we also developed memory massaging methods and a technique called Frame Feng Shui that allows an attacker to place the victim’s secret-containing pages in chosen physical frames,” the researchers mention in their paper.

Source: RAMBleed.com

Any system that uses Rowhammer-susceptible DIMMs is vulnerable to RAMBleed. Machines with memory chips “both DDR3 and DDR4 with TRR (targeted row refresh) enabled” are vulnerable. Users can mitigate their risk by upgrading their memory to DDR4 with targeted row refresh (TRR) enabled.

Intel published mitigation advice in an article and further suggested that “Intel Software Guard Extensions (Intel SGX) can be used to protect systems from RAMBleed attacks.”

Oracle, in their blog post, state that machines running DDR2 and DDR1 memory chips aren’t affected. “successfully leveraging RAMBleed exploits require that the malicious attacker be able to locally execute malicious code against the targeted system,” Oracle states. No additional security patches are expected for Oracle product distributions, the company said.

Red Hat, in an article, states that there are at least three known DRAM fault exploits: “Rowhammer,” “Spoiler” and “RAMBleed.” The mitigation approach depends on the hardware vendor, according to Red Hat:

There are a few commonly proposed hardware-based mitigations against Rowhammer that have potential to also mitigate RAMBleed. These are Targeted Row Refresh (TRR), increased DRAM refresh intervals (doubled DRAM refresh rate), and use of ECC memory. The extent to which these strategies may actually mitigate the problem varies and is hardware platform specific. Vendors are anticipated to provide suitable platform-specific guidance.
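As an added example (not from the article or any vendor advisory), the following Python sketch triages a host's DIMM inventory against the statements quoted above: DDR3 and DDR4 are in scope, DDR1 and DDR2 are not affected, and ECC is one of the proposed mitigations. It assumes a Linux host where `dmidecode --type 17` is available; the sample text is constructed, and SMBIOS data does not report whether TRR is enabled, so that still has to come from the hardware vendor.

```python
import re

# Constructed sample of `dmidecode --type 17` output, abbreviated (not from a real host).
SAMPLE = """\
Memory Device
    Total Width: 72 bits
    Data Width: 64 bits
    Size: 16 GB
    Locator: DIMM_A1
    Type: DDR4

Memory Device
    Total Width: 64 bits
    Data Width: 64 bits
    Size: 8192 MB
    Locator: DIMM_B1
    Type: DDR3

Memory Device
    Size: No Module Installed
    Locator: DIMM_B2
    Type: Unknown
"""

IN_SCOPE = {"DDR3", "DDR4"}     # generations the article names as vulnerable
NOT_AFFECTED = {"DDR", "DDR2"}  # per the Oracle statement quoted in the article

def _bits(value):
    m = re.match(r"(\d+) bits", value or "")
    return int(m.group(1)) if m else None

def triage(dmi_text):
    """Return one dict per populated DIMM slot; None means 'cannot tell'."""
    report = []
    for block in re.split(r"\n\s*\n", dmi_text):
        f = dict(re.findall(r"^[ \t]+([^:\n]+): (.*)$", block, re.M))
        if "Type" not in f or f.get("Size", "").startswith("No Module"):
            continue  # not a memory-device block, or an empty slot
        total, data = _bits(f.get("Total Width")), _bits(f.get("Data Width"))
        gen = f["Type"]
        in_scope = True if gen in IN_SCOPE else False if gen in NOT_AFFECTED else None
        # ECC modules carry extra check bits, so total width exceeds data width.
        ecc = None if None in (total, data) else total > data
        report.append({"slot": f.get("Locator"), "type": gen, "in_scope": in_scope, "ecc": ecc})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

On a real host, pass the captured output of `dmidecode --type 17` to `triage()` in place of `SAMPLE`.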

To know more about RAMBleed in detail, visit its official page.


Savia Lobo
