“When a system is regarded as absolutely safe, our curiosity is awakened,” explains Daniel Gruss from the Institute of Applied Information Processing and Communication Technology at TU Graz. As part of the Secure Systems working group, the researcher is occupied with the security of IT systems and in particular rowhammer attacks. Together with colleagues Michael Schwarz and Moritz Lipp, he has recently published research results which have generated excitement in the community to say the least and possibly may lead to a complete rethink.
Accessing the computer system using (code) hammer
Rowhammer attacks were first recognised as a security problem and scientifically investigated in 2014. Attackers exploit vulnerabilities in the hardware to gain access to computer systems. The security holes are not real hardware faults, but rather come about because the DRAM modules in our computers – the memory – are becoming increasingly smaller. These models are composed of individual cells which are either charged (1) or not charged (0) and whose value determines all the computational processes. These small memory cells lying next to each other are arranged in rows and shielded from each other by insulation to prevent disturbance and computer errors. But this only works in a certain, specified context – in other words, only for a particular number of accesses in a predefined period. If the speed of accesses or their number is too high, this can lead to errors. Because computer components are becoming increasingly smaller and at the same time more powerful, and due to the fact that the cells lie even closer together, disturbance errors can be caused, when many cells are accessed or accessed at very high speeds, which change the value of a single cell.
Cells in which sensitive information such as administration rights are defined cannot usually be accessed externally. But the adjacent cells which are used for ordinary computer processes, for instance which are necessary for surfing in internet, can be accessed externally. When these adjacent, unprotected cells are accessed at very high frequency, the value of the attacked cell can be altered due to the resulting disturbance errors. Rowhammer attacks work on this principle. Daniel Gruss explains: “If the administration rights lie exactly in this cell, then the attacker has full access to the system and can, for instance, install malware.”
In 2015 the research team demonstrated that such an attack can be launched while surfing in internet using a Java script from a malicious advertisement on a trustworthy website. Such attacks can also be carried out on smartphones.
A memory module removed from a computer system. These components are the target of rowhammer attacks.
Hardware and software producers have responded to this problem and offered solutions. “The basic assumption underlying our understanding of such attacks and thus all defensive measures up to now was that the attacker had to hammer two rows of cells at the same time in order to bring about a change in value,” explained Gruss. “This creates a very distinctive attack pattern to which one can respond in defence measures.”
“Research developed to such an extent last year that it was assumed that the new hardware components were absolutely safe.” But the TU Graz researchers have now been able to show that the basic underlying assumption was wrong.
After working through the code the whole night long, we knew that this discovery changed everything.
“We examined a new security feature for vulnerabilities. This security feature hides all the computational processes: you don’t see what is going on inside from the outside. We wanted to know what happens when we incorporate a rowhammer attack,” explains Gruss. But the computer crashed again and again. “At first we thought a programming error was the cause, but after working through the code the whole night long, we knew that this discovery changed everything.” This novel combination meant that only one row of cells needed to be hammered to change the value of the attacked cell. As an example, if you use programmes which receive temporary administrator rights for installation processes – for instance a Windows update – then it’s easy for the attacker to get the necessary rights to install malware.
The basis for a rowhammer attack is a precise knowledge of what goes on in the hardware.
Low risk in everyday life
Despite the relative simplicity of the attack, the researchers are playing down the danger it can cause. “Rowhammer attacks are very time consuming and complex. You wouldn’t do something like this for fun,” says Gruss. “You can gain access to the system within seconds through a security hole in the software. It would take hours or even days using the new rowhammer possibilities.”
You can gain access to the system within seconds through a security hole in the software. It would take hours or even days using the new rowhammer possibilities.
But aren’t the researchers with their publication giving criminals the instructions they need for new attacks? “Of course it’s a balancing act. And in our field it’s usual to publish the source code. You have to choose carefully what the research community needs and what would be better not to publish,” explains Gruss. “But it’s better than doing no research at all. Because then the public wouldn’t know anything about these security holes. And hackers could do exactly the same work that we do and track down the holes themselves. Only through public pressure do manufacturers respond to these problems.”
This field of research is part of the FoE „Information, Communication & Computing“, one of TU Graz´s five research foci.