Rowhammer targets Android devices again
Researchers have found a new variant of the Rowhammer attack technique, which they call RAMpage. The vulnerability could allow a hacker to build an exploit that gains administrative control over targeted Android smartphones and tablets, and it affects Android devices dating back to 2012. RAMpage follows a string of Rowhammer variants that have come to light since 2015, when researchers first identified the flaw in the DRAM memory of laptops and PCs. This latest iteration, CVE-2018-9442, was revealed on Thursday by a team of eight academics from four universities and two private companies, who published a technical breakdown of the vulnerability.
Over the last two years, the Rowhammer bug has evolved from a hard-to-exploit DRAM error into a fully weaponized means of attack. The researchers presented RAMpage, a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of a root exploit and a series of app-to-app exploits that bypass all defenses. Direct memory access (DMA) is a method that allows an input/output (I/O) device to send or receive data directly to or from main memory, bypassing the CPU to speed up memory operations. The process is managed by a chip known as a DMA controller (DMAC).
The original Rowhammer flaw is a method of repeatedly hammering rows of memory cells in DRAM devices to induce cells in adjacent rows to flip from one state to another. This kind of bit flipping is also described as electrical crosstalk or transistor leakage. Google's Project Zero initially discovered the Rowhammer vulnerability and showed how a malicious app could produce these bit flips and gain kernel-level privileges on laptops and PCs. In 2016, researchers found out how the PC-based Rowhammer technique could be applied to Android devices and give a hacker root access to millions of Android handsets, including Nexus, Samsung, LG and Motorola models.
The Drammer attack differed from the original Rowhammer in that it relies on the Flip Feng Shui exploitation technique. Flip Feng Shui carefully selects the sizes of allocations in the portion of memory where dynamically allocated data resides (the heap). The Rowhammer attack is then aimed at that portion of memory, where it can flip the state of adjacent memory bits and so create a way to manipulate memory. Those bit flips simply change a 0 to a 1 or a 1 to a 0, according to the researchers.
The latest variant, RAMpage, works in a similar way. It targets Android's generic memory management subsystem, ION, which Google introduced in 2011 as part of Android 4.0 to manage and allocate memory. An attack consists of repeated write and refresh requests to the device's RAM until a bit flips in an adjacent row, which opens the door to compromise of the device. The prerequisite for an attack is a user installing an unprivileged app capable of carrying it out; from there, a hacker who controls that zero-permission, unprivileged app running on the infected device can mount the attack.
The good news is that the researchers have also released GuardION, a software-based defense against RAMpage attacks. It prevents a hacker from modifying critical data structures by carefully enforcing a novel isolation policy. Although GuardION is not yet deployed in any operating system, efforts to deploy it are ongoing. Its source code is available online in the form of an Android kernel patch, which is currently not widely available and has only been tested on a Google Pixel running Android 7.1.1 (Nougat).
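To make the mechanism described above concrete, here is an added illustration; it is not code from the article nor from the RAMpage or GuardION researchers. The C program models DRAM as a handful of physically adjacent rows, lets heavy access to one row disturb a bit in each of its neighbours, and compares two placement policies for an untrusted DMA buffer: directly adjacent to a sensitive kernel structure, and separated from it by an unused guard row. The guard-row placement is a simplified stand-in for the isolation policy the article credits to GuardION, and the row model, the flip threshold and the sensitive data are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy DRAM model (constructed for illustration, not a real memory map):
 * NROWS physically adjacent rows of ROWBYTES bytes each. */
#define NROWS 8
#define ROWBYTES 32
#define DISTURB_THRESHOLD 100000u /* modelled activations before neighbours flip */

typedef struct {
    uint8_t rows[NROWS][ROWBYTES];
    unsigned activations[NROWS];
} dram_t;

/* Disturbance model: each time a row reaches DISTURB_THRESHOLD activations,
 * one bit in each physically adjacent row flips. This is a deterministic
 * simplification of the crosstalk the article describes; real hardware
 * flips bits probabilistically and at device-specific positions. */
static void model_row_access(dram_t *d, int row) {
    if (++d->activations[row] < DISTURB_THRESHOLD) return;
    d->activations[row] = 0;
    if (row > 0)         d->rows[row - 1][0] ^= 0x01;
    if (row + 1 < NROWS) d->rows[row + 1][0] ^= 0x01;
}

/* Constructed stand-in for a security-critical kernel structure. */
static const char SENSITIVE[ROWBYTES] = "kernel-cred-struct-0001";

/* Lay out memory under one of two allocation policies and drive heavy
 * access to the untrusted buffer's row. Returns the sensitive row index.
 *   guard_rows == 0: the DMA buffer sits right next to the sensitive row.
 *   guard_rows == 1: one unused row separates buffer and sensitive data,
 *                    the guard-row idea used here as a stand-in for
 *                    GuardION's isolation policy (an assumption). */
static int run_scenario(dram_t *d, int guard_rows) {
    const int sensitive_row = 2;
    const int buffer_row = sensitive_row + 1 + guard_rows;
    memset(d, 0, sizeof *d);
    memcpy(d->rows[sensitive_row], SENSITIVE, ROWBYTES);
    for (unsigned i = 0; i < DISTURB_THRESHOLD; i++)
        model_row_access(d, buffer_row);
    return sensitive_row;
}

/* 1 if the sensitive structure survived the disturbance unchanged, else 0. */
int sensitive_row_intact(int guard_rows) {
    dram_t d;
    int s = run_scenario(&d, guard_rows);
    return memcmp(d.rows[s], SENSITIVE, ROWBYTES) == 0;
}

static int popcount8(uint8_t v) {
    int n = 0;
    for (; v; v >>= 1) n += v & 1;
    return n;
}

/* Bits flipped in rows other than the sensitive one. Guard rows do not
 * remove the disturbance; they make it land in rows that hold nothing. */
int flipped_bits_outside_sensitive_row(int guard_rows) {
    dram_t d;
    int s = run_scenario(&d, guard_rows);
    int count = 0;
    for (int r = 0; r < NROWS; r++) {
        if (r == s) continue;
        for (int b = 0; b < ROWBYTES; b++) count += popcount8(d.rows[r][b]);
    }
    return count;
}

int main(void) {
    for (int g = 0; g <= 1; g++)
        printf("guard rows=%d: sensitive intact=%d, flips in other rows=%d\n",
               g, sensitive_row_intact(g), flipped_bits_outside_sensitive_row(g));
    return 0;
}
```

Without a guard row the disturbance from the buffer row lands directly in the sensitive row and the structure is corrupted; with one guard row on each side the same number of flips occurs, but they fall into rows that are deliberately left empty. That is the trade-off behind a placement-based defense: it spends memory on unused rows around DMA-reachable buffers rather than trying to stop the physical effect, which software cannot do.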