Written by: Daniel Haurey on 08/20/18

throwhammer image

It’s been three years since the introduction of rowhammer, a technique of bypassing memory isolation protection mechanisms to flip bits in memory.  This attack occurs when a hacker gains code execution privileges on a local system and then rapidly writes and rewrites memory to force capacitor errors in DRAM.  This corruption of memory contents can lead to the wrong instructions being executed (i.e. malicious code), or control structures that govern how memory is assigned to programs being altered.  The second scenario can be used by a normal program to gain kernel-level privileges.

It used to be that hackers needed to local obtain code execution on a victim machine to carry out rowhammer attacks.  Not anymore.

Researchers in Amsterdam have just introduced a remote version of throwhammer dubbed throwhammer.  This new attack relies on the same idea that rapid writes and rewrites in memory can cause changes to DRAM capacitors (i.e. the individual bits of data in physical computer memory).

The difference between these two bit-flipping vulnerabilities is that throwhammer can be executed on a separate system connected to the same LAN.  So, the attack could be launched via a Gigabit-capable workstation or server within a corporate on-premise subnet, or from one cloud system to another in the same tenant.  This is possible because modern network cards have direct memory access (DMA) due to their Gigabit+ speeds.

Google has set up a public forum for anyone interested in discussing these row/throwhammer.