This attack is effective against RAM-based devices such as virtual machines, where key material is often stored. The Rowhammer fault injection attack is only effective against RAM-based devices; there is no known way to carry it out against devices that store their key material in non-volatile storage such as hard drives or SSDs.

Impacted products:

- VMware (RAM-based)
- Microsoft Hyper-V (RAM-based)
- QEMU (RAM-based)
- Xen (RAM-based)
- Amazon EC2 (RAM-based)
- Alibaba Cloud (RAM-based)
- Google Cloud Platform (RAM-based)
- clouds operated by Huawei, Tencent, etc. (RAM-based)
- clouds operated by Ubiquiti, Citizen, etc. (RAM-based)
- clouds operated by ZTE, Lenovo, etc. (RAM-based)
- clouds operated by Huawei, Tencent, etc. (hard drive-based)
- clouds operated by Ubiquiti, Citizen, etc. (hard drive-based)
- clouds operated by ZTE, Lenovo, etc. (hard drive-based)
- clouds operated by Huawei, Tencent, etc. (SSD-based)
- clouds operated by Ubiquiti, Citizen, etc. (SSD-based)
- clouds operated by ZTE, Lenovo, etc. (SSD-based)
- clouds operated by Huawei, Tencent, etc. (SSD-

How does the Rowhammer attack work?

When a row of memory cells is being accessed, the Rowhammer fault injection attack can cause a cell in a neighbouring row to flip from one state (1, high, or 0, low) to the other. The vulnerable program then reads or writes the changed value in that cell instead of the intended one.

The Rowhammer fault injection attack takes advantage of an inherent property of modern DRAM chips: the charge stored in one row can differ from, and interfere with, the charge in other rows. When a row is accessed repeatedly, it can disturb nearby rows that hold different states. This behavior is known as "row hammering."
This attack leverages how DRAM cells are organized in rows and columns of capacitors. By driving the voltage on memory cells at the right moments, the attacker can cause nearby rows to change state, so that the program reads from or writes to unintended values.
This vulnerability only affects programs that operate on data in RAM; no other system components are affected by this flaw.
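Because the flaw silently changes a bit of key material held in RAM, the defensive question is whether a program notices before it uses the corrupted key. The following Python is an added example, not code from the page or from any vendor listed above: it keeps a SHA-256 digest next to a constructed sample key, re-checks the digest before each use, simulates a single Rowhammer-style bit flip, and locates which bit changed for triage. Every name here is hypothetical.

```python
import hashlib
import hmac

# Constructed sample key material (32 bytes), standing in for a key that
# lives in RAM as the page describes. Not a real key.
SAMPLE_KEY = bytes(range(32))


def protect(key: bytes) -> tuple[bytes, bytes]:
    """Return the key together with a SHA-256 digest stored alongside it."""
    return key, hashlib.sha256(key).digest()


def verify(key: bytes, digest: bytes) -> bool:
    """Re-check the stored digest; False means the bytes in RAM changed."""
    return hmac.compare_digest(hashlib.sha256(key).digest(), digest)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate one Rowhammer-style bit flip (1 -> 0 or 0 -> 1) at bit_index."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def locate_flips(expected: bytes, actual: bytes) -> list[int]:
    """List the bit indices that differ, for incident triage after a failed check."""
    flips = []
    for i, (a, b) in enumerate(zip(expected, actual)):
        diff = a ^ b
        for bit in range(8):
            if diff & (1 << bit):
                flips.append(i * 8 + bit)
    return flips


def use_key(key: bytes, digest: bytes) -> bytes:
    """Refuse to derive anything from key material whose digest no longer matches."""
    if not verify(key, digest):
        raise RuntimeError("key material integrity check failed: possible bit flip")
    return hashlib.sha256(b"derive:" + key).digest()


def demo() -> dict:
    """Intact key passes; a key with bit 77 flipped fails and is pinpointed."""
    key, digest = protect(SAMPLE_KEY)
    corrupted = flip_bit(key, 77)
    return {
        "intact_ok": verify(key, digest),
        "corrupted_ok": verify(corrupted, digest),
        "flipped_bits": locate_flips(key, corrupted),
    }
```

A digest only detects corruption; to recover from it a program also needs a redundant copy of the key, and the check itself must run often enough that a flip cannot slip in between verification and use.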

The Rowhammer attack

The Rowhammer attack, also known as the Rowhammer bug, is a type of hardware vulnerability that relies on constant accesses to random memory locations in order to exploit it. In the simplest possible attack scenario, an attacker can use this method in order to read from what appears to be a constant location in memory: the system's stack pointer. If a program executes a function or instruction that causes the stack pointer to jump into what was previously thought to be unused memory, this new location may not actually be unused. This would cause a read or write operation at the former location (the stack pointer) to overwrite data stored at the latter location (the new stack pointer), which is often adjacent to system registers.

- "CVE-2022-42961"
- "Rowhammer fault injection attack"
- "Rowhammer attack"

Timeline

Published on: 10/15/2022 04:15:00 UTC
Last modified on: 10/20/2022 15:30:00 UTC

References