I like to read scientific papers investigating computer vulnerabilities. They have something that the information security industry often lacks, namely, caution when formulating certain assumptions. This is a virtue, but there is a drawback: as a rule, the practical benefits or harm from a newly discovered fact are not obvious, too fundamental phenomena are subjected to research. This year we learned a lot about new hardware vulnerabilities, starting with Specter and Meltdown, and usually this new knowledge appears in the form of scientific work. The qualities of these hardware problems are appropriate: entire classes of devices are subject to them, they are difficult (if not impossible at all) to be completely closed with software, the potential damage is also incomprehensible. What can I say, it is sometimes difficult to understand how they work at all.
It goes something like this with the Rowhammer class vulnerabilities. Four years ago, it was discovered that it was possible in principle to change the “neighboring” bits in the RAM module by regular read / write operations. Since then,
new research has
emerged showing how to apply this feature of tightly packed memory chips to practical attacks. Last week, a team of scientists from different countries showed a practical attack on Android smartphones RAMpage (
news ,
research ). How dangerous is this attack? Let's try to figure it out (spoiler: unclear for now).
Let me remind you, attack Rowhammer uses the fundamental features of memory chips. Specifically, the change in charge when writing to a specific cell (more precisely, a number of cells) affects the neighboring cells (rows), too. This is usually not a problem, since after a certain period of time the charges in all cells are updated. But if you often read and write a lot (tens and hundreds of thousands of times), you can change the value in memory cells to which you initially did not have access (everything written above is a vulgar simplification bordering on crime, and the
truth is only in the
original scientific work ). It is not easy to adapt this memory feature for any real attack: you need the right combination of system access rights, code location in memory, direct memory access without caching, and so on and so forth. Not immediately, but in four years there were quite a few examples of such combinations, and Rowhammer turned from a nice theory into a harsh practice.
When you need a picture about computers, hammers and securityI will not even try to retell in simple words the RAMpage attack. This attack bypasses the patches embedded in Android after the discovery (approximately by the same group of researchers) of the
Drammer attack in 2016. The combination of several previously known methods that provide direct access to the RAM in the
right place , and the features of the modern version of Android (the experiment used the LG G4 phone with Android 7.1.1) made it possible to get the superuser rights on the fully patched phone.
What is uncharacteristic for researching a new vulnerability, the authors of RAMPage also offer a way to close the vulnerability, and with a very slight drop in performance (according to Google, the drop is still significant there). Moreover, the mitigation (she also came up with a name - GuardION) allows you to turn back the optimization turned off in Android after a previous study.
In the best traditions of modern vulnerability marketing vulnerability (and patch) made the
site and logos . But since these are scientists, the FAQ on this site is extremely honest: “No, this is not Specter, not even near”. "No, we will not show you the PoC." “We don’t know if your phone is susceptible
, we only had money for one .” However, on the site you can download an application that will allow you to test your gadget for vulnerability yourself. The proposed code for mitigation is also
available on GitHub . Google is not inclined to exaggerate the danger of research: the attack "does not work on supported devices with Google Android." I want to say something good about the fragmentation of Android and the difference between supported and used, but somehow another time.
What, if expressed in ordinary Russian, happened? The researchers slightly raised the bar of the practicality of another attack that uses hardware vulnerabilities. It does not yet apply (and is unlikely to be) crime, and generally from the state of “received a root in the laboratory” to “we can attack a significant number of devices of real users” the path is not close. Google is aware, and somehow at least in new versions of Android keeps the problem under control. Such studies require a lot of time, and the danger lies in the possible abrupt transition from quantity (man-hours spent) to quality. Namely: the emergence of some relatively easy (at least as Meltdown) exploited hole, which can be closed either by buying a new device, or by dropping performance at times.
However, the sentence above is already a careless assumption (
but the author of the text is possible, he is not a scientist ). Meanwhile, another group of researchers seemed to have
found another hardware vulnerability, this time in the hyperthreading function in Intel processors. Moreover, the vulnerability was used to steal the encryption key from a process running in the neighboring thread of the same kernel. And OpenBSD's maintainers were so impressed with the results that they decided to turn off support for processor functionality in the distribution kit completely (with obvious consequences for performance). The research work is scheduled for publication at the Black Hat conference in August. We continue the observation.
Disclaimer: Ahhhh, I forgot to add a disclaimer in the previous post. What to do? What will happen to me? I'll be fired? Earth will fly on the heavenly axis? Find a vulnerability in power cables? Who am I? What kind of place is it? Such a bright white light. The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Dear editors generally recommend to treat any opinions with healthy skepticism.