Rowhammer is a hardware vulnerability in certain types of dynamic random-access memory (DRAM) chips. It lets an attacker alter data in memory without having direct access to that data: repeatedly accessing (or “hammering”) one row of memory cells disturbs the cells in physically adjacent rows, which can cause a bit flip there (a 0 becoming a 1 or the other way around). Attackers can then exploit this ability for malicious purposes.
The issue was first documented by researchers at Google’s Project Zero in 2014. However, the academic community had been discussing the fundamental vulnerability even before that. At first, the flaw was considered hard to exploit in the real world. But researchers have since developed several proofs of concept that show its potential uses, including remote attacks.
Dangers of rowhammer
- Privilege escalation. If a malicious program can cause a bit flip in the right place, it can elevate its privileges on a system. That would let it perform actions its original permissions did not allow.
- Information leakage. The rowhammer bug can be used to break isolation between different processes and between user space and kernel space. That would allow an attacker to access sensitive information.
- Persistence. Because it’s a hardware issue, rowhammer can’t be fixed with a software patch. The problem persists until the affected hardware is replaced.
- Widespread impact. Many modern devices, from servers to smartphones, use the types of DRAM that are vulnerable to rowhammer.
- Remote exploitability. The initial demonstrations of the rowhammer bug required local access to the machine. But later research showed that it could be exploited remotely, for example, through a malicious website. This increases the potential attack surface significantly.
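As an added illustration, not part of the original page: one defensive check a practitioner can build on the mechanism described at the top. Hammering a row means issuing DRAM accesses far more often than ordinary code does, and those accesses have to bypass the CPU caches to reach DRAM at all, so the signature that hardware performance counters expose is a sustained, abnormally high last-level-cache (LLC) miss rate from a single process. The Python below applies that idea to constructed per-process counter readings. The `Sample` type, the thresholds and the sample values are assumptions for the example, not measurements; a real deployment would read the counters with a tool such as `perf` and calibrate the thresholds for its own hardware.

```python
"""Flag processes whose last-level-cache (LLC) miss rate looks like row hammering.

Toy detector over constructed counter samples (not a production tool).
Hammering needs a very high rate of uncached DRAM accesses, so a process
whose LLC-miss rate stays far above normal for a sustained period is
suspicious. The sustained-duration requirement filters out short legitimate
bursts (e.g. a large memcpy) that would otherwise trip a plain threshold.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    ts_ms: int       # time of the reading, in milliseconds
    pid: int         # process the counter belongs to
    llc_misses: int  # cumulative LLC misses for pid at ts_ms


# Assumed thresholds (not calibrated values): the miss rate above which a
# process is suspicious, and how long it must stay above it to be reported.
MISS_RATE_THRESHOLD = 5_000_000  # misses per second
SUSTAINED_MS = 200               # consecutive milliseconds above threshold


def miss_rates(samples):
    """Turn cumulative counter readings into per-interval rates (misses/s).

    Returns {pid: [(t_start_ms, t_end_ms, rate), ...]} in time order.
    Out-of-order duplicates and counter resets are skipped rather than
    turned into nonsense rates.
    """
    by_pid = defaultdict(list)
    for s in sorted(samples, key=lambda s: (s.pid, s.ts_ms)):
        by_pid[s.pid].append(s)
    rates = {}
    for pid, seq in by_pid.items():
        intervals = []
        for prev, cur in zip(seq, seq[1:]):
            dt_ms = cur.ts_ms - prev.ts_ms
            if dt_ms <= 0:
                continue  # duplicate timestamp; no interval to rate
            delta = cur.llc_misses - prev.llc_misses
            if delta < 0:
                continue  # counter reset or wrap; rate is not computable
            intervals.append((prev.ts_ms, cur.ts_ms, delta * 1000 / dt_ms))
        rates[pid] = intervals
    return rates


def suspicious_pids(samples, threshold=MISS_RATE_THRESHOLD,
                    sustained_ms=SUSTAINED_MS):
    """Return the set of pids whose miss rate stayed at or above `threshold`
    for at least `sustained_ms` of consecutive sampling intervals."""
    flagged = set()
    for pid, intervals in miss_rates(samples).items():
        run_ms = 0
        for t0, t1, rate in intervals:
            if rate >= threshold:
                run_ms += t1 - t0
                if run_ms >= sustained_ms:
                    flagged.add(pid)
                    break
            else:
                run_ms = 0  # the run was interrupted; start over
    return flagged


# Constructed readings, cumulative counters sampled every 100 ms:
#   pid 101: steady, low miss rate (ordinary workload)
#   pid 202: one short burst above threshold, then quiet (large memcpy)
#   pid 303: sustained, very high miss rate (hammering-like signature)
SAMPLES = [
    Sample(0, 101, 0), Sample(100, 101, 50_000), Sample(200, 101, 100_000),
    Sample(300, 101, 150_000), Sample(400, 101, 200_000),
    Sample(0, 202, 0), Sample(100, 202, 800_000), Sample(200, 202, 820_000),
    Sample(300, 202, 840_000), Sample(400, 202, 860_000),
    Sample(0, 303, 0), Sample(100, 303, 900_000), Sample(200, 303, 1_800_000),
    Sample(300, 303, 2_700_000), Sample(400, 303, 3_600_000),
]

if __name__ == "__main__":
    print("suspicious pids:", sorted(suspicious_pids(SAMPLES)))
```

Only pid 303 is reported with the default thresholds: pid 202 exceeds the rate threshold for a single 100 ms interval, which is shorter than `SUSTAINED_MS`, so it is treated as a burst rather than hammering. Lowering `sustained_ms` to 100 would flag it too, which is the trade-off a real deployment tunes against its own false-positive budget.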