The row hammer bug

by Michael Tremer, March 11, 2015


Another week, another major security bug. This one has not been in all the newspapers yet, but I still wanted to drop some lines. The main thing: IPFire is kind of safe.

As a short introduction to the actual bug, let's see what Wikipedia says: Row hammer (also written as rowhammer) is an unintended side effect in dynamic random-access memory (DRAM) that causes memory cells to leak their charges and interact electrically between themselves, altering the content of nearby memory rows that were not actually addressed in the original memory access. This circumvention of the DRAM memory cells' isolation results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly access the same memory rows numerous times. The row hammer effect has been used in some privilege escalation computer security exploits. Different hardware-based techniques exist to prevent the row hammer effect from occurring, including required support in some processors and types of DRAM memory modules.

So this can actually be used to flip permission bits in system memory and give a process more rights than it should have, or worse. IPFire is patched with grsecurity and PaX. Some of their features make certain memory regions, including the ones holding those interesting bits and the memory around them, inaccessible to user-space processes. That makes it less likely that an attacker is able to flip bits to gain privileges or similar.

However, it is still possible to flip random bits in memory. This is a hardware bug, so it can be triggered by all sorts of software, completely independent of the operating system. I tested some hardware that I have access to. These are the results of running a test by Google:

IPFire Premium/Professional Appliance not vulnerable – uses ECC memory
IPFire Eco Appliance not vulnerable
IPFire Prime Appliance not vulnerable
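The Premium/Professional appliance is listed as safe because of its ECC memory, and on ECC hardware a flipped bit shows up as a corrected or uncorrected error that the Linux EDAC subsystem counts. The following script is an added example, not part of the original post or of IPFire, that sums those counters so an administrator can confirm ECC reporting is active and see whether errors have been logged; it assumes the kernel's EDAC driver is loaded and exposes /sys/devices/system/edac/mc/mc*/ce_count and ue_count.

```shell
#!/bin/sh
# Added example (not from the IPFire post): summarise Linux EDAC counters to
# see whether the box reports ECC memory and whether corrected (ce) or
# uncorrected (ue) errors have been logged. Assumes the EDAC driver exposes
# /sys/devices/system/edac/mc/mc*/ (override with EDAC_ROOT for testing).
EDAC_ROOT="${EDAC_ROOT:-/sys/devices/system/edac/mc}"

# Print "<controllers> <ce_total> <ue_total>" for all memory controllers under $1.
edac_totals() {
    root="$1"
    mcs=0; ce=0; ue=0
    for mc in "$root"/mc[0-9]*; do
        [ -d "$mc" ] || continue          # unmatched glob or stray file
        mcs=$((mcs + 1))
        [ -r "$mc/ce_count" ] && ce=$((ce + $(cat "$mc/ce_count")))
        [ -r "$mc/ue_count" ] && ue=$((ue + $(cat "$mc/ue_count")))
    done
    echo "$mcs $ce $ue"
}

# Return 0 when ECC error counting is available, 1 when no controller is exposed
# (ECC not active, unsupported chipset, or EDAC driver not loaded).
edac_report() {
    set -- $(edac_totals "$1")
    if [ "$1" -eq 0 ]; then
        echo "no EDAC memory controller found: ECC is not active or the driver is not loaded"
        return 1
    fi
    echo "memory controllers: $1, corrected errors: $2, uncorrected errors: $3"
    if [ "$3" -gt 0 ]; then
        echo "WARNING: uncorrected errors logged; memory contents may have been altered"
    fi
    return 0
}

# Report on the running system; a missing controller is not a script failure.
edac_report "$EDAC_ROOT" || :
```

A rising ce_count with the appliance otherwise idle is the signal worth alerting on, since ECC corrects single-bit flips silently and only the counter tells you they happened.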