2025-03-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Today I would like to talk about the early warning for the Rowhammer attack variant RAMpage, which many people may not know much about. To help you understand it better, I have summarized the following content; I hope you get something out of this article.
0x00 Event overview
360-CERT recently observed that an international academic research team has reported that almost all Android devices released since 2012 are vulnerable to a new vulnerability named RAMpage (CVE-2018-9442), a variant of the Rowhammer vulnerability. The team also stated that, as the analysis deepens, it may turn out to affect personal computers, cloud platforms, and Apple products as well.
After evaluation, the 360-CERT team rates the risk level of this vulnerability as important and advises users to refer to the mitigation measures below for defense.
0x01 Vulnerability description
Rowhammer is a hardware reliability problem in recent generations of DRAM chips. A few years ago, researchers found that when an attacker reads and writes the same memory address rapidly and repeatedly, the read and write operations generate an electrical disturbance that alters the data at adjacent memory addresses.
The difference between the earlier Drammer Rowhammer vulnerability and the newer RAMpage Rowhammer vulnerability is that RAMpage specifically targets the Android memory subsystem ION with Rowhammer attacks.
The RAMpage vulnerability (CVE-2018-9442) allows an unprivileged Android application running on a device to gain root privileges using the previously disclosed Drammer attack. By attacking ION with Rowhammer, an attacker can use RAMpage to break the isolation between user space and system space, allowing the attacker to gain root privileges on the target device and access its data, such as passwords stored in browsers, personal photos, e-mails, instant messages and even sensitive business documents.
Google's 2016 mitigation measures:
In 2016, after the details of the Drammer attack were made public, Google released a patch for Android devices that disabled the ION component responsible for contiguous memory allocation (the kmalloc heap), in an attempt to reduce the risk of Rowhammer exploitation.
With the contiguous heap disabled, applications and system processes running on Android devices depend on the other kernel heaps that remain in the ION memory manager, such as the system heap, which allocates memory at random physical locations.
In addition to non-contiguous memory allocation, the system heap further improves security by allocating kernel memory and user memory from the lowmem and highmem zones, respectively.
Specific attack steps:
1. Deplete the system heap. If an attacker deliberately depletes all of ION's internal pools, a different memory allocation algorithm is used to satisfy allocations. Since the main purpose of that algorithm is to minimize memory fragmentation, it ends up handing out contiguous pages (thus bypassing mitigation measure 1 from 2016).
To increase the chances of exploitation, the attacker can further bypass the zone separation used by the system heap. To force their memory pages into the lowmem zone where the kernel pages reside, the attacker keeps allocating memory until no memory is left. Once this happens, the kernel serves subsequent requests from lowmem (bypassing mitigation measure 2 from 2016).
2. Shrink the cache pool. Using the Flip Feng Shui exploitation vector, the attacker can induce the kernel to store page tables in vulnerable pages.
Releasing the physical memory of the system heap pools back to the kernel indirectly forces the ION subsystem to reuse previously freed memory pages, so that the kernel stores page tables in those recycled pages.
3. Root the device. Performing the two steps above places the operating system's page-table pages directly adjacent to pages controlled by the attacker; the attacker then uses Rowhammer to carry out the remaining attack steps and root the device.
The other three attack methods:
ION-to-ION (Variant R1)
CMA-to-CMA attack (Variant R2)
CMA-to-system attack (Variant R3)
0x02 Scope of impact
The report says all Android-based devices from 2012 to the present may be affected by the vulnerability. The research team believes that RAMpage may also affect Apple devices, home computers and even cloud servers.
0x03 Repair recommendations
Currently, users need to wait for the official patches for the relevant products. Ordinary users are advised to install applications only from trusted sources.
The research team has released a fix: https://github.com/vusec/guardion. An Android test tool is available at: https://vvdveen.com/drammer.apk
The vulnerability research team provided a fix called GuardION:
The GuardION code must be installed as a patch to the Android operating system. It modifies the ION memory manager so that it isolates these sensitive buffers by inserting an empty guard row on each side, one to the left and one to the right, keeping them more than one row away from attacker-controlled memory.
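As an added illustration (not the GuardION project's code), the following C model shows why guard rows on either side of a sensitive buffer keep attacker-controlled rows from ever being physically adjacent, and why a plain allocator fails under the memory-exhaustion step described in the attack steps above. The row layout, NUM_ROWS and all function names are constructed for this example.

```c
/* Toy model of the GuardION idea: a row-granular allocator that keeps an empty
 * guard row on each side of every sensitive buffer (e.g. a page-table page), so
 * attacker-controlled rows are never adjacent. Constructed; not GuardION's code. */
#include <stdbool.h>
#include <string.h>
#define NUM_ROWS 32   /* constructed: a tiny DRAM bank, one slot per row */
enum row_state { ROW_FREE = 0, ROW_USER, ROW_SENSITIVE, ROW_GUARD };

/* First-fit allocation of one row for untrusted (user) data; -1 when full. */
int user_alloc(enum row_state *rows) {
    for (int i = 0; i < NUM_ROWS; i++)
        if (rows[i] == ROW_FREE) { rows[i] = ROW_USER; return i; }
    return -1;
}

/* Allocate n sensitive rows. guard=true pads the run with one GUARD row on each
 * side that is never handed out; guard=false models the unprotected allocator. */
int sensitive_alloc(enum row_state *rows, int n, bool guard) {
    int pad = guard ? 1 : 0, span = n + 2 * pad;
    for (int start = 0; start + span <= NUM_ROWS; start++) {
        bool free_run = true;
        for (int i = start; i < start + span; i++)
            if (rows[i] != ROW_FREE) { free_run = false; break; }
        if (!free_run) continue;
        if (guard) rows[start] = rows[start + span - 1] = ROW_GUARD;
        for (int i = start + pad; i < start + pad + n; i++) rows[i] = ROW_SENSITIVE;
        return start + pad;   /* index of the first sensitive row */
    }
    return -1;
}

/* True if a USER row directly neighbours a SENSITIVE row (hammering could reach it). */
bool user_adjacent_to_sensitive(const enum row_state *rows) {
    for (int i = 0; i < NUM_ROWS; i++) {
        if (rows[i] != ROW_SENSITIVE) continue;
        if (i > 0 && rows[i - 1] == ROW_USER) return true;
        if (i + 1 < NUM_ROWS && rows[i + 1] == ROW_USER) return true;
    }
    return false;
}

/* Write-up scenario: page-table pages allocated, then the attacker exhausts memory. */
bool isolation_holds(bool guard) {
    enum row_state rows[NUM_ROWS];
    memset(rows, 0, sizeof rows);
    user_alloc(rows);                 /* unrelated user data already present */
    sensitive_alloc(rows, 2, guard);  /* e.g. two page-table pages */
    while (user_alloc(rows) >= 0) {}  /* memory exhaustion step */
    return !user_adjacent_to_sensitive(rows);   /* true when isolation held */
}
```

With guard rows the exhausted bank still leaves no user row next to the page-table rows; without them the first-fit allocator places attacker data directly beside them.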
After reading the above, do you have a better understanding of the early warning for the Rowhammer attack variant RAMpage? If you want to learn more, please follow the industry information channel; thank you for your support.