RAMBleed Side-Channel Attack Method Disclosed by Researchers
Academic researchers this week published information about another side-channel attack method, called "RAMBleed," that can expose information from memory chips, including encryption key information.
The vulnerability, listed as CVE-2019-0174, got the RAMBleed name because random access memory "bleeds its contents, which we then recover through a side channel," the researchers explained at their RAMBleed page. The side-channel aspect perhaps may refer to speculative execution side-channel attack methods, which are ways to coax information from microprocessors. The hardware and software industry first publicized those attack methods in January of last year with the publication of the "Meltdown" and "Spectre" attack methods. Many more such methods have since emerged from researchers.
RAMBleed is a little different in that it's used to read data from dynamic random access memory (DRAM) chips. It leverages Rowhammer, a DRAM flaw described about four years ago, which is exploited to cause bits in neighboring memory rows to flip their values. The researchers found that they could use those flips to determine information in an adjacent memory row. In their RAMBleed proof-of-concept description, their attack method was used to "leak a 2048-bit RSA key," they explained.
The attack objective in this case was information in an OpenSSH 7.9 RSA key, but "RAMBleed can be used for reading other data as well," the researchers noted. They performed a proof-of-concept attack as part of their research. It's unclear if the techniques have been used by anyone else for actual attacks.
Machines with memory chips susceptible to Rowhammer attacks are potentially vulnerable, including "both DDR3 and DDR4 with TRR (targeted row refresh) enabled," the researchers indicated. However, they also suggested that upgrading to DDR4 with TRR turned on would still serve as a mitigation because exploits are "harder to accomplish in practice."
Chipmakers have been fairly low key about RAMBleed. Intel Corp. echoed the researchers' mitigation advice in an article, and also suggested that the "Intel Software Guard Extensions (Intel SGX) can be used to protect systems from RAMBleed attacks."
Oracle provided perhaps the clearest description about RAMBleed, noting that machines running DDR2 and DDR1 memory chips aren't affected. Oracle's article importantly highlighted that "successfully leveraging RAMBleed exploits require that the malicious attacker be able to locally execute malicious code against the targeted system." Software patches on top of the mitigation efforts likely won't be required for Oracle products, the company suggested.
Red Hat noted in an article that there are at least three known DRAM fault exploits, namely "Rowhammer," "Spoiler" and "RAMBleed." The exact mitigation approach to use apparently depends on the hardware vendor, according to the article:
There are a few commonly proposed hardware-based mitigations against Rowhammer that have potential to also mitigate RAMBleed. These are Targeted Row Refresh (TRR), increased DRAM refresh intervals (doubled DRAM refresh rate), and use of ECC memory. The extent to which these strategies may actually mitigate the problem varies and is hardware platform specific. Vendors are anticipated to provide suitable platform specific guidance.
Apparently, client devices are mostly subject to RAMBleed attacks. For instance, the article stated that a RAMBleed attack "has not been demonstrated on server platforms in part due to the added complexity introduced by the widespread use of ECC [error-correcting code] memory." However, it's theoretically possible to circumvent ECC, the article added.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.