The emergence of two successful proof-of-concept 'Rowhammer' exploits affecting an unknown number of x86 systems proves that current design practices do not put enough emphasis on security, according to experts in the security community.
The concerns arose when Google Project Zero published a paper by researcher Mark Seaborn detailing two working Rowhammer exploits that could be used by hackers to gain privilege escalation.
The first exploit uses "Rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process", and can be used to "gain write access to its own page table, and hence gain read-write access to all of the physical memory".
The second uses a bug in Google's browser sandbox, Native Client, that was fixed in Chrome versions 38 and 39.
Rowhammer relates to a double data rate type-three synchronous dynamic random-access memory (DDR3) flaw discovered 2012. The flaw becomes apparent when DDR3 is used in high-performance computing applications.
Cisco explains in a Rowhammer threat advisory: "[It is] a flaw that existed in general purpose computing devices that were used to perform distributed high-speed data processing.
"The flaw became a prevalent issue due to the die shrinkage (40nm and below) of high-density DRAM parts, which enabled the creation of today's large capacity memory modules.
"This particular error was named ‘Rowhammer' as the flaw is triggered by the electrical charge of a row of memory cells being leaked into an adjacent row while the leaking row is ‘hammered' with active commands."
Ignoring the threat
Rowhammer was originally viewed as "too much trouble to be worth" exploiting. The Project Zero research challenged this.
"Vendors may have considered Rowhammer to be only a reliability issue, and assumed that it is too difficult to exploit," read the research paper.
"However, many bugs that appear to be difficult to exploit have turned out to be exploitable. These bugs might initially appear to be ‘only' reliability issues, but are really security issues."
The Project Zero researchers added that manufacturers' willingness to list Rowhammer as a performance problem may have blinded them to its security implications.
"Looking back, had there been more public disclosures about the Rowhammer problem it might have been identified as an exploitable security issue sooner," read the research.
"It appears that vendors have known about Rowhammer for a while, as shown by the presence of Rowhammer mitigations in LPDDR4. It may be that vendors only considered Rowhammer to be a reliability problem.
"The release of more technical information about Rowhammer would aid evaluation of which machines are vulnerable and which are not."
Experts in the security community have mirrored the Project Zero researchers' sentiments. Ian Pratt, co-founder of Bromium, argued the lack of awareness about Rowhammer is indicative of a generally lax attitude towards hardware security.
"Rowhammer is a stark reminder to hardware vendors that, if they push the performance or cost-reduction envelopes too much, they will end up shipping systems in which hardware errors may be provoked by attackers and exploited," he said.
Lancope CTO TK Keanini agreed, saying that, even with the Google Project Zero research, it is unlikely that many firms will bother addressing the problem.
"This type of low-level exploitation is extremely serious because it is below any type of operating system or application level security. The analogy would be the difference between picking locks or being able to manipulate the lock's atomic structure to gain access," he told V3.
"As noted too, no-one is sure how widespread this flaw really is at this point. The bad news is that most hardware vendors are not likely to pay attention to this until it is widely exploited."
Pratt added that, while serious, it will be some time before we see a Rowhammer attack in the wild.
"The Rowhammer attack is most viable used as a local privilege escalation after the attacker has managed to get full code execution capabilities in a user account, perhaps by first using a browser or document exploit," he said.
"Since commodity operating systems (Windows, OS X, Linux) tend to have numerous local privilege escalation vulnerabilities, it's highly unlikely that we are going to start seeing a spate of attacks using Rowhammer, particularly as Rowhammer-like exploits are far from reliable and are likely to cause system crashes."
The manufacturing industry is one of many criticised for lax security practices. Researchers at McAfee censured the development community in February after discovering that a number of "popular" Android applications still do not have critical Heartbleed patches installed.
And, yep, it'll run Android rather than RiscOS
US engineering giant's cost-cutting outsourcing plan is on the rocks, according to insiders
HP Envy X2 laptop only affordable if you've got loadsamoney
Counterfeit code-signing certificates enabling hackers to hide malware being sold by cyber criminals
Certificates can be used as part of layered obfuscation to evade detection by anti-virus software