The attack is nasty because it allows kernel-level privilege escalation - the holy grail of hacks
At this week’s Woot ’17 USENIX conference in Vancouver, researchers from Big Blue showed off a filesystem-level version of the attack against MLC NAND flash memory.
Researchers Anil Kurmus, Nikolas Ioannou, Matthias Neugschwandtner, Nikolaos Papandreou and Thomas Parnell said that the filesystem layer of this attack shows that random corruption of a carefully chosen block is sufficient to achieve privilege escalation.
“In particular, to motivate the assumptions of this filesystem-level attack, we show the attack primitive that an attacker can obtain by making use of cell-to-cell interference is quite weak, and therefore requires a carefully crafted attack at the OS layer for successful exploitation,” the researchers said.
Rowhammer-style attacks hit deep layers of memory management, and this variant, aimed at flash memory, brings a lower barrier to entry.
“We use our knowledge of existing reliability mechanisms in SSDs (including ECC), to show that the attack primitive an attacker can obtain from MLC NAND flash weaknesses is a coarse granularity corruption: unlike in Rowhammer, where the attacker can flip a single bit, in the case of this attack the attacker can only corrupt one block of data,” the researchers said.
“We then show that this weaker attack primitive (when compared to flipping individual bits, which provides a higher level of control to the attacker) is nevertheless sufficient to mount a local privilege escalation attack.”
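As an added illustration (not code from the paper or from this article), the following toy model shows the point made in the quote above: the controller's ECC either absorbs a small number of disturbed cells, leaving the data intact, or reports the whole codeword as uncorrectable, so an attacker never obtains a chosen single-bit flip. It assumes a Hamming(8,4) SECDED code in place of the much stronger BCH or LDPC codes real SSD controllers use; the shape of the result is the same, only the threshold differs.

```python
# Toy model: why ECC turns cell-to-cell interference into a coarse,
# all-or-nothing corruption primitive. Hamming(8,4) SECDED stands in for
# the real controller's code (an assumption about shape, not parameters).
from itertools import combinations

# Positions 1..7 form a Hamming(7,4) codeword: parity at 1, 2, 4 and data
# at 3, 5, 6, 7. Position 0 holds overall parity for double-error detection.

def encode(nibble):
    """Four data bits -> eight code bits (index 0 = overall parity)."""
    d1, d2, d3, d4 = nibble
    code = [0] * 8
    code[3], code[5], code[6], code[7] = d1, d2, d3, d4
    code[1] = d1 ^ d2 ^ d4          # covers positions 1,3,5,7
    code[2] = d1 ^ d3 ^ d4          # covers positions 2,3,6,7
    code[4] = d2 ^ d3 ^ d4          # covers positions 4,5,6,7
    code[0] = sum(code[1:]) % 2     # even parity over the whole word
    return code

def decode(code):
    """Return (status, data); status is 'ok', 'corrected' or 'uncorrectable'."""
    c = list(code)
    syndrome = 0
    for i in range(1, 8):           # XOR of the positions holding a 1
        if c[i]:
            syndrome ^= i
    overall = sum(c) % 2
    if syndrome == 0 and overall == 0:
        return 'ok', [c[3], c[5], c[6], c[7]]
    if overall == 1:                # single error: fix it, data survives
        if syndrome:
            c[syndrome] ^= 1
        return 'corrected', [c[3], c[5], c[6], c[7]]
    return 'uncorrectable', None    # two errors: the whole word is lost

def read_after_interference(nibble, flipped_positions):
    """Read one codeword after interference disturbed the given cells (0..7)."""
    stored = encode(nibble)
    for p in flipped_positions:
        stored[p] ^= 1
    return decode(stored)

def outcomes(nibble, nflips):
    """Every decoder status reachable when exactly nflips cells are disturbed."""
    return {read_after_interference(nibble, f)[0]
            for f in combinations(range(8), nflips)}
```

With one disturbed cell every read is silently corrected; with two, every read fails as uncorrectable, and no combination yields a surviving word with one chosen bit changed.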
The flash version of the Rowhammer attack is a local attack, and can be carried out via side channels, for example. The major weakness in flash being exploited is cell-to-cell interference, which affects the reliability of NAND devices. The interference results from programming voltages that disturb adjacent cells in a memory array, the researchers said.
Rowhammer comes to MLC NAND flash
Holy grail for hackers
Two years after Google showed how Rowhammer attacks could flip dynamic random access memory (DRAM) bits to induce those memory cells to change their state, IBM has shown how it can target MLC NAND flash memory.