Drammer: a ‘Deterministic Rowhammer Attack’ to gain root permissions on Android devices

A new attack technique that exploits the Rowhammer hardware vulnerability on Android devices


Earlier last year, security researchers from Google’s Project Zero discovers Rowhammer, a hardware bug that allows attackers to manipulate data in memory without accessing it: by reading many times from a specific memory location, somewhere else in memory a bit may flip (a one becomes a zero, or a zero becomes a one).

As a result, hammering a memory region can disturb neighboring row, causing the row to leak electricity into the next row which eventually causes a bit to flip. And since bits encode data, this small change modifies that data, creating a way to gain control over the device.

Now, this designing weakness has been exploited to gain unfettered “root” access to millions of Android smartphones, allowing potentially anyone to take control of affected devices.

Researchers of VuSec has created a new proof-of-concept exploit, dubbed DRAMMER, that can alter crucial bits of data in a way that completely roots big brand Android devices like Samsung, OnePlus, LG and Motorola.

Drammer has the potential to put millions of users at risk, especially when combined with existing attack vectors like Stagefright or BAndroid: practically all devices are possibly vulnerable and must wait for a fix from Google in order to be patched.

From the project page:

We developed an Android app — not yet in Google Play, but available directly — to test your device for the Rowhammer bug. The app uses a native binary for which we also released the source code. After a successful run, the app uploads anonymized output. We will use this to get a better understanding of how widespread the Rowhammer bug is. Of course, you can opt out of sharing results.

Please note the following:

  • Currently, when finished its hammering session, the app does not give you a nice popup that tells you whether you are vulnerable or not. We will try to add this as soon as possible. Meanwhile, you can easily spot induced bit flips by glancing over the output and looking for the obvious keyword FLIP.
  • Your phone might still be vulnerable, even if the app detected zero flips! There are two main reasons for this. First, our current implementation of address selection is conservative: we recently discovered that the current code is only hammering half of the rows on a Nexus 5. On your device, the DRAM geometry might be different enough for our app to completely fail selecting addresses for double-sided rowhammer. Second, the app may only have tested a very small fraction of your DRAM. Ideally, a single run takes at least an hour and scans a couple hundred of MB. The current code already tries to free as much memory as possible to hammer (affected by the aggressiveness factor), but there are probably better ways of doing this.

VuSec has also developed a Rowhammer simulator that allows researchers and practitioners to simulate hardware bit flips in software, using bit-flip patterns (or fliptables) from a large set of DRAM chips.

The sourcecode is available on GitHub:

https://github.com/vusec/hammertime

Here a video of DRUMMER attack on Android 6.0.1

…and a video of DRAMMER attack combined with Stagefright bug:


The original paper

https://vvdveen.com/publications/drammer.pdf


Links and references

https://github.com/vusec/hammertime
https://github.com/vusec/hammertime
https://github.com/vusec/hammertime

Comments