ECCploit: New variant of Rowhammer attack found bypassing ECC memory

  • The new exploit can allow an untrusted app to gain full administrative rights.
  • Researchers found that it can take anywhere between 32 minutes to a week to execute an ECCploit attack.

A new variant of the Rowhammer attack dubbed ECCploit bypasses Error-Correcting Code (ECC) protections. ECC memory is built in several widely used models of DDR3 chips. In a research paper titled ‘ECCploit’, academicians expanded the characteristics of the new version while comparing the functionalities of the new attack to the previous version.

What is Rowhammer?

For the uninitiated, Rowhammer is a vulnerability in dynamic random access memory (DRAM) chips that can allow attackers to gain access to systems. The attack could be used to escalate administrative privileges on computers and networks. It affects DDR3 and DDR4 SDRAM modules.

In early 2015, researchers discovered that by reading data stored in just one row in DRAM repeatedly, they could manipulate the data stored in other memory rows and cause data corruption.

In the following years, research on the Rowhammer attack led to various other theories, such as using JavaScript and the web to conduct the attack, taking over Windows computers via the Microsoft Edge browser, taking over Linux-based virtual machines installed in cloud hosting environments. Researchers also discovered that the Rowhammer attack could allow attackers to gain root permissions on an Android smartphone and target an Android memory subsystem called ION.

What does the new theory say?

In the recent research paper, researchers developed a new variation of the Rowhammer attack and found that the attack could bypass ECC memory.

During the analysis, the researchers observed that the new exploit is capable of flipping two bits, which can have major consequences. For instance, this can allow an untrusted app to gain full administrative rights, evade detection by sandbox or virtual-machine hypervisor, or root out devices running the vulnerable Dual In-line Memory Module (DIMM).

However, there are several challenges to make a successful attack attempt using the variant. Researchers explained that the foremost challenge for attackers is to find the ECC algorithm implemented in the memory controller of the targeted system’s processor, in order to initiate the attack. The other disadvantage is that it takes anywhere between 32 minutes to a week to execute the ECCploit attack, which is considered to be a significantly long period of time for hackers to launch an attack.