New RAMpage exploit revives Rowhammer attack to root Android devices

In late 2016, Google’s security team scrambled to fix a critical vulnerability that allowed attackers to gain unfettered root access to Android devices by using a relatively new class of exploit that manipulates data stored in memory chips. Now, 21 months later, many of the same researchers behind the attack, dubbed Drammer, are back to say that a large number of Android phones and tablets remain vulnerable to the rooting attacks because the patches Google deployed weren’t adequate.

Both Drammer and the newly disclosed RAMpage attacks exploit Rowhammer, a class of exploit that alters data stored in memory chips by repeatedly accessing the internal rows where individual bits are stored. By “hammering” the rows thousands of times a second, the technique causes the bits to flip, meaning 0s are changed to 1s and vice versa.

The original Rowhammer attack against PCs made it possible for an untrusted computer application to gain nearly unfettered system privileges or to bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources. A later variation allowed JavaScript hosted on websites to effect the same security-sensitive bitflips.

The Android-based Drammer exploit demonstrated that Rowhammer attacks could have far-reaching effects on a much wider range of devices than was previously assumed, including those running ARM chips. The exploit opened the possibility that apps posing as legitimate wares could surreptitiously root devices and, in the process, neuter key security defenses built into Android that prevent one app from accessing passwords or other sensitive data belonging to the operating system or other apps that run on it.

In the months following the Drammer disclosure, Google mitigated the damage that malicious apps could do by making changes to Android’s ION memory manager, which restricted access to physical contiguous kernel memory.

Not good enough

“With RAMpage, we show that the deployed software patches are not good enough,” Victor van der Veen, a Vrije Universiteit Amsterdam professor who helped devise both Drammer and RAMpage exploits, wrote in an email. “Taking the disabled contiguous heap as an example again, we found that you can still obtain physically contiguous memory by playing with the allocator. By allocating and releasing memory chunks, we can ‘defragment’ physical memory, freeing up large holes. If we then allocate a large chunk, chances of getting contiguous memory increase, and we can confirm this by using existing side channels.”

In a blog post published last Wednesday, Van der Veen and his colleagues said that “every [Android-based] mobile device that is shipped with LPDDR2, LPDDR3, or LPDDR4 memory is potentially affected [by RAMpage], which is effectively every mobile phone since 2012.” In an email, he said that he and his colleagues have successfully achieved bit flips on Nexus 5 devices shipped with LPDDR3, a Nexus 4 with LPDDR2, and a Google Pixel 1 with LPDDR4, but they have not done it consistently.

“This is why we state that every mobile device with LPDDR2, LPDDR3, or LPDDR4 is potentially affected: we have seen flips on devices shipped with all these types of memory, but we have also seen devices without any bit flips,” van der Veen explained in the email. “An example is the Google Pixel: of the three devices that we bought, we could only flip bits on two of them.”

People who want to test if their device is vulnerable can download this test app. It requires default Android settings to be changed to allow “sideloading” from non-Google Play sources. The RAMpage bug has been indexed as CVE-2018-9442.

In a research paper accompanying Wednesday’s post, the researchers introduced a mitigation they dubbed GuardION, which they describe as a practical and lightweight defense against RAMpage and most other Android-based Rowhammer attacks. The researchers said Google engineers have yet to implement it because they “concluded that GuardION results in more ‘performance overhead’ on real-world apps than we report in our paper.” The researchers say they’re working with Google to find ways to reduce the performance costs GuardION has on real-world apps.

Large-scale exploits unlikely

Van der Veen also said the difficulty of exploiting RAMpage made it unlikely attackers would publish apps in Google Play or other markets that could successfully root large numbers of vulnerable devices. One complication: depending on the model, row sizes may be 32KB, 64KB, 128KB, or possibly other sizes. The variations change how targeted rows must be hammered. Another factor complicating large-scale exploitation are the subtle differences in the way each manufacturer implements ION. Still, the researcher said he believed RAMpage might be exploited in attacks that target a single individual or organization.

In a statement, Google officials wrote:

We have worked closely with the team from Vrije Universiteit, and though this vulnerability isn’t a practical concern for the overwhelming majority of users, we appreciate any effort to protect them and advance the field of security research. While we recognize the theoretical proof of concept from the researchers, we are not aware of any exploit against Android devices.

A Google spokesman also said that many newer devices contain memory with Rowhammer-specific protections. The spokesman also said that the researchers’ proof-of-concept exploit doesn’t work on any currently supported Google Android devices.

While RAMpage probably doesn't represent a practical threat to most Android users, it's worth remembering the old adage that “attacks always get better [and] never get worse.” The vulnerability is also the latest reminder of the imperative that memory chip manufacturers devise a comprehensive defense against Rowhammer.