RAMBleed - New DRAM Side-Channel Attack
RAMBleed - New DRAM Side-Channel Attack Allows Access to Sensitive Data in Memory
RAMBleed is based on the Rowhammer attack, a technique that was first demonstrated in 2015 by the Google Project Zero team. In the Rowhammer attack, researchers showed that induced bit flips can be exploited for privilege escalation. Rowhammer attacks relied on write side channels, which depend on persistent bit flips in the victim's memory, and those can be mitigated by error-correcting code (ECC) memory.
RAMBleed is different: it uses Rowhammer as a read side channel and does not require persistent bit flips, which allows it to bypass ECC.
Describing RAMBleed, the researchers say:
“Rowhammer induced bit flips are data dependent, i.e. a bit is more likely to flip when the bits above and below it have the opposite charge. This creates a data-dependent side channel, wherein an attacker can deduce the values of bits in nearby rows by observing bit flips in her own memory rows. Finally, as the data in nearby rows might belong to a different process, this leakage breaks the isolation boundaries enforced by the operating system.”
“To exploit this effect, we developed novel memory massaging techniques to carefully place the victim's secret data in the rows above and below the attacker's memory row. This causes the bit flips in the attacker's rows to depend on the values of the victim's secret data. The attacker can then use Rowhammer to induce bit flips in her own memory, thereby leaking the victim's secret data,” they add.
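A toy simulation of the data-dependent flips described in the quote, added here as an illustration and not code from the RAMBleed researchers. The three-row layout (secret copied into the rows above and below a sampling row) and the flip probabilities are assumed values chosen for the model; it shows why the leak needs no persistent flip in the victim's rows, which is the reason ECC on the victim's data does not help.

```python
import random

# Constructed toy DRAM model: three adjacent rows of bits. Rows 0 and 2 hold
# copies of the victim's secret, row 1 is the attacker's sampling row.
# Flip probabilities are assumed for the simulation, not measured values.
P_FLIP_OPPOSITE = 0.9   # cells above and below hold the opposite value
P_FLIP_SAME = 0.02      # cells above and below hold the same value (noise)


def hammer_once(rows, rng):
    """One hammering round: return a fresh copy of the sampling row in which
    each cell may have flipped, with a probability that depends only on the
    values of the cells directly above and below it."""
    above, sampling, below = rows
    new_row = []
    for a, cell, b in zip(above, sampling, below):
        opposite = (a != cell) and (b != cell)
        p = P_FLIP_OPPOSITE if opposite else P_FLIP_SAME
        new_row.append(cell ^ 1 if rng.random() < p else cell)
    return new_row


def infer_secret(secret, trials=25, seed=1):
    """Simulate the read side channel: fill the sampling row with ones, hammer
    repeatedly, and count flips per column. A column that flips in most
    trials must have zero-valued neighbours, i.e. a secret bit of 0."""
    rng = random.Random(seed)
    rows = [list(secret), [1] * len(secret), list(secret)]
    flips = [0] * len(secret)
    for _ in range(trials):
        sampled = hammer_once(rows, rng)
        for i, bit in enumerate(sampled):
            if bit != 1:
                flips[i] += 1
    inferred = [0 if f > trials // 2 else 1 for f in flips]
    # The victim's rows were only ever read as neighbours, never written:
    # there is no persistent flip in victim memory for ECC to catch.
    victim_untouched = rows[0] == list(secret) and rows[2] == list(secret)
    return inferred, victim_untouched
```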
In their proof of concept, the researchers demonstrated the attack against OpenSSH, leaking a 2048-bit RSA key. RAMBleed mainly works against devices that use DDR3 and DDR4 memory modules.
The researchers found no evidence that RAMBleed has been exploited in the wild, but they warn that commercial security software is unlikely to be able to detect these types of attacks.
As for mitigation, the researchers recommend upgrading memory modules to DDR4 with Targeted Row Refresh (TRR) enabled; this feature does not completely block Rowhammer attacks, but it does make them more difficult to carry out in practice.
Oracle has already released a security advisory for RAMBleed, stating that it has patched its servers and other infrastructure following the recommended mitigations.
See the RAMBleed site for detailed information on RAMBleed.