Rowhammer: another case study in why you shouldn’t panic

‘Rowhammer’ hit the press recently. And, as you will know, it’s not a reference to a character in a computer game (although it sounds like quite a good name to me). Instead, it’s a recently discovered IT security vulnerability.

Normally that’s nothing new, but this time it’s one with a difference.

Predictably, the media has had a field day, because for once the vulnerability turned out to be not a software flaw but a hardware one.

Specifically, it’s a weakness in a particular type of computer memory that leaves it open to attacks that repeatedly access a particular ‘row’ of memory locations – hence the ‘hammering’ reference.

If you hammer a row often enough then ‘bit flips’ can be triggered in adjacent rows. So if you target the right rows, it could be possible to induce bit flips in page table entries, holding out the prospect of gaining control of the machine in which the memory is installed.

And when two Google engineers attempted to do just this, they were successful on 15 out of 29 occasions.

Which isn’t good news.

Rowhammer: the facts, just the facts

But it isn’t necessarily catastrophically bad news, either.

Yet catastrophically bad news is, in my opinion, the picture of rowhammer that some of the usual pundits and industry figures have been painting. Many of them, it must be said, have a vested interest in talking up the rowhammer problem rather than providing dispassionate, factual advice.

So let’s take a look at the facts about rowhammer.

First, it’s real. Rowhammer was actually discovered by researchers from Carnegie Mellon University and Intel Labs, who then speculated that it could be exploited for malign intent.

Second, rowhammer can indeed be exploited for malign intent. That’s what Google contributed to the issue: taking a theoretical vulnerability, and turning it into a very real and concrete vulnerability.

But one of questionable magnitude. That’s because, third, the Google engineers only tested 64-bit x86-based laptops running under Linux, and using DDR3 DRAM. Similar attacks might work on non‑x86 systems and on computers running operating systems other than Linux, but this has not been shown.

Fourth, tests of newer laptops found that they were not vulnerable to rowhammer attacks – possibly because hardware-level threat mitigation has already been put in place by memory manufacturers and computer designers, tipped off to the problem by the original Carnegie Mellon University and Intel Labs research, which took place three years ago.

And finally, fifth, no desktop systems were found to be vulnerable.

Rowhammer in context

So let’s use that information to try to put rowhammer in context, based on what we know from the facts above.

Rowhammer doesn’t appear to affect desktop computers. It doesn’t appear to affect newer laptop computers. It hasn’t been shown to affect operating systems other than Linux, running on an x86-based architecture. And it has only been proved to be present on DDR3 memory.

That doesn’t sound quite so catastrophic.

Moreover, for the rowhammer vulnerability to be activated, hackers would first have to get an attack vector onto the laptop in question, having successfully surmounted all the usual IT security management obstacles in their way – anti-virus filters and so on.

All of which starts to make a successful rowhammer attack seem more and more of a remote possibility.

And a remote possibility, what’s more, that might be completely mitigated by simply swapping out laptops’ rowhammer-vulnerable DDR3 memory for some newer, non-vulnerable memory.

Rowhammer: don’t panic

In short, once again, what we see is a lot of unwelcome scaremongering taking place. And in our view, this represents people and businesses that are in a position to know better, simply taking the opportunity thrown up by rowhammer to spread fear.

Yes, rowhammer is a threat. But it’s by no means the threat that is being made out in some quarters.

Our view: don’t panic. Review that threat in the context of an overall risk management framework, and take carefully considered action accordingly.

Which may well be to do nothing, at least until the true impact of rowhammer becomes clearer.

Put another way, the laptop on which these words are written is precisely the same post-rowhammer as it was pre-rowhammer.
