Memory deduplication issues exploited together with Rowhammer attacks to give attackers access to the local system

May 27, 2016 13:44 GMT  ·  By

Four researchers from the Vrije University in the Netherlands have put together a successful attack on Windows 10 that uses a combination of a Rowhammer attack and a newly discovered memory deduplication vector that can give attackers control of the OS, even if the browser and the OS are up to date and running various security hardening mitigations.

Their research centers around the memory deduplication process, a method through which some operating systems free memory by finding duplicate entries.

Attacks on memory deduplication existed from prior studies by other researchers, who devised side-channel attacks that can leak information about the contents of the OS memory.

Edge exploit is actually a combination of older attacks

The Dutch researchers combined one of these previous memory deduplication side-channel attacks with Rowhammer, a vulnerability in DDR3 and DDR4 memory cards, found at the electrical and hardware level.

Researchers discovered that, by blasting read-write operations to a row of memory bits, they could alter its electrical field and then modify nearby bits and its data. Later, researchers managed to weaponize Rowhammer attacks using JavaScript and deliver attacks via Internet pages.

The four Dutch researchers took one of these Web exploits and combined it with an older memory deduplication side-channel attack to gain read-write access to the browser's memory.

Attack bypasses Edge's security measures

The researchers also put together their own implementation of memory deduplication-based primitives in JavaScript that allowed them to escape Edge's sandbox, a secure environment in which the browser operates.

In a proof-of-concept demo, the researchers launched their attack against an Edge browser accessing a Web page, which sent malicious code to the browser. The exploit helped attackers gain control of parts of the browser's memory, escaped the Edge sandbox, and jumped to an adjacent Nginx process to leak HTTP password hashes.

During their tests, the researchers used a version of Edge "entirely free of bugs with all its defenses [...] turned on," so the attack works even if the user is very careful about their PC's security.

Some mitigations for this attack exist, and the researchers included them in their paper called Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector, set to be presented on May 25 at the 37th IEEE Symposium on Security and Privacy held in San Jose, USA.