
RAMBleed Attack – Reading Bits in Memory Without Accessing Them - ga-vu
https://rambleed.com/
======
rsweeney21
Shortly after I joined Microsoft in 2004, all new feature work on Windows
Longhorn (Vista) was halted. There had been yet another high profile computer
virus on Windows XP caused by a buffer overflow. It was an all-hands-on-deck
type moment. Everyone spent weeks adding SAL (source-code annotation language)
annotations to the entire Windows code base. SAL annotations enabled automated
source code analysis to identify potential buffer overflow bugs and other
common security vulnerabilities. Once annotated, we identified and fixed who
knows how many hundreds of security vulnerabilities in Windows.

This colossal security update was released as Windows XP Service Pack 2. This
is the beauty of software.

Hardware vulnerabilities scare me. There are millions of Intel CPUs and DRAM
modules installed in data centers and PCs around the world. When we find
vulnerabilities in _hardware_ how are we supposed to fix them?

The past few years have been really scary for me as a software engineer. I
keep thinking that the next one will pop the software bubble.

~~~
mehrdadn
> SAL annotations

Are there tools for developers to use these (e.g. with VC++), or are they all
Microsoft internal?

~~~
ryacko
I have read about this: [https://github.com/google/styleguide/tree/gh-
pages/cpplint](https://github.com/google/styleguide/tree/gh-pages/cpplint)

There is also this: [https://github.com/mre/awesome-static-
analysis](https://github.com/mre/awesome-static-analysis)

~~~
mehrdadn
I was specifically asking about SAL.

~~~
ryacko
There is also this: [https://docs.microsoft.com/en-us/visualstudio/code-
quality/u...](https://docs.microsoft.com/en-us/visualstudio/code-
quality/using-sal-annotations-to-reduce-c-cpp-code-defects?view=vs-2019)

~~~
mehrdadn
I think they talk about the annotation but not the analysis tools?

~~~
hoseja
[https://docs.microsoft.com/en-us/visualstudio/code-
quality/c...](https://docs.microsoft.com/en-us/visualstudio/code-quality/code-
analysis-for-c-cpp-overview)

It's part of VC++.

But I do not recommend using SAL for modern code.

~~~
mehrdadn
Oh wow. I'd used /analyze before but I hadn't realized it takes SAL into
account. I thought it just does limited extra analysis without SAL. Thank you!

------
musicale
Whenever you have sharing, you usually have side channels. We're going to see
more and more of this until we have much better hardware isolation.

This is a kind of obvious variant of Rowhammer, which hasn't generally been
fixed AFAIK.

Hardware in the late 2010s seems a bit like Windows in the late 1990s - a
house of cards waiting to collapse, but the dominant vendors know that very
few customers are willing to pay more for security and reliability vs.
performance/features/new and shiny.

(So if we're lucky then we'll end up with a "more secure" version of hardware
that is analogous to... Windows Vista.)

~~~
colechristensen
Real-world side channels are going to start getting more attention as the
technology and techniques for extracting information from EM radiation from
circuits (not radios) leaking state improve.

~~~
dahfizz
Is that possible without special hardware to detect EM radiation?

~~~
Dylan16807
You usually need an antenna, yes. Does that matter?

~~~
chii
it matters because if the hardware is difficult and expensive to obtain, an
attack can be costly, and hence, won't affect the common man. Industrial
espionage or state level espionage hardly changes for the common man, and
since most of the hardware in use is by the common man, it's unlikely to get a
real fix.

~~~
ac29
Effective antennas are reasonably easy to build from scratch (depending on the
frequency band), and are commercially available in an insane number of
variations. Either way is very cheap - as little as a few dollars.

Software defined radios can be had for as little as $10-20 for simple receive
only types, up to several hundred for substantially nicer transceivers. They
can also be $1000+ for special applications or R&D.

------
nine_k
From the speed figures (many hours of setup and runtime, very low read rate) I
can suggest that restarting your important service often, and moving it
between VMs, would prevent an attack like that.

In many deployments, automatic scaling and failover already provide the
necessary mechanics. Then the Chaos Monkey suddenly becomes a security
enforcement tool :)

~~~
taneq
> From the speed figures ...

You know what software's like, though. What today takes the blood of a virgin
and a dozen dribbly candles will be doable next week with a toothpick and
three cc's of mouse blood.

~~~
mayankkaizen
That was ..... interesting quote.

------
woliveirajr
If I understood correctly, this is orders of magnitude worst that RowHammer,
as it is kind of passive: you set some program to do the RowHammer side,
within its own memory space, and then use RAMBleed to see changes from memory
cells, not exactly the ones that were RowHammered. Is that it ?

~~~
deckar01
> a bit is more likely to flip when the bits above and below it have the
> opposite charge. ... To exploit this effect, we developed novel memory
> massaging techniques to carefully place the victim's secret data in the rows
> above and below the attacker's memory row.

The secret data has to be duplicated, column aligned, and have a single
unallocated row between it. Controlling the alignment of the secret data seems
like a major complication for realistic exploitation.

Edit: The strategy in the paper requires allocating a bunch of physical memory
from all the small blocks so that memory allocation requests from a new
process are allocated deterministically to a desired physical row.

~~~
CodeMage
_> Edit: The strategy in the paper requires allocating a bunch of physical
memory from all the small blocks so that memory allocation requests from a new
process are allocated deterministically to a desired physical row._

Honest question, because I'm not a security expert: can you do this without
having already pwned your target to such a degree that this would be
unnecessary?

~~~
jerf
Probably not.

However, historically, these sorts of attacks always get better, not worse.

And while even that can sometimes be empty rhetoric, I will say in the last 5
years I'm seeing a lot of security attacks that are _already_ well beyond what
even my moderately-trained intuition would suggest are possible, so I have to
admit I've sort of given up on trying to guess on whether or not an attack can
be made practical. I've seen too many mind-blowing presentations from security
researchers to think I can bound their abilities safely. I wouldn't care to
bet that they won't move the attacks I already am flabbergasted can exist to
some other even-more practical attack that I am flabbergasted can exist.

This is unrelated to the current matter, but let me give you an example:
[https://www.youtube.com/watch?v=_eSAF_qT_FY](https://www.youtube.com/watch?v=_eSAF_qT_FY)
If you think that's trivially obvious, and you're confident you can predict
how these sorts of things will play out in the future, more power to you, but
I'm certainly not justified in that belief at my skill level. I'm just happy I
can _follow_ that presentation!

~~~
cwkoss
Yeah, it seems that whenever an exploit "doesn't seem practical for actual
use" it is just one more exploit-in-the-chain away from being operationalized.

So many systems have unspecified, undocumented and undertested behaviors that
have not been exploited only because no one has ever tried.

~~~
biztos
Presumably there would be value in releasing the "impractical for actual use"
version to the public after you have already operationalized and not before.

------
RcouF1uZ4gsC
These recent CPU and Memory vulnerabilities are calling into question the
economics of the public cloud. A lot of these bugs only really matter if you
have multiple programs from different entities running on the same computer
system. A company that has its own private cloud, doesn't have to care about
these attacks so much.

The cost of mitigating these attacks both in terms of CPU performance and
increased hardware costs may offset some of the economies of scale.

------
tgsovlerkhgsel
Since the mention of OpenSSH can cause readers to jump to false conclusions:
This attack still requires that the attacker's code runs on the victim
machine; it is not a remote vulnerability.

(I don't think the authors implied otherwise, I just know that I somehow got
confused for a second.)

------
Rapzid
Can we talk about these attack names? Everything bleeds these days. "RAMSack"
is a legit missed opportunity.

~~~
orhmeh09
“Bleed” has a functional purpose; it communicates that it is a side-channel
leaking information.

~~~
scandinavian
"Bleed" is normally just used for communicating that the exploit leaks data.
See Optionsbleed, Heartbleed and Ticketbleed which are not side-channel
attacks afaik.

------
0815test
Perhaps I'm missing something really obvious, but doesn't hardware-provided
memory encryption solve this quite handily? You might be able to read single
bits of raw physical memory from another process, but this won't tell you
anything substantial about what that process is up to.

~~~
kardos
The mitigations section of the paper discusses memory encryption

------
dredmorbius
For those who find that sort of thing interesting, the domain was registered
109 days ago, February 23, 2019.

[https://whois.domaintools.com/rambleed.com](https://whois.domaintools.com/rambleed.com)

------
heybrendan
Anyone else love how vulnerabilities these days have full on marketing-esque
campaigns backing them? In any case, if it increases awareness, I'm mostly
supportive.

Allow me to save some time, from TFA:

> Is there a CVE number?

> Yes, see CVE-2019-0174 [1].

[1] [https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2019-0174](https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2019-0174)

\---

> What is RAMBleed?

> Previous attacks exploited the Rowhammer effect to write (or flip) bits in
> the victim's memory. RAMBleed is different in that it uses Rowhammer for
> reading data stored inside the computer's physical memory. As the physical
> memory is shared among all process in the system, this puts all processes at
> risk.

> What data can be read by RAMBleed?

> While the end-to-end attack we demonstrated read out OpenSSH 7.9's RSA key,
> RAMBleed can potentially read any data stored in memory. In practice, what
> can be read depends on the victim program's memory access patterns.

> What technologies are affected by RAMBleed?

> RAMBleed relies on Rowhammer-induced bit flips to read privileged memory. As
> such, any system that uses Rowhammer-susceptible DIMMs is vulnerable.
> Previous research has demonstrated bit flips on both DDR3 and DDR4 with TRR
> (targeted row refresh) enabled. While we demonstrated our attack on a
> desktop machine and an ECC enabled server machine, Rowhammer attacks have
> been demonstrated against both mobile devices and laptops. As such, we
> suspect that many classes of computers are susceptible to RAMBleed.

> How can I mitigate this issue?

> Users can mitigate their risk by upgrading their memory to DDR4 with
> targeted row refresh (TRR) enabled. While Rowhammer-induced bit flips have
> been demonstrated on TRR, it is harder to accomplish in practice.

> Memory manufacturers can help mitigate this issue by more rigorously testing
> for faulty DIMMs. Furthermore, publicly documenting vendor specific TRR
> implementations will facilitate a stronger development process as security
> researchers probe such implementations for weaknesses.

~~~
joshdance
Relevant @patio11 article

[https://www.kalzumeus.com/2014/04/09/what-heartbleed-can-
tea...](https://www.kalzumeus.com/2014/04/09/what-heartbleed-can-teach-the-
oss-community-about-marketing/)

I think the marketing campaigns are awesome. Makes it much easier to get
resources to fix.

~~~
2bitencryption
Wow, that's a really excellent read. Thanks.

------
polskibus
Does this affect public cloud providers? Can it be used to obtain data from
other VMs running on the same host?

~~~
the8472
If this attack is a concern then so is rowhammer. So you can basically ask
whether cloud providers have mitigated rowhammer.

AMD's SEV might help protecting VMs from each other.

~~~
expliced
_> unlike Rowhammer, RAMBleed does not require persistent bit flips, and is
thus effective against ECC memory commonly used by server computers._

Seems like mitigations for Rowhammer is not enough for RAMBleed.

~~~
syn0byte
ECC isn't effective mitigation against Rowhammer either.

[https://www.vusec.net/projects/eccploit/](https://www.vusec.net/projects/eccploit/)

tl;dr ECC logic can't cope with 'single' errors involving > 2 bits.

~~~
Dylan16807
It has to cause a huge amount of single-bit errors to find a spot suitable for
a three-bit error.

If these errors are actually treated as errors, then chips will be disabled or
processes will get blacklisted _long_ before they can be used to exploit.

So this is really "ECC is often configured wrong", not "ECC isn't effective".

------
air7
This is a tangent, but I find it (somewhat) annoying when f.a.q's don't answer
their own questions. I see this happen occasionally and I always wonder if
it's intentional to side-step an issue by raising it yourself, and then
answering something else.

> Can RAMBleed be detected by antivirus? > We believe that it is very unlikely
> that any antivirus software on the market currently detects RAMBleed.

~~~
tedunangst
What should they say? It's theoretically possible for any AV to detect the bug
(how else did they prove it exists?) but a simple "Yes" hardly conveys
accurate information.

------
pkaye
> Users can mitigate their risk by upgrading their memory to DDR4 with
> targeted row refresh (TRR) enabled.

How does one enable this feature? Is it in the BIOS?

~~~
cbg0
I'm not sure if it is an option you can enable/disable in BIOS, but if your
CPU and memory have support for pTRR/TRR it should be enabled.

Ivy Bridge and newer processors should support pTRR and possibly even TRR.

~~~
mfatica
Do AMD processors support it?

------
horyzen
I find it very amusing that they use the name "Feng Shui" for placing the
victim page.

For those who don't understand:
[https://en.wikipedia.org/wiki/Feng_shui](https://en.wikipedia.org/wiki/Feng_shui)

~~~
tptacek
It's also an idiom Alex Sotirov coined 10 years ago:

[https://en.wikipedia.org/wiki/Heap_feng_shui](https://en.wikipedia.org/wiki/Heap_feng_shui)

~~~
xamuel
Imagine if human beings could be vulnerable to such attacks. Someone sends you
a video link, you watch it, you see weird shapes appearing and disappearing
for a few minutes, then the next thing you know, you wake up in a bathtub full
of ice-cubes with one of your kidneys stolen.

~~~
arpa
Sounds like you'd enjoy
[https://en.m.wikipedia.org/wiki/BLIT_(short_story)](https://en.m.wikipedia.org/wiki/BLIT_\(short_story\))

~~~
viraptor
Also Snowcrash
[https://en.wikipedia.org/wiki/Snow_Crash](https://en.wikipedia.org/wiki/Snow_Crash)

~~~
aaaaaar
Another fun one is the Lexicon by Max Barry, except it exploits the auditory
language processing.

[https://www.goodreads.com/book/show/16158596-lexicon](https://www.goodreads.com/book/show/16158596-lexicon)

~~~
arpa
If you're into movies with zombies, pontypool is a fun watch:
[https://en.m.wikipedia.org/wiki/Pontypool_(film)](https://en.m.wikipedia.org/wiki/Pontypool_\(film\))

------
javert
I want to find a way to run each application I use on its own machine so that
memory attacks (like spectre/meltdown, etc.) are theoretically impossible.

I still want to have a reasonable computing experience (e.g. copy + paste
works and the experience is kind of like using one computer the normal way).

Any ideas? I was thinking some kind of remote desktop setup with a bunch of
cheap boxes, each running Linux, on a LAN.

~~~
blablabla123
Plan 9 is really radical about this, but I'm not sure how secure that would be
in practice:
[http://doc.cat-v.org/plan_9/4th_edition/papers/net/](http://doc.cat-v.org/plan_9/4th_edition/papers/net/)

But the computing experience is quite unreasonable - with copy&paste working
though ;)

~~~
javert
Plan 9 is so cool.

I'm going to guess that it's not actually a practical solution to this problem
right now.

------
akersten
I am so torn about the whole vulnerability branding thing. On the one hand, it
gives a great amount of visibility and motivation for brass to actually
provide for getting prod patched when IT might not have had the political
capital to do so otherwise. But on the other hand, I think about things like:

\-- What happens when the cure is worse than the disease (some variants of
Spectre), and we "have to" patch because otherwise we're "not secure against
this scary sounding thing." It takes a lot of agency away from the IT
department to make an informed decision about the appropriate mitigation and
threat model, and turns it into a business requirement regardless of the
trade-off - because brass "understands" _Spectre_ , they don't understand
CVE-1234

\-- Or, theoretical exploits that aren't practical in the real world, but we
spend a lot of effort or make tradeoffs to fix just because someone needs some
material for their PhD.

\-- What do you call it when we find another way to read RAM next year -
RAMBleed2? I guess.

~~~
segfaultbuserr
> \-- What do you call it when we find another way to read RAM next year -
> RAMBleed2? I guess.

or RAMBleed-NG, probably.

~~~
mfatica
RAMBleed++

~~~
radicaldreamer
RamBleed MAX9

------
dmitrygr
Very cool and scary, but in reality actually exploiting this without a
cooperative target, and a relatively quiet machine is _quite_ unlikely. Does
not mean it shouldn't be looked at, but do not lose sleep over it.

~~~
vardump
> actually exploiting this without a cooperative target, and a relatively
> quiet machine is quite unlikely.

... until someone does it somewhat reliably. I always assume my knowledge and
imagination does not come close the collective creativity of exploiters.

~~~
thr0w__4w4y
Yes, this. Also, there is a saying in the security world, "Attacks only get
better over time."

I consult on embedded systems, and at least one medical device I work on is
directly concerned with this issue. Embedded systems (cars, elevators, medical
devices) consider a different threat model than, say, a server sitting in a
data center. These poor devices often sit vulnerable, physically unprotected,
and often they can be acquired on Ebay, etc. and "tortured in a garage" for
months on end.

Scary stuff. Good for me and my business, bad for all of us though.

------
tathougies
Why does every new attack have a homepage these days?

~~~
tareqak
I forget if heartbleed was the first one to a have a homepage or the first one
to have a catchy name, but it was to help with the public relations angle of
convincing CIOs or their equivalents in an organization to take the problem
seriously AFAIK. Someone else here can probably answer it better.

~~~
2bitencryption
On this subject, I'd love to see a full history of the "branded vulnerability"
thing.

~~~
tareqak
Here is a link up thread with 'patio11's take on it:
[https://news.ycombinator.com/item?id=20158079](https://news.ycombinator.com/item?id=20158079)
.

------
anon_cow1111
Well, this sounds really bad. Though on a positive note, I guess we could try
a similar exploit in meatspace to figure out if we're living in a simulation
or something.

/sarc but also maybe not

~~~
manifestsilence
That's actually a pretty cool thought. I've always scoffed at philosophies
along the lines of, "what if it's all a dream/simulation" because if it's
perfect, and you only escape it through death, what's the point of holding
that view? But if there's a chink in the armor, it becomes suddenly very
interesting. Not that I think that's likely to pan out since it so badly
violates Occam's Razor, but it's an interesting possibility.

~~~
brianberns
It might not be as unlikely as you think:
[https://www.newyorker.com/books/joshua-rothman/what-are-
the-...](https://www.newyorker.com/books/joshua-rothman/what-are-the-odds-we-
are-living-in-a-computer-simulation)

~~~
ken
These arguments seem entirely unconvincing to me, in the same way that the
Fermi Paradox is. Let's take some small numbers (which we got mostly by
guesses, not experimentation), multiply them together, and then be shocked at
what a tiny number it is.

