The RAMBleed Exploit
Malware is becoming considerably more advanced: rather than intercepting or eavesdropping on data at the software level, it now extracts data from the computer hardware itself. We have had Meltdown, Spectre and Rowhammer, and now RAMBleed. RAMBleed (CVE-2019-0174) takes a page from the Rowhammer DRAM side-channel attack in the way it pulls data straight out of Dynamic RAM (DRAM).
How does RAMBleed do it? RAMBleed builds on a DRAM issue known since 2012 that affects the last few generations of DRAM chips. Newer DRAM chips are so miniaturized that their memory cells sit so close together that minute electrical interactions occur between adjacent cells.
By hammering (rapidly and repeatedly accessing) rows of memory cells, an attacker can cause bits in adjacent rows to flip from 0 to 1 and vice versa. This bit-flip technique lets attackers manipulate RAM values and gain access to, or privileges on, the host computer. RAMBleed uses the same technique not to write but simply to read data from protected memory.
RAMBleed lets an attacker eavesdrop on data in real time while the computer is running. Unlike Rowhammer, RAMBleed cannot be stopped by the defences devised against the former, such as error-correcting code (ECC) memory. The only solutions for now are for users to upgrade their systems to DDR4 with targeted row refresh (TRR) enabled, as well as securing their systems against attack in general.
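The row-hammering mechanism and the TRR mitigation described above can be illustrated with a small simulation. The following Python model is an added example, not part of the original article and not the RAMBleed researchers' code; the five-row layout, the constructed row contents, the disturbance and TRR thresholds, and the single-bit flip are hypothetical simplifications chosen to make the effect visible rather than real DRAM figures. It hammers the two rows on either side of a victim row and shows that the victim bit flips when TRR is off and stays intact when a TRR-style refresh of the hammered row's neighbours is enabled.

```python
from dataclasses import dataclass

# Hypothetical model parameters (not real DRAM figures): a cell flips once its
# accumulated disturbance exceeds FLIP_THRESHOLD; TRR refreshes a row's
# neighbours after that row has been activated TRR_THRESHOLD times.
FLIP_THRESHOLD = 100_000
TRR_THRESHOLD = 10_000


@dataclass
class Row:
    data: int              # one byte of constructed row contents
    disturbance: int = 0   # charge leakage caused by neighbouring activations
    activations: int = 0   # activations since this row was last refreshed
    flipped: bool = False  # a cell flips at most once between refreshes


class DramBank:
    """Toy bank of adjacent rows; only neighbour-to-neighbour disturbance is modelled."""

    def __init__(self, contents, trr_enabled):
        self.rows = [Row(v) for v in contents]
        self.trr_enabled = trr_enabled
        self.flips = 0

    def _neighbours(self, idx):
        return [n for n in (idx - 1, idx + 1) if 0 <= n < len(self.rows)]

    def refresh(self, idx):
        # A refresh rewrites whatever the row currently holds, so an already
        # flipped bit is not repaired; it only stops further leakage.
        row = self.rows[idx]
        row.disturbance = 0
        row.activations = 0
        row.flipped = False

    def _disturb(self, idx):
        victim = self.rows[idx]
        victim.disturbance += 1
        if not victim.flipped and victim.disturbance > FLIP_THRESHOLD:
            victim.data ^= 0x01  # lowest bit flips; which cell flips is hypothetical
            victim.flipped = True
            self.flips += 1

    def activate(self, idx):
        """Open a row (one 'hammer'), leaking charge into both neighbours."""
        row = self.rows[idx]
        row.activations += 1
        for n in self._neighbours(idx):
            self._disturb(n)
        if self.trr_enabled and row.activations >= TRR_THRESHOLD:
            # Targeted row refresh: a row opened this often is treated as an
            # aggressor and its neighbours are refreshed before they can flip.
            for n in self._neighbours(idx):
                self.refresh(n)
            row.activations = 0

    def read(self, idx):
        return self.rows[idx].data


def double_sided_hammer(bank, victim, iterations):
    """Alternately activate the rows on both sides of the victim row."""
    for _ in range(iterations):
        bank.activate(victim - 1)
        bank.activate(victim + 1)


def simulate(trr_enabled, iterations=60_000):
    # Constructed contents: row 2 is the victim, rows 1 and 3 are the aggressors.
    bank = DramBank([0xA5, 0x00, 0x3C, 0x00, 0xFF], trr_enabled)
    double_sided_hammer(bank, victim=2, iterations=iterations)
    return {
        "victim": bank.read(2),
        "outer": (bank.read(0), bank.read(4)),
        "flips": bank.flips,
    }


if __name__ == "__main__":
    for trr in (False, True):
        r = simulate(trr)
        print(f"TRR {'on ' if trr else 'off'}: victim=0x{r['victim']:02X} "
              f"outer={tuple(hex(v) for v in r['outer'])} flips={r['flips']}")
```

Running the script hammers for 60,000 iterations in each mode. Without TRR the sandwiched victim row receives twice the disturbance of the outer rows, which is why only it crosses the threshold and flips; with TRR the hammered rows trip the activation counter every 10,000 activations and their neighbours are refreshed, so the victim's disturbance never gets anywhere near the flip threshold. The model deliberately says nothing about ECC, since the article's point is that ECC does not stop RAMBleed's read side channel.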
Fortunately, RAMBleed has yet to be spotted in the wild. So far it is a proof of concept by a team of researchers from several universities, and now that they have published it, they have given enterprising hackers something to build on.
Awareness works both ways, of course: manufacturers are now on notice to test their DIMMs rigorously and to design ones with better TRR implementations.
Major hardware providers such as Oracle have already made their customers aware of RAMBleed and advised them to enable TRR if they have not already done so.