We have consistently seen various vectors of attack rear their head when it comes to Android smartphones. We’ve seen Shattered Trust, Cloak and Dagger, and Rowhammer, just to name a few. RAMpage is the latest one on the block, and while it is a hardware vulnerability, it doesn’t necessarily need physical access to your device to exploit. How it works is relatively simple.
When a CPU reads or writes a row of bits in the RAM module present on the device, the neighboring rows are slightly affected due to a tiny electric discharge. This isn’t usually a problem as we know RAM does this and that’s why it’s periodically refreshed to make sure nothing goes wrong. But what if we start “hammering” the same “row”? What if we continuously read or write to the same row in order to disrupt neighboring rows? This can cause a bit-flip in a memory row that we shouldn’t own or have access to at all. That’s what Rowhammer is, and it’s being used as part of a larger vulnerability called RAMpage. The CVE is CVE-2018-9442 and it affects devices shipped with LPDDR2, LPDDR3, or LPDDR4 RAM. We’ve already covered Rowhammer in greater depth
here.
The Team Behind RAMpage
Vrije Universiteit Amsterdam
TU Wien
EURECOM
*Harikrishnan Padmanabha Pillai, MSc.
IBM
UC Santa Barbara
UC Santa Barbara
Vrije Universiteit Amsterdam
Vrije Universiteit Amsterdam
What is RAMpage?
RAMpage isn’t exactly new, so to say. RAMpage is a hardware vulnerability which implements Rowhammer and other, smaller exploits. RAMpage can be used to gain root access on a device, but the researchers managed to get it to do a whole lot more as well. It could be used to bypass JavaScript sandboxes and even perform an attack running on another virtual machine on the same computer on x86 devices. ARM-based devices are also vulnerable, and that’s where our Android phones come in. DRAMMER stands for “Deterministic Rowhammer Attacks on Mobile Devices,” and it was able to be used against a number of Android phones in the past to gain root access.
How does RAMpage work?
RAMpage works primarily by abusing Android’s memory management system – the Android ION memory allocator. ION was introduced with Android 4.0 back at the end of 2011 and simply gives applications the memory they require to run. However, breaking this down means that you can access all memory on the device from within any application – an extremely dangerous situation. What was once protected memory no longer is once ION is broken down, and any malicious applications looking for data leakage could sift through this memory. While it’s hard to protect against DRAMMER (and, incidentally, Rowhammer) because it’s a hardware vulnerability, building safeguards around Android ION will mitigate most of the damage that can be done. The researchers call it GuardION and have released it open-source on GitHub.
What is GuardION?
GuardION is the proposed mitigation method put forward by those who discovered RAMpage. It simply sets up buffer rows around potentially exploitable software in RAM, such as Android ION. It’s a simple method, but it’s better for a few reasons. The first being that you obviously can’t replace the RAM module in every Android device released. The second is that, even in newer devices, hardware fixes will be harder on the battery as they will constantly have to refresh the memory. Hence protecting memory with software is easier. The researchers showed that GuardION has negligible memory overhead, better performance than Google’s attempts at preventing the exploit and prevents all known DMA (Direct Memory Access) attacks. However, while the researchers are in contact with Google, the company has determined that GuardION presents too large of a performance overhead for it to be incorporated into AOSP. GuardION doesn’t fix the hardware vulnerability, instead, it simply accounts for it and reduces the amount of damage it can do.
Am I vulnerable to RAMpage?
While chances are if you own an Android phone released since 2012 you are vulnerable, you can still install the DRAMMER test application from their official website below to see for yourself. While all of this seems scary, there is no public exploit available yet. While you should still be careful out there, there is currently no reason to worry as the exploit is not in the public domain. The researchers do not intend to release it at this point in time either. You can check out the original research paper below.