New RAMpage exploit revives Rowhammer attack to root Android devices

In late 2016, Google’s security team scrambled to fix a critical vulnerability that allowed attackers to gain unfettered root access to Android devices by using a relatively new class of exploit that manipulates data stored in memory chips. Now, 21 months later, many of the same researchers behind the attack, dubbed Drammer, are back to say that a large number of Android phones and tablets remain vulnerable to the rooting attacks because the patches Google deployed weren’t adequate. The original Rowhammer attack against PCs made it possible for an untrusted computer application to gain nearly unfettered system privileges or to bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources.

A later variation allowed JavaScript hosted on websites to effect the same security-sensitive bitflips. In the months following the Drammer disclosure, Google mitigated the damage that malicious apps could do by making changes to Android’s ION memory manager, which restricted access to physical contiguous kernel memory. In a research paper accompanying Wednesday’s post, the researchers introduced a mitigation they dubbed GuardION, which they describe as a practical and lightweight defense against RAMpage and most other Android-based Rowhammer attacks.

The researchers said Google engineers have yet to implement it because they “concluded that GuardION results in more ‘performance overhead’ on real-world apps than we report in our paper.” The researchers say they’re working with Google to find ways to reduce the performance costs GuardION has on real-world apps.

Source: arstechnica.com