
RAMpage: ARM-based DRAM Attack



This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A new attack targeting modern Android-based devices has been detailed in a research paper. Known as RAMpage, the authors of the paper claim it can be used to gain unauthorised access to a targeted device.


Threat details

RAMpage is a direct memory access (DMA) variant of the Rowhammer dynamic random access memory (DRAM) attack that targets the Android ION memory allocator. ION is used to allow user applications to access both contiguous (kmalloc heap) and non-contiguous (system heap) physical memory depending on the application's requirements.

Google have previously disabled kmalloc heap memory access on most devices to prevent attacks using the Drammer Rowhammer variant. RAMpage instead targets the system heap, either performing double-sided Rowhammer attacks to locate and exploit vulnerable physical bits or using Feng Shui to force the operating system kernel to expose vulnerable page tables. The attacks can result in an attacker gaining full control of the affected device.



Remediation steps

  • Google have confirmed an update is in production that will protect affected devices against RAMpage-based attacks. Users are advised to apply this patch as soon as it becomes available.
  • Additionally, the researchers have detailed a subsystem for the ION allocator called GuardION that they claim will protect against RAMpage attacks on affected devices. They are petitioning Google to implement this in their update; however, they have supplied their own proof-of-concept patches. Please note that these have not been tested or certified by NHS Digital, and users apply them at their own risk.



Last edited: 11 January 2022 3:40 pm