RAMpage is a recent vulnerability that bypasses all the security measures put in place to secure Android devices against the Rowhammer attack. It can gain root privilege to an Android device and steal any data available on it.
To understand the RAMpage attack better, we need to first understand the dynamic random access memory (DRAM) Rowhammer vulnerability and the Drammer attack.
DRAM Rowhammer vulnerability
The Rowhammer vulnerability first made waves in 2012 and involves a problem with the latest DRAM chips. When a row of memory is rapidly and continuously accessed—or “hammered”—adjacent rows of memory can experience bit flips. For example, cybercriminals can flip bits from 0 to 1 or vice versa, in search of exploiting this vulnerability.
Researchers from Google have demonstrated how effectively this vulnerability can be exploited by introducing the double-sided Rowhammer attack, which doubles the chances for a row to experience bit flips by hammering it from two different directions. Of course, not all Rowhammer attacks are successful; there’s always potential a bit flip will corrupt the data cybercriminals are looking to steal.
Put simply, a Rowhammer attack is a bit flip of a row of memory.
Drammer attack
The Drammer attack was the first official exploitation of the Rowhammer vulnerability in the wild, which was completed using a malicious app that ran on Android devices without any permissions or application vulnerabilities.
The Drammer attack utilizes direct memory access (DMA) which is offered by Android’s memory manager ION. DMA allows direct access to the memory location without accessing the CPU cache, which makes it quick and easy to hammer away at a row of memory. Another advantage for Drammer is the way ION organizes contiguous memory. The kmalloc heap (one of the several kernel heaps) was designed to divide physically-adjacent memory, but this simply showed attackers how the physical and virtual addresses were connected.
Google’s workaround for Drammer
After analyzing Drammer’s capabilities, Google pushed an update for Android that disabled the ION’s function of contiguous memory, which affected exploitation of the Rowhammer vulnerability by Drammer.
Now, what is the RAMpage attack?
After all the mitigations for Rowhammer, security researchers have identified another threat called RAMpage. Below are some scenarios that create the ideal environment for RAMpage to breach a network.
Researchers have stated there are three variants of RAMpage. These vulnerabilities are not easy to exploit, and cybercriminals would need a fair amount of knowledge in order to exploit any one of RAMpage’s three variants, but that doesn’t mean you should let your guard down. There are plenty of cybercriminals with all the know-how they need to get the job done.
How to combat RAMpage
Researchers have come up with a solution called GuardION, which introduces dummy or guard rows to isolate the DMA buffers.
GuardION is a patch for Android operating systems that modifies the ION memory process by introducing empty rows in front of and behind the targeted row, rendering RAMpage’s efforts ineffective.
GuardION comes with a price
Installing GuardION may negatively affect your device’s performance, as introducing blank rows consumes DRAM.
What’s the best advice for mitigating RAMpage?
RAMpage cannot be identified or detected, but avoiding downloading apps from unknown sources can help you stear clear of RAMpage. However, as any system administrator can attest, this is easier said than done. Even after educating users on the dangers of downloading games or anonymous applications, it still happens, which means the risk of RAMpage is always there.
Employing a mobile device management (MDM) solution can help you easily mitigate RAMpage. With Mobile Device Manager Plus, our comprehensive MDM solution, you can blacklist and whitelist apps, so users can only download apps you trust. Rather than deploying the GuardION patch, blacklisting apps can be an effective form of combat against the RAMpage attack.
Download Mobile Device Manager Plus to mitigate RAMpage without slowing down your Android devices.
Note: All Android devices dating back to 2012 can be affected by RAMpage.
