Mayhem Attack Distorts Bits in Memory to Bypass Sudo and OpenSSH Authentication

Researchers from the Worcester Polytechnic Institute presented a new attack, called Mayhem, that uses the Rowhammer technique to flip bits in dynamic RAM (DRAM) and thereby change the values of program variables that serve as flags in authentication and security checks. Practical demonstrations of the attack bypassed authentication in sudo, OpenSSH, MySQL and the OpenSSL library.

The attack applies to applications whose checks test whether a value differs from zero. For example:

enum { AUTH_FAILURE = 0, AUTH_SUCCESS = 1 };

int authenticate(void)
{
    int auth = 0;
    /* verification code sets auth to a non-zero value only on successful authentication */
    if (auth != 0)
        return AUTH_SUCCESS;
    else
        return AUTH_FAILURE;
}

In this example, the Mayhem attack distorts bits in the stack memory that holds the auth variable. Flipping any single bit of the variable makes its value non-zero, so the conditional treats the authentication as successful. Checks of this kind are common in applications such as sudo, OpenSSH, MySQL and OpenSSL.

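The following is an added example, not code from the article or from the Mayhem researchers. It models a single-bit fault on the authentication flag and compares the "auth != 0" pattern described above with a check against a dedicated success constant. The constant names AUTH_OK and AUTH_FAIL and their values are assumptions chosen for illustration: they are bitwise complements, so they differ in every bit and no single flip turns a failure sentinel into the success value.

```c
/* Added example (not from the article): simulate a single-bit memory fault on
 * an authentication flag and compare the "auth != 0" check with a check
 * against an exact success constant. AUTH_OK/AUTH_FAIL are assumed values. */
#include <stdint.h>
#include <stdio.h>

/* Assumed sentinels: bitwise complements of each other (Hamming distance 32). */
#define AUTH_OK   0x5AC3A5C3u
#define AUTH_FAIL 0xA53C5A3Cu

/* Vulnerable pattern from the article: any non-zero value means success. */
int weak_is_authenticated(uint32_t auth)
{
    return auth != 0;
}

/* Hardened pattern: only the exact success constant means success; every
 * other value, including a corrupted one, is treated as failure. */
int strong_is_authenticated(uint32_t auth)
{
    return auth == AUTH_OK;
}

/* Flip exactly one bit of a flag value, modelling the fault in memory. */
uint32_t flip_bit(uint32_t value, int bit)
{
    return value ^ (1u << bit);
}

/* Count how many of the 32 possible single-bit faults on a "not
 * authenticated" flag make the given check report success. */
int count_single_flip_bypasses(int (*check)(uint32_t), uint32_t not_authenticated)
{
    int bypasses = 0;
    for (int bit = 0; bit < 32; bit++) {
        if (check(flip_bit(not_authenticated, bit)))
            bypasses++;
    }
    return bypasses;
}

int main(void)
{
    /* The article's "int auth = 0;" flag: every single-bit flip bypasses it. */
    printf("weak check, flag=0:           %d/32 single-bit flips bypass\n",
           count_single_flip_bypasses(weak_is_authenticated, 0));
    /* Exact-constant check with a failure sentinel: no single flip bypasses it. */
    printf("strong check, flag=AUTH_FAIL: %d/32 single-bit flips bypass\n",
           count_single_flip_bypasses(strong_is_authenticated, AUTH_FAIL));
    /* Exact-constant check still holds if the flag were initialised to 0. */
    printf("strong check, flag=0:         %d/32 single-bit flips bypass\n",
           count_single_flip_bypasses(strong_is_authenticated, 0));
    return 0;
}
```

The weak check is bypassed by all 32 single-bit faults, the exact-constant check by none. Two caveats apply: the model covers only single-bit faults in the flag itself, not multi-bit corruption or faults in the code that computes the flag, and, as the article notes for register spills, the compiler may keep the flag in a register that is later saved to the stack, so the hardening concerns the value's encoding rather than where it lives.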
The attack can also affect the values of variables held in processor registers. During a context switch, register contents are temporarily saved to the stack, where the attack can distort them in memory; the distorted value is then restored into the register.

The bits are distorted with a variant of the Rowhammer class of attacks. DRAM is organised as a two-dimensional array of cells, each consisting of a capacitor and a transistor. Repeatedly reading the same area of memory causes voltage fluctuations that drain a small amount of charge from cells in neighbouring rows. If the reads are intensive enough, the adjacent cells lose so much charge that the next refresh cycle cannot restore their original state, and the data stored in those cells changes. To counter Rowhammer, manufacturers added the TRR (Target Row Refresh) mechanism, which prevents the distortion in some cases but does not cover every attack scenario.
