Researchers from Google’s Project Zero have released information about a new attack based on flipping bits in DDR3 memory. The attack uses an approach called Rowhammer, devised last year by a team from Carnegie Mellon University and Intel Labs. It relies on repeatedly writing to and reading from one region of memory in a very short time, which causes bits in adjacent memory to flip (the flips are made possible by electrical interaction between neighbouring memory cells, a consequence of their close proximity).
Using this principle, the Project Zero researchers created two exploits with which they successfully elevated user privileges on an x86-64 Linux system: by flipping bits in page table entries (PTEs), they obtained unrestricted access to the entire physical memory. In their announcement, they reported that the approach worked on machines with DDR3 memory lacking ECC (error correcting code); bit flips have not been observed on machines with ECC memory. The authors have released the source code of the test program used to determine whether a machine is vulnerable to Rowhammer, and it may be found here.