Row hammer (also written as rowhammer) is a security exploit that takes advantage of an unintended and undesirable side effect in dynamic random-access memory (DRAM) in which memory cells interact electrically between themselves by leaking their charges, possibly changing the contents of nearby memory rows that were not addressed in the original memory access. The initial research into the row hammer effect was published in June 2014. Rowhammer attacks work by accessing—or hammering—physical rows inside vulnerable chips millions of times per second in ways that cause bits in neighboring rows to flip, meaning 1s turn to 0s and vice versa.
Rowhammer is a vulnerability caused by leaking charges in DRAM cells that enables attackers to induce bit flips in DRAM memory. The Rowhammer issue, which has been known for over a decade, exists because cells on DRAM chips are smaller and closer to each other, making it difficult to prevent electrical interaction between them. Thus, by repeatedly accessing data in a row of memory, data in nearby rows may become corrupted.
Different methods have been developed for more or less successful detection, prevention, correction or mitigation of the row hammer effect, and further attacks have followed as well. To stop Rowhammer, DRAM implements a mitigation known as Target Row Refresh (TRR). ECC cannot provide complete protection against Rowhammer but makes exploitation harder.
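The ECC claim above is worth seeing concretely. ECC DIMMs store each 64-bit word with 8 extra bits, typically as a SECDED code: one flipped bit is corrected, two flipped bits are detected, and three or more can be silently miscorrected. The following is an added example (not code from the original post or from any DRAM vendor) that implements a SECDED extended Hamming code over a 64-bit word and shows each of those three outcomes; the bit layout and the sample word are constructed for illustration.

```python
"""SECDED (single-error-correct, double-error-detect) extended Hamming code
over a 64-bit word, as used for 72-bit ECC DRAM words. Added example with a
constructed bit layout; it is not a vendor's ECC implementation."""

DATA_BITS = 64
PARITY_BITS = 7                      # 2**7 = 128 >= 64 + 7 + 1
CODE_LEN = DATA_BITS + PARITY_BITS + 1   # 72 bits: position 0 = overall parity


def _data_positions():
    """Positions 1..71 that are not powers of two carry data bits."""
    return [p for p in range(1, CODE_LEN) if p & (p - 1) != 0]


def encode(word):
    """Return a 72-entry bit list: Hamming parity at positions 1,2,4,...,64,
    overall parity at position 0, data bits elsewhere."""
    code = [0] * CODE_LEN
    for i, pos in enumerate(_data_positions()):
        code[pos] = (word >> i) & 1
    for r in range(PARITY_BITS):
        p = 1 << r
        # even parity over every position whose index has bit p set
        code[p] = sum(code[pos] for pos in range(1, CODE_LEN)
                      if pos & p and pos != p) & 1
    code[0] = sum(code[1:]) & 1      # even parity over the whole word
    return code


def decode(code):
    """Return (status, word). status is 'clean', 'corrected' or 'uncorrectable'.
    Like real ECC logic, a 'corrected' status can hide an odd number >= 3 of
    flips: the syndrome then points at an innocent bit."""
    syndrome = 0
    for r in range(PARITY_BITS):
        p = 1 << r
        if sum(code[pos] for pos in range(1, CODE_LEN) if pos & p) & 1:
            syndrome |= p
    overall = sum(code) & 1          # 1 means an odd number of bits flipped
    corrected = list(code)
    if syndrome == 0 and overall == 0:
        status = "clean"
    elif overall == 1 and syndrome < CODE_LEN:
        corrected[syndrome] ^= 1     # assume a single flip and undo it
        status = "corrected"
    else:
        status = "uncorrectable"     # even flip count, or impossible syndrome
    word = 0
    for i, pos in enumerate(_data_positions()):
        word |= corrected[pos] << i
    return status, word


def flip_bits(code, positions):
    """Return a copy of code with the given bit positions inverted
    (a stand-in for Rowhammer-induced flips)."""
    out = list(code)
    for p in positions:
        out[p] ^= 1
    return out


def demo():
    """Show the three ECC outcomes on a constructed word. Returns a dict of
    (status, data_intact) per scenario."""
    word = 0xDEADBEEFCAFEBABE
    code = encode(word)
    scenarios = {
        "no flips": [],
        "one flip": [5],
        "two flips": [5, 6],
        "three flips": [3, 5, 6],     # syndrome cancels to 0: miscorrected
    }
    results = {}
    for name, flips in scenarios.items():
        status, out = decode(flip_bits(code, flips))
        results[name] = (status, out == word)
    return results


if __name__ == "__main__":
    for name, (status, intact) in demo().items():
        print(f"{name:12s} -> {status:14s} data intact: {intact}")
```

The three-flip case is the one that matters for the "not complete protection" point: the decoder reports a successful correction while handing back corrupted data. The positions 3, 5 and 6 were chosen so that their Hamming syndromes cancel; any other combination with the same property behaves the same way.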
In 2016 it was shown that Rowhammer bitflips can be used to root Android phones.
RAMBleed, published in 2019, is a side-channel attack that enables an attacker to read out physical memory belonging to other processes. The implications of violating arbitrary privilege boundaries are numerous.
Researchers have shown the attacks can be used to give untrusted applications nearly unfettered system privileges, bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources, and root or infect Android devices, among other things.
Now there are new findings. The new attack is called Blacksmith. Researchers say they used a new Rowhammer exploit to successfully flip bits on all 40 PC-DDR4 DRAM devices they tested, defeating recent hardware mitigations. Researchers built a “fuzzer” that supercharges potentially serious bitflipping exploits: Rowhammer exploits that allow unprivileged attackers to change or corrupt data stored in vulnerable memory chips are now possible on virtually all DDR4 modules due to a new approach that neuters defenses chip manufacturers added to make their wares more resistant to such attacks. The researchers conducted experiments on 40 DDR4 DIMMs (from Samsung, Micron, and SK Hynix) to explore the possibility of bypassing mitigations through “accessing aggressor rows in non-uniform access patterns.” They did not find any DIMMs that are completely safe. Some DIMMs are more vulnerable to these new Rowhammer patterns than others.
Blacksmith Rowhammer Fuzzer Bypasses Existing Protections. The Blacksmith attack demonstrates that DDR4 memory protections are broken wide open by the new Rowhammer technique. The researchers used non-uniform patterns that access two or more aggressor rows with different frequencies. The result: all 40 of the randomly selected DIMMs in a test pool experienced bitflips, up from 13 out of 42 chips tested in previous work from the same researchers. The non-uniform patterns work against Target Row Refresh (TRR), a technique used to mitigate earlier Row Hammer type attacks (it generally tracks the number of times a row is accessed and recharges neighboring victim rows when there are signs of abuse). It is still possible to trigger Rowhammer bit flips on all DRAM devices today despite deployed mitigations on commodity off-the-shelf systems with little effort. So the memory chips were not as resistant to Row Hammer type attacks as many people thought they were. This puts further pressure on chipmakers to try to mitigate the attacks.
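To make the TRR description above tangible, here is an added toy model (not the researchers' code, and not how any real DRAM controller is implemented) of the disturbance effect and of the counter-based mitigation the text describes: every activation of a row drains a little charge from its two neighbors, a periodic refresh restores all rows, and TRR, when enabled, counts activations per row and refreshes the neighbors of any row that exceeds a threshold within the refresh window. All constants (charge levels, thresholds, window length) are constructed assumptions chosen to make the effect visible; the model covers only the uniform, single-row access pattern that TRR was designed for.

```python
"""Toy model of DRAM row disturbance and a counter-based Target Row Refresh.
Added example with constructed constants; not a real DRAM or controller model."""
from collections import Counter

NUM_ROWS = 16
FULL_CHARGE = 1000        # cell charge right after a refresh (assumed unit)
FLIP_THRESHOLD = 500      # below this the cell reads back the wrong value
LEAK_PER_ACTIVATION = 1   # charge a neighbor loses per aggressor activation
REFRESH_WINDOW = 2000     # activations between periodic refreshes (tREFI stand-in)
TRR_THRESHOLD = 400       # per-row activations in a window that trigger TRR


def simulate(access_pattern, trr_enabled):
    """Replay a list of row activations and return the set of rows whose
    charge dropped below FLIP_THRESHOLD at any point (rows that would flip)."""
    charge = [FULL_CHARGE] * NUM_ROWS
    counts = Counter()          # the TRR tracker: activations per row
    flipped = set()

    def refresh_neighbors(row):
        for nb in (row - 1, row + 1):
            if 0 <= nb < NUM_ROWS:
                charge[nb] = FULL_CHARGE

    for n, row in enumerate(access_pattern, start=1):
        # electrical disturbance: each activation leaks charge from neighbors
        for nb in (row - 1, row + 1):
            if 0 <= nb < NUM_ROWS:
                charge[nb] -= LEAK_PER_ACTIVATION
                if charge[nb] < FLIP_THRESHOLD:
                    flipped.add(nb)
        # TRR: refresh victims of a row that is being activated too often
        if trr_enabled:
            counts[row] += 1
            if counts[row] >= TRR_THRESHOLD:
                refresh_neighbors(row)
                counts[row] = 0
        # periodic refresh restores every row and resets the tracker
        if n % REFRESH_WINDOW == 0:
            charge = [FULL_CHARGE] * NUM_ROWS
            counts.clear()
    return flipped


def compare(pattern):
    """Return (flips without TRR, flips with TRR) for one access pattern."""
    return simulate(pattern, trr_enabled=False), simulate(pattern, trr_enabled=True)


if __name__ == "__main__":
    # constructed patterns: normal spread-out traffic vs. one row hit 1500 times
    normal_traffic = list(range(NUM_ROWS)) * 100
    single_row_hot = [7] * 1500
    print("normal traffic :", compare(normal_traffic))
    print("single hot row :", compare(single_row_hot))
```

In this model the hot row drains its neighbors by 1500 units within one refresh window, well past the flip threshold, whereas the tracker refreshes them every 400 activations and they never drop below 600. The limitation the Blacksmith work exploits is outside this model: a real tracker has finite state and sampling rules, which is exactly what the non-uniform, multi-frequency patterns in the paper probe.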
Blacksmith Demo – showing how easy and quick it is to find bit flips on TRR-enabled DDR4 devices
Researchers evaluated the exploitability of these bit flips based on three attacks from previous work: an attack targeting the page frame number of a page table entry (PTE) to pivot it to an attacker-controlled page table page, an attack on the RSA-2048 public key that allows recovering the associated private key used to authenticate to an SSH host, and an attack on the password verification logic of the sudoers.so library that enables gaining root privileges.
For more details read the research paper BLACKSMITH: Scalable Rowhammering in the Frequency Domain.
DDR4 memory protections are broken wide open by new Rowhammer technique
BLACKSMITH: Scalable Rowhammering in the Frequency Domain
Blacksmith: Rowhammer Fuzzer Bypasses Existing Protections