Dynamic random flip memory

Row hammer (also written as rowhammer) is a security exploit that takes advantage of an unintended and undesirable side effect in dynamic random-access memory (DRAM) in which memory cells interact electrically between themselves by leaking their charges, possibly changing the contents of nearby memory rows that were not addressed in the original memory access. The initial research into the row hammer effect was published in June 2014. Rowhammer attacks work by accessing—or hammering—physical rows inside vulnerable chips millions of times per second in ways that cause bits in neighboring rows to flip, meaning 1s turn to 0s and vice versa.

Rowhammer is a vulnerability caused by leaking charges in DRAM cells that enables attackers to induce bit flips in DRAM memory. The Rowhammer issue, which has been around for over one decade, exists because cells on DRAM chips are smaller and closer to each other, making it difficult to prevent electrical interaction between them. Thus, by repeatedly accessing data in a row of memory, data in nearby rows may become corrupted.
Different methods have been developed for more or less successful detection, prevention, correction or mitigation of the row hammer effect, and more attacks have been developed as well. To stop Rowhammer, DRAM implements a mitigation known as Target Row Refresh (TRR). ECC cannot provide complete protection against Rowhammer but makes exploitation harder.
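Because ECC corrects some flips rather than preventing them, the corrected-error counters it maintains are something a defender can watch. The sketch below is an added example, not code from the article or from the Blacksmith project: it polls the Linux EDAC sysfs counters (`ce_count` and `ue_count` per memory controller) and flags bursts. The threshold of 10 and the polling interval are assumed tuning values.

```python
import glob
import os
import time

EDAC_ROOT = "/sys/devices/system/edac/mc"  # Linux EDAC sysfs tree

def read_counters(root=EDAC_ROOT):
    """Return {controller: (corrected, uncorrected)} for each mc* directory."""
    counters = {}
    for mc_dir in sorted(glob.glob(os.path.join(root, "mc[0-9]*"))):
        try:
            with open(os.path.join(mc_dir, "ce_count")) as f:
                ce = int(f.read().strip())
            with open(os.path.join(mc_dir, "ue_count")) as f:
                ue = int(f.read().strip())
        except (OSError, ValueError):
            continue  # counter missing or unreadable: skip this controller
        counters[os.path.basename(mc_dir)] = (ce, ue)
    return counters

def assess(previous, current, ce_threshold=10):
    """Compare two snapshots; return a list of (controller, severity, detail)."""
    findings = []
    for mc, (ce, ue) in current.items():
        prev_ce, prev_ue = previous.get(mc, (ce, ue))  # new controller: no delta
        d_ce, d_ue = ce - prev_ce, ue - prev_ue
        if d_ce < 0 or d_ue < 0:
            continue  # counters were reset (e.g. driver reload): re-baseline
        if d_ue > 0:
            findings.append((mc, "critical", f"{d_ue} uncorrected error(s)"))
        elif d_ce >= ce_threshold:  # ce_threshold is an assumed value
            findings.append((mc, "warning", f"{d_ce} corrected errors in interval"))
    return findings

def monitor(interval=60, root=EDAC_ROOT, ce_threshold=10):
    """Poll forever and print findings for each interval."""
    previous = read_counters(root)
    while True:
        time.sleep(interval)
        current = read_counters(root)
        for mc, severity, detail in assess(previous, current, ce_threshold):
            print(f"[{severity}] {mc}: {detail}")
        previous = current

if __name__ == "__main__":
    monitor()
```

A burst of corrected errors can also come from a failing DIMM, so a finding is a prompt to investigate what was running on the host at the time, not proof of hammering.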

In 2016 it was shown that Rowhammer bitflips can be used to root Android phones.

RAMBleed, published in 2019, is a side-channel attack that enables an attacker to read out physical memory belonging to other processes. The implications of violating arbitrary privilege boundaries are numerous.

Researchers have shown the attacks can be used to give untrusted applications nearly unfettered system privileges, bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources, and root or infect Android devices, among other things.

Now there are new findings. The new attack is called Blacksmith. Researchers say they used a new Rowhammer exploit to successfully flip bits on all 40 PC-DDR4 DRAM devices they tested, defeating recent hardware mitigations. The researchers built a “fuzzer” that supercharges potentially serious bitflipping exploits: Rowhammer exploits that allow unprivileged attackers to change or corrupt data stored in vulnerable memory chips are now possible on virtually all DDR4 modules due to a new approach that neuters defenses chip manufacturers added to make their wares more resistant to such attacks. The researchers conducted experiments on 40 DDR4 DIMMs (from Samsung, Micron, and SK Hynix) to explore the possibility of bypassing mitigations through “accessing aggressor rows in non-uniform access patterns.” They did not find any DIMMs that are completely safe. Some DIMMs are more vulnerable to these new Rowhammer patterns than others.

Blacksmith Rowhammer Fuzzer Bypasses Existing Protections. The Blacksmith attack demonstrates that DDR4 memory protections are broken wide open by a new Rowhammer technique. The researchers used non-uniform patterns that access two or more aggressor rows with different frequencies. The result: all 40 of the randomly selected DIMMs in a test pool experienced bitflips, up from 13 out of 42 chips tested in previous work from the same researchers. The non-uniform patterns work against Target Row Refresh (TRR), a technique used to mitigate earlier Row Hammer type attacks (it generally tracks the number of times a row is accessed and recharges neighboring victim rows when there are signs of abuse). It is still possible to trigger Rowhammer bit flips on all DRAM devices today despite deployed mitigations on commodity off-the-shelf systems with little effort. So the memory chips were not as resistant to Row Hammer type attacks as many people thought they were. This puts further pressure on chipmakers to try to mitigate the attacks.

Blacksmith Demo – showing how easy and quick it is to find bit flips on TRR-enabled DDR4 devices

This result has a significant impact on the system’s security as DRAM devices in the wild cannot easily be fixed, and previous work showed real-world Rowhammer attacks are practical, for example, in the browser using JavaScript, on smartphones, across VMs in the cloud, and even over the network.

Researchers evaluated the exploitability of these bit flips based on three attacks from previous work: an attack targeting the page frame number of a page table entry (PTE) to pivot it to an attacker-controlled page table page, an attack on the RSA-2048 public key that allows recovering the associated private key used to authenticate to an SSH host, and an attack on the password verification logic of the sudoers.so library that enables gaining root privileges.

For more details read the research paper BLACKSMITH: Scalable Rowhammering in the Frequency Domain.

Sources:
DDR4 memory protections are broken wide open by new Rowhammer technique
Blacksmith
BLACKSMITH: Scalable Rowhammering in the Frequency Domain
Blacksmith: Rowhammer Fuzzer Bypasses Existing Protections

4 Comments

  1. jigsaw puzzle says:

    Many researchers have demonstrated that repeatedly accessing specific storage locations in memory can cause bit flips – that is, bits in adjacent rows are changed from 0 to 1 and vice versa
    https://jigsawpuzzle.io

  2. Tomi Engdahl says:

    BLACKSMITH: Scalable Rowhammering in the Frequency Domain
    https://comsec.ethz.ch/wp-content/files/blacksmith_sp22.pdf
    Blacksmith Rowhammer Fuzzer
    https://github.com/comsec-group/blacksmith
    This repository provides the code accompanying the paper Blacksmith: Scalable Rowhammering in the Frequency Domain that is to appear in the IEEE conference Security & Privacy (S&P) 2022.
    This is the implementation of our Blacksmith Rowhammer fuzzer. This fuzzer crafts novel non-uniform Rowhammer access patterns based on the concepts of frequency, phase, and amplitude. Our evaluation on 40 DIMMs showed that it is able to bypass recent Target Row Refresh (TRR) in-DRAM mitigations effectively and as such could trigger bit flips on all 40 tested DIMMs.
