A seven-year-old flaw in DRAM chips is making another comeback. Google revealed this week that it has discovered a new technique, Half-Double, that can be used to exploit the Rowhammer bug, which was thought to have been fixed with the release of DDR4.
Rowhammer was discovered in 2014 when researchers showed that it was possible to manipulate data stored in DDR3 memory by repeatedly accessing ("hammering") a single row of memory cells to cause bit flips in adjacent rows.
Manufacturers responded with Target Row Refresh (TRR) mitigations, but in March 2020, researchers showed that it was possible to bypass those protections in a paper titled "TRRespass: Exploiting the Many Sides of Target Row Refresh."
But TRRespass still operated under the assumption that Rowhammer attacks were only capable of affecting rows of memory adjacent to the row being hammered. Google said that doesn't seem to be the case, which is where Half-Double comes in.
"Unlike TRRespass, which exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate," Google said. "This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances greater than two are conceivable."
Google said it has been working with JEDEC, a trade group devoted to open standards for the semiconductor industry that counts more than 300 companies among its members, and "other industry partners" on solutions to Rowhammer.
"We are disclosing this work because we believe that it significantly advances the understanding of the Rowhammer phenomenon, and that it will help both researchers and industry partners to work together, to develop lasting solutions," Google said. "The challenge is substantial and the ramifications are industry-wide. We encourage all stakeholders (server, client, mobile, automotive, IoT) to join the effort to develop a practical and effective solution that benefits all of our users."