Skip to main content

Rowhammer Attacks Pushed Through Despite Security Mitigations

(Image credit: Gricenko Dmitry/Shutterstock)

Researchers from ETH Zurich and Vrije University revealed yesterday that DDR4 and LPDDR4 memory is still vulnerable to Rowhammer attacks despite the Target Row Refresh (TRR) mitigations that were implemented to defend against them.

Rowhammer attacks, which were discovered in 2014, repeatedly access a single row of memory cells to cause bit flips in adjacent rows. Attackers could theoretically use Rowhammer to corrupt, alter or steal data from memory via these bit flips.

  • Best RAM: Desktop DDR4 memory for gaming and productivity

The memory industry responded by adopting TRR mitigations in DDR4 memory. But the researchers discovered that it's possible to work around those mitigations in some memory products using a fuzzing tool they developed called TRRespass.

TRRespass "repeatedly selects random different rows at various locations in DRAM for hammering," the researchers said, to determine if any of them are vulnerable to Rowhammer attacks. From there, it's simply a matter of conducting the attack.

The researchers said they used TRRespass to test "the three major memory vendors (compromising more than 99% of the market) using 42 DIMMs." The utility found bit flips--which indicate vulnerability to Rowhammer attacks--on 12 of the DIMMs.

That implies 30 were okay, but the team said "this does not mean that they are safe," because "finding the right hammering pattern could be just a matter of time for our fuzzer or we may need additional parameters to improve the fuzzing strategy."

Unfortunately, these vulnerabilities exist on the hardware level; they can't simply be patched like a security flaw in software. 

More information is available via the researchers' paper (PDF) as well as the GitHub repository for TRRespass.

  • digitalgriffin
    Fascinating.

    Memory needs to be constantly refreshed to keep it's contents. That's why you lose contents when powers off. However writing new values causes a temporary surge in power to change the bits. This leads to a small EMF (Magnetic field) surge as well. When you hit the same row line over and over again this causes the field to build, till the magnetic field spills over in the adjacent row. This causes the bits to flip. That's how row hammer works. It affected DDR3.

    That said, it WAS to be mitigated by restricting how fast the same row could be written too. If they found they could still flip bits, I would be betting it would be on faster memory that runs on a higher voltages. (1.35V)
    Reply
  • Rob1C
    There's some more information here: https://nvd.nist.gov/vuln/detail/CVE-2020-10255 and AMD has commented on some mitigations for this newest RowHammer https://www.amd.com/en/corporate/product-security - on Epyc (with memory encryption) a DOS is likely the worst that can happen.
    Reply