DDR4 memory is even more susceptible to Rowhammer attacks than anyone thought


Rowhammer exploits, which allow attackers to alter or corrupt data stored in vulnerable memory chips, are now possible on nearly all DDR4 modules thanks to a new approach that neuters the defenses chip makers added to make their wares more resistant to such attacks.

Rowhammer attacks work by repeatedly accessing, or "hammering," physical rows inside vulnerable chips millions of times per second, causing bits in neighboring rows to flip, meaning 1s become 0s and vice versa. Researchers have shown that the attacks can be used to grant untrusted applications virtually unfettered system privileges, bypass security sandboxes designed to prevent malicious code from accessing sensitive operating system resources, and root or infect Android devices, among other things.

All previous Rowhammer attacks have hammered rows with uniform patterns, such as single-sided, double-sided, or n-sided. In all three cases, these "aggressor" rows, meaning the ones that cause the bit flips in nearby "victim" rows, are accessed the same number of times.

[Figure: Rowhammer access patterns from previous work, showing the spatial arrangement of aggressor rows (black) and victim rows (orange and cream) in DRAM memory. Credit: Jattke et al.]

[Figure: Relative activation frequency, that is, the number of times each aggressor row in a Rowhammer pattern is activated. Note that the aggressors are hammered uniformly. Credit: Jattke et al.]

Bypassing all in-DRAM mitigation


Research published on Monday introduced a new Rowhammer technique. It uses non-uniform patterns that access two or more aggressor rows with different frequencies. The result: all 40 of the randomly selected DIMMs in a test pool experienced bit flips, up from 13 of the 42 chips tested in past work from the same researchers.

"We found that by creating special memory access patterns we can bypass all of the mitigations deployed inside DRAM," research authors Kaveh Razavi and Patrick Jattke wrote in an email. "This increases the number of devices that can potentially be hacked with known attacks to 80 percent, according to our analysis. These issues cannot be fixed due to their hardware nature and will remain with us for many years to come."

The non-uniform patterns work against target row refresh. Abbreviated as TRR, the mitigation works differently from vendor to vendor, but it typically tracks the number of times a row is accessed and refreshes neighboring victim rows when there are signs of abuse. Neutering this defense puts further pressure on chip makers to mitigate a class of attacks that many thought recent generations of memory chips were resistant to.

In Monday’s paper, the researchers wrote:

The proprietary, unspecified in-DRAM TRR is currently the only mitigation between Rowhammer and attackers exploiting it in a variety of scenarios, such as browsers, mobile phones, the cloud, and even over the network. In this paper, we show how deviating from known uniform Rowhammer access patterns allows attackers to flip bits on all 40 recently acquired DDR4 DIMMs, 2.6× more than the state of the art. The effectiveness of these new non-uniform patterns in circumventing TRR highlights the need for a more theoretical approach to address Rowhammer.

Serious consequences

The effects of past Rowhammer demonstrations have been dire. In one case, researchers were able to gain unrestricted access to all physical memory by flipping bits in a page table entry, which maps memory address locations. The same research also demonstrated how untrusted applications can gain root privileges. In another case, researchers used Rowhammer to extract a 2048-bit encryption key from memory.

Razavi and Jattke said that one of their students was able to use the new approach to reproduce the crypto key attack, and that simulations show other attacks are also possible. The researchers have not fully reimplemented the earlier attacks because of the significant engineering effort required.

The researchers implemented the non-uniform access patterns using a custom-built "fuzzer," software that finds bugs by automatically feeding quasi-random or malformed input into a piece of hardware or software. The researchers then pointed Blacksmith, as they named the fuzzer, at a wide variety of DDR4 modules; DDR4 makes up about 94 percent of the DRAM market.

For our evaluation, we considered a test pool of 40 DDR4 devices covering three major manufacturers (Samsung, Micron, SK Hynix), including 4 devices that did not report their manufacturer. We let our Blacksmith fuzzer run for 12 hours to assess its ability to find effective patterns. After that, we report the best pattern (based on the number of total bit flips triggered) and the number of bit flips over a contiguous memory area of 256 MB. The results in Table 1 show that our Blacksmith fuzzer is able to trigger bit flips on all 40 DRAM devices, with a large number of bit flips particularly on devices from [two unnamed manufacturers].

We also evaluated the exploitability of these bit flips based on three attacks from previous work: an attack targeting the page frame number of a page table entry (PTE) to pivot it to an attacker-controlled page table entry, an attack on the RSA-2048 public key that allows recovery of the corresponding private key used to authenticate an SSH host, and an attack on the password verification logic of the sudoers.so library that enables root privileges to be obtained.

Representatives for Micron, Samsung and Hynix did not respond to emails seeking comment for this post.

Slowly gaining momentum

PCs, laptops, and mobile phones are the most affected by the new findings. Cloud services such as AWS and Azure are largely protected from Rowhammer because they use higher-end chips that include a defense known as ECC, short for error-correcting code. The protection works by using what are known as memory words to store redundant check bits next to the data bits inside the DIMM. CPUs use these words to quickly detect and correct flipped bits.

ECC was originally designed to protect against a naturally occurring phenomenon in which cosmic rays flip bits in DIMMs. After Rowhammer appeared, ECC grew in importance when it was shown to be the most effective defense. But research published in 2018 showed that, contrary to what many experts believed, ECC can also be bypassed once the ECC scheme used in DDR3 DIMMs has been reverse-engineered.
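The memory-word ECC described above, as an added illustration that is not code from the article or from the Blacksmith paper: a textbook SECDED (single-error-correct, double-error-detect) Hamming code in Python. The bit layout is a simplifying assumption (real DIMM codes differ); it shows why a lone flipped bit is corrected, two flips are caught, and three flips in one word can be silently mis-corrected, which is why ECC is a mitigation rather than a guarantee.

```python
def _num_parity_bits(n_data):
    # Smallest r with 2**r >= n_data + r + 1 (Hamming bound); 64 data bits need r = 7.
    r = 0
    while (1 << r) < n_data + r + 1:
        r += 1
    return r

def encode(data_bits):
    """Encode a list of 0/1 data bits into a SECDED codeword.
    Index 0 holds the overall parity bit; indices that are powers of two
    hold Hamming parity bits; every other index holds a data bit."""
    n, r = len(data_bits), _num_parity_bits(len(data_bits))
    total = n + r
    code = [0] * (total + 1)
    data_iter = iter(data_bits)
    for pos in range(1, total + 1):
        if pos & (pos - 1):                  # not a power of two: data slot
            code[pos] = next(data_iter)
    for i in range(r):
        p = 1 << i                           # parity bit p covers positions with bit i set
        code[p] = sum(code[q] for q in range(1, total + 1) if q & p and q != p) & 1
    code[0] = sum(code[1:]) & 1              # overall parity over the whole word
    return code

def decode(code):
    """Return (status, data_bits). status is 'ok', 'corrected' (one flip fixed)
    or 'uncorrectable' (two flips detected). Three or more flips can fool it."""
    total = len(code) - 1
    code = list(code)
    syndrome = 0
    for pos in range(1, total + 1):
        if code[pos]:
            syndrome ^= pos                  # XOR of set positions locates a single flip
    odd = sum(code) & 1                      # overall parity: 1 means an odd flip count
    if syndrome == 0 and odd == 0:
        status = 'ok'
    elif odd and syndrome <= total:          # odd count: assume exactly one flip
        code[syndrome] ^= 1                  # syndrome 0 means the overall parity bit
        status = 'corrected'
    else:                                    # even count with nonzero syndrome: two flips
        status = 'uncorrectable'
    data = [code[q] for q in range(1, total + 1) if q & (q - 1)]
    return status, data

def flip(code, *positions):
    """Constructed fault injection for the demo: toggle the given codeword positions."""
    out = list(code)
    for p in positions:
        out[p] ^= 1
    return out
```

Flipping positions 3, 5 and 6 of a codeword leaves a zero syndrome with odd parity, so the decoder "corrects" the parity bit and hands back corrupted data with status 'corrected'.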

“DDR4 systems with ECC are likely to be more absorbent after reverse-engineering the ECC functions,” said researchers Razavi and Jatke.

In addition to ETH Zurich's Razavi and Jattke, the team behind the research also includes Qualcomm's Victor van der Veen, VU Amsterdam's Pietro Frigo, and Stijn Günter. The title of their paper is Blacksmith: Scalable Rowhammering in the Frequency Domain.

The researchers also cited their previous TRR research, mentioned earlier, and findings showing that running chips in double refresh mode is a "weak solution not providing full protection" against Rowhammer. The researchers also noted that doubling the refresh rate increases performance overhead and power consumption.

The picture that emerges from this latest research is that Rowhammer still doesn't pose much of a threat in the real world, but that the steady advance of these attacks over the years may one day change that.

"Finally, our work confirms that the DRAM vendors' claims about Rowhammer protections are false and lure you into a false sense of security," the researchers wrote. "All currently deployed mitigations are insufficient to fully protect against Rowhammer. Our new patterns show that attackers can exploit systems more easily than previously thought."
