Cybersecurity researchers have demonstrated yet another variation of the Rowhammer attack that affects all DRAM (dynamic random-access memory) chips, bypassing currently deployed mitigations and thereby effectively compromising device security.
The new technique, called “Blacksmith” (CVE-2021-42114, CVSS score: 9.0), is designed to trigger bit flips on Target Row Refresh-enabled DRAM chips using new “non-uniform and frequency-based” memory access patterns, according to a study published by academics from ETH Zurich, Vrije Universiteit Amsterdam and Qualcomm Technologies.
Rowhammer, originally unveiled in 2014, refers to a fundamental hardware vulnerability that can be used to alter or corrupt memory contents. It takes advantage of DRAM’s densely packed, matrix-like memory cell architecture: repeatedly accessing certain rows (also called “aggressors”) induces an electrical disturbance large enough to make the capacitors in adjacent rows leak charge faster, flipping bits stored in the “victim” rows next to them.
A double-sided Rowhammer access pattern places a victim row between two aggressor rows, maximizing bit flips in the victim row. Another method, called Half-Double, as established by Google researchers earlier in May, exploits the weak coupling between two memory rows that are not immediately adjacent but one row removed, to manipulate data stored in memory and, in principle, even gain unhindered access to the system.
To counter attacks of this kind, modern memory modules are equipped with a dedicated in-memory defense mechanism called Target Row Refresh (TRR), which aims to detect aggressor rows that are frequently accessed and refresh their neighbors before charge leakage results in data corruption, thereby preventing any bit flips.
Recent research, such as TRRespass, SMASH, and Half-Double, has found that TRR-based mitigation alone is insufficient to fully protect devices against Rowhammer attacks. Blacksmith is the latest work to join the list of methods that can completely bypass TRR protection to enable bit errors on TRR-enabled DDR4 devices.
The approach involves performing a series of experiments to identify complex “non-uniform” patterns, in which different numbers of aggressor rows are hammered with different frequencies, phases, and amplitudes, that can still bypass TRR. The study found at least one pattern that triggered Rowhammer bit errors across 40 DDR4 devices from Samsung, Micron, SK Hynix and an unnamed manufacturer.
That said, there may be a light at the end of the tunnel: TRR is to be replaced by a new line of defense called “refresh management” in DDR5 DRAM modules, a mechanism that “keeps track of activations in a bank and issues selective updates to highly activated rows when a threshold is reached.”
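The threshold-based tracking described in that quote can be sketched as a simplified model; this is an added example, not code from the study or from the DDR5 specification. The threshold of 32, the one-row blast radius and both activation traces are constructed assumptions, chosen to show that per-row counting caps what any victim row absorbs at 2 × threshold − 1 however the activations are distributed.

```python
from collections import defaultdict
from itertools import cycle, islice

THRESHOLD = 32  # assumed value for illustration, not a DDR5 parameter

def simulate(trace, threshold=None):
    """Replay row activations for one bank.

    Returns (worst disturbance any row absorbed, selective refreshes issued).
    threshold=None models a bank with no activation tracking at all.
    """
    acts = defaultdict(int)     # activations per row since its counter reset
    disturb = defaultdict(int)  # neighbour activations absorbed since last refresh
    worst = refreshes = 0
    for row in trace:
        acts[row] += 1
        disturb[row] = 0                   # activating a row restores its own charge
        for victim in (row - 1, row + 1):  # assumed blast radius of one row
            disturb[victim] += 1
            worst = max(worst, disturb[victim])
        if threshold is not None and acts[row] >= threshold:
            for victim in (row - 1, row + 1):
                disturb[victim] = 0        # selective refresh of the neighbours
            acts[row] = 0
            refreshes += 1
    return worst, refreshes

# Constructed traces: a double-sided pattern around row 11, and a non-uniform
# one where rows are activated at different frequencies alongside unrelated rows.
DOUBLE_SIDED = list(islice(cycle([10, 12]), 10_000))
NON_UNIFORM = list(islice(cycle([10, 10, 10, 12, 20, 10, 12, 30, 30, 12]), 10_000))

if __name__ == "__main__":
    for name, trace in (("double-sided", DOUBLE_SIDED), ("non-uniform", NON_UNIFORM)):
        untracked, _ = simulate(trace)
        tracked, issued = simulate(trace, THRESHOLD)
        print(f"{name}: worst disturbance {untracked} untracked, "
              f"{tracked} with tracking ({issued} selective refreshes)")
```

The model counts every row exactly, which is the idealised case; it says nothing about how a real device bounds the cost of that bookkeeping.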
“The trend in DRAM manufacturing is to make the chips denser to pack more memory of the same size, which inevitably results in increased interdependence between memory cells, making Rowhammer a persistent problem,” Google’s open source team said last week, in parallel with announcing what is called the Rowhammer Tester platform to “experiment with new types of attacks and find better Rowhammer reduction techniques.”