Rowhammer exploits that allow unprivileged attackers to modify or corrupt data stored on vulnerable memory chips are now possible on virtually all DDR4 modules, thanks to a new approach that bypasses the defenses chip manufacturers have added to make their wares more resistant to such attacks.
Rowhammer attacks work by repeatedly accessing, or “hammering”, physical rows in vulnerable chips, millions of times per second, in ways that cause bits in adjacent rows to flip, meaning 1’s turn into 0’s and vice versa. Researchers have shown that the attacks can be used to grant untrusted applications nearly unfettered system privileges, bypass security sandboxes designed to prevent malicious code from accessing sensitive operating system resources, and root or infect Android devices, among other things.
All previous Rowhammer attacks have hammered rows in uniform patterns such as single-sided, double-sided, or n-sided. In all three cases, these “aggressor” rows – that is, the rows that cause bitflips in nearby “victim” rows – are opened the same number of times.
Bypass all in-DRAM restrictions
Research published Monday presented a new Rowhammer technique. It uses non-uniform patterns that access two or more aggressor rows at different frequencies. The result: All 40 randomly selected DIMMs in a test pool experienced bitflips, up from 13 of the 42 chips tested in previous work by the same researchers.
“We found that by creating special memory access patterns, we can circumvent any limitations implemented in DRAM,” Kaveh Razavi and Patrick Jattke, two of the study authors, wrote in an email. “This increases the number of devices potentially hacked with known attacks by up to 80 percent, according to our analysis. These issues are unpatchable due to their hardware nature and will remain with us for many years to come.”
The non-uniform patterns work against Target Row Refresh. Abbreviated as TRR, the mitigation works differently from vendor to vendor, but generally tracks the number of times a row is accessed and refreshes the adjacent victim rows when there are signs of abuse. Defeating this defense puts pressure on chipmakers to mitigate a class of attacks that many people believed more recent types of memory chips were resistant to.
In Monday’s paper, the researchers wrote:
Patented, undocumented in-DRAM TRR is currently the only constraint between Rowhammer and attackers who exploit it in various scenarios, such as browsers, mobile phones, the cloud and even over the network. In this article, we show how deviations from known uniform Rowhammer access patterns allow attackers to flip bits on all 40 recently acquired DDR4 DIMMs, 2.6× more than the prior art. The effectiveness of these new non-uniform patterns in circumventing TRR highlights the need for a more principled approach to tackling Rowhammer.
The effects of previous Rowhammer demonstrations were severe. In one case, researchers were able to gain unrestricted access to all physical memory by flipping bits in the page table, which maps the memory address locations. The same study also showed how untrusted applications could be given root privileges. In another case, researchers used Rowhammer to pluck a 2048-bit encryption key from memory.
Razavi and Jattke said one of their students could use the new approach to reproduce the crypto key attack, and simulations suggest the other attacks are also possible. The researchers have not fully implemented the previous attacks due to the significant amount of engineering required.
The researchers implemented the non-uniform access patterns using a custom “fuzzer,” software that detects bugs by automatically feeding malformed or semi-random input into a piece of hardware or software. The researchers then pointed Blacksmith, the name they gave the fuzzer, at a wide variety of DDR4 modules from vendors that make up about 94 percent of the DRAM market.
For our review, we considered a test pool of 40 DDR4 devices for the three major manufacturers (Samsung, Micron, SK Hynix), including 4 devices that did not report their manufacturer. We ran our Blacksmith fuzzer for 12 hours to assess its ability to find effective patterns. After that, we swept the best pattern (based on the number of total bit-flips triggered) over a contiguous 256MB area of memory and report the number of bit-flips. The results in Table 1 show that our Blacksmith fuzzer can trigger bitflips on all 40 DRAM devices with a high number of bitflips, especially on devices from [two unnamed manufacturers].
We also evaluated the exploitability of these bitflips based on three attacks from previous work: an attack targeting the page frame number of a page table entry (PTE) to turn it to an attacker-controlled page table page, an attack on the RSA-2048 public key which can recover the associated private key used to authenticate to an SSH host, and an attack on the password authentication logic of the sudoers.so library that can gain root privileges.
Representatives from Micron, Samsung and Hynix did not respond to emails requesting comment for this post.
Gradually gaining speed
PCs, laptops and mobile phones are the most affected by the new findings. Cloud services like AWS and Azure remain largely safe from Rowhammer because they use more advanced chips with a defense known as ECC, short for Error Correcting Code. The protection works by using so-called memory words to store redundant control bits in addition to the data bits in the DIMMs. CPUs use these words to quickly detect and repair flipped bits.
ECC was originally designed to protect against a naturally occurring phenomenon in which cosmic rays flip bits in DIMMs. After Rowhammer appeared, ECC’s importance grew as it was shown to be the most effective defense. But research published in 2018 found that, contrary to popular belief, ECC can also be bypassed after reverse engineering the mitigation in DDR3 DIMMs.
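To make the two ECC paragraphs concrete, here is an added example (not code from the article or from the Blacksmith authors) of a toy SECDED Hamming code of the kind ECC DIMMs use: an 8-bit data word is stored with 5 redundant check bits, one flipped bit is detected and repaired, two flipped bits are detected but cannot be repaired, and a particular three-bit flip is silently mis-corrected, which is the gap the 2018 ECC research exploited. The even-parity, power-of-two check-bit layout is a textbook choice assumed here, not a description of any vendor's implementation.

```python
# Added example (not from the article): a toy SECDED Hamming code of the kind
# ECC DIMMs use, storing an 8-bit data word with 5 redundant check bits.
# Assumes even parity and the classic power-of-two check-bit layout.
DATA_BITS = 8
PARITY_POS = [1, 2, 4, 8]                                    # Hamming check bits
DATA_POS = [p for p in range(1, 13) if p not in PARITY_POS]  # 3,5,6,7,9,10,11,12
WORD_LEN = 13                                                # index 0 = overall parity

def encode(byte: int) -> list[int]:
    """Return the 13-bit memory word (as a list of 0/1) for one data byte."""
    word = [0] * WORD_LEN
    for i, pos in enumerate(DATA_POS):
        word[pos] = (byte >> i) & 1
    for p in PARITY_POS:  # each check bit makes the positions it covers even-parity
        word[p] = sum(word[i] for i in range(1, WORD_LEN) if i & p) & 1
    word[0] = sum(word[1:]) & 1           # overall parity tells 1 flip from 2 flips
    return word

def decode(word: list[int]) -> tuple[int, str]:
    """Return (data_byte, status); status is 'ok', 'corrected' or 'uncorrectable'."""
    w = list(word)
    syndrome = 0                          # XOR of the failing check-bit positions
    for p in PARITY_POS:
        if sum(w[i] for i in range(1, WORD_LEN) if i & p) & 1:
            syndrome |= p
    overall_even = sum(w) & 1 == 0
    if syndrome == 0 and overall_even:
        status = "ok"
    elif syndrome != 0 and overall_even:
        status = "uncorrectable"          # two flips: detected, not correctable
    elif syndrome == 0:
        w[0] ^= 1                         # only the overall parity bit flipped
        status = "corrected"
    elif syndrome < WORD_LEN:
        w[syndrome] ^= 1                  # one flip: the syndrome is its position
        status = "corrected"
    else:
        status = "uncorrectable"          # syndrome points outside the word
    data = sum(w[pos] << i for i, pos in enumerate(DATA_POS))
    return data, status

def flipped(word: list[int], *positions: int) -> list[int]:
    """Return a copy of word with the given bit positions flipped (a simulated fault)."""
    w = list(word)
    for pos in positions:
        w[pos] ^= 1
    return w

if __name__ == "__main__":
    w = encode(0xA5)
    print(decode(flipped(w, 5)))          # single flip: data intact, 'corrected'
    print(decode(flipped(w, 5, 10)))      # double flip: 'uncorrectable'
    print(decode(flipped(w, 1, 2, 3)))    # triple flip: wrong byte, yet 'corrected'
```

The last case is the practical caveat: three flips at positions 1, 2 and 3 cancel out in every Hamming check, so the decoder repairs the wrong bit and reports success while returning 0xA4 instead of 0xA5.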
“DDR4 systems with ECC are likely to be more exploitable after reverse engineering the ECC functions,” said researchers Razavi and Jattke.
In addition to Razavi and Jattke from ETH Zurich, the team behind the research also includes Victor van der Veen from Qualcomm, Pietro Frigo from VU Amsterdam and Stijn Gunter. The title of their paper is: Blacksmith: Scalable Rowhammering in the Frequency Domain.
The researchers also cited their previous TRR study, mentioned earlier, and findings showing that running chips in double refresh mode is a “weak solution that doesn’t provide complete protection” against Rowhammer. The researchers also said that doubling the refresh rate increases performance overhead and power consumption.
The picture emerging from this latest research is that Rowhammer still isn’t much of a threat right now, but that the steady advances in attacks made over the years could someday change that.
“In conclusion, our work confirms that the DRAM vendors’ claims about Rowhammer protections are false and lure you into a false sense of security,” the researchers wrote. “All measures currently deployed are insufficient to fully protect against Rowhammer. Our new patterns show that attackers can exploit systems more easily than previously believed.”