A team of Google security researchers said they have discovered a new way to perform a Rowhammer attack against computer memory (RAM) cards, expanding the attack's original impact.

Rowhammer, first detailed in 2014, was a breakthrough attack that exploited the design of modern RAM cards, in which memory cells are laid out in a grid-like arrangement.

The basic principle behind Rowhammer was that malicious apps could perform rapid read/write operations on rows of memory cells. Flipping a cell's value between 0 and 1 within a very short time window creates a small electromagnetic field in the row of “hammered” memory cells.

These fields could cause errors in neighbouring memory rows, flipping bits and altering adjacent data.

In the first 2014 Rowhammer paper [PDF], researchers showed how to exploit row hammering to control these electromagnetic fields and manipulate data.

The first Rowhammer attack targeted DDR3 RAM cards, but academics continued to study the topic. In the years that followed, researchers found that Rowhammer attacks could also affect DDR4 RAM, and that they could be carried out via JavaScript code loaded on web pages or via network packets sent directly to a computer's network card.

In addition, researchers found that Rowhammer attacks can be used to steal data from RAM (as well as modify it), and that locally installed GPU or FPGA cards can be used to accelerate the attack.

Hardware vendors responded to these attacks by deploying a set of mitigations collectively known as Target Row Refresh (TRR). When enabled on a RAM card, TRR combines a range of hardware and software improvements to detect and mitigate the effects of Rowhammer attacks.

These mitigations are not perfect: last year, academics showed that a new variation of the original Rowhammer attack, named TRRespass, can bypass TRR even on the latest generation of RAM cards.

Meet Half-Double, a new Rowhammer attack variation

Now, in a research paper published today, a team of five Google security researchers has taken the Rowhammer attack to a new level.

In a new attack variation named Half-Double, the researchers said they were able to perform a Rowhammer attack that causes a bit flip two rows away from the “hammered” row, instead of one.

Image: Google

Unlike TRRespass, which exploits the blind spots of manufacturer-dependent defenses, Half-Double is a unique property of the underlying silicon substrate. This may indicate that the electrical coupling that causes Rowhammer is a characteristic of distance, which effectively becomes stronger as the cell shape shrinks and the distance increases. Distances greater than 2 are possible.

Google

In other words, the Google team is saying that as RAM cards have shrunk in recent years, the distance between memory rows has also decreased, allowing the electromagnetic fields caused by Rowhammer to reach more memory cells than in the original 2014 attack.

Seen in this light, the main threat posed by Half-Double attacks is that TRR protection was designed to protect the memory cells adjacent to the hammered row, not cells two rows away. Half-Double thus joins TRRespass as the second Rowhammer variation that can bypass TRR.
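The following toy simulation is an added example, not Google's code or the paper's method: it models the article's argument that a TRR which only refreshes the rows adjacent to a heavily activated row cannot protect a victim two rows away once coupling reaches that distance. All thresholds and coupling strengths are constructed, and the model ignores real DRAM details such as refresh timing and address mapping.

```python
FLIP_THRESHOLD = 1000   # constructed: accumulated disturbance at which a cell's bit flips
TRR_TRIGGER = 500       # constructed: activations of one row before TRR refreshes its neighbours


class DramBank:
    def __init__(self, rows, coupling, trr_radius=1):
        self.rows = rows
        self.coupling = coupling          # {distance: disturbance per activation}
        self.trr_radius = trr_radius      # rows on each side that TRR refreshes
        self.disturbance = [0.0] * rows   # charge leaked into each row's cells
        self.activations = [0] * rows     # per-row activation counter seen by TRR

    def refresh(self, row):
        # A refresh restores the cells' charge, clearing accumulated disturbance.
        if 0 <= row < self.rows:
            self.disturbance[row] = 0.0

    def activate(self, row, times=1):
        for _ in range(times):
            self.activations[row] += 1
            # Each activation disturbs rows on both sides, weaker with distance.
            for dist, strength in self.coupling.items():
                for victim in (row - dist, row + dist):
                    if 0 <= victim < self.rows:
                        self.disturbance[victim] += strength
            # TRR: once a row is hammered often enough, refresh its neighbours.
            if self.activations[row] >= TRR_TRIGGER:
                self.activations[row] = 0
                for d in range(1, self.trr_radius + 1):
                    self.refresh(row - d)
                    self.refresh(row + d)

    def flipped_rows(self):
        return [r for r, d in enumerate(self.disturbance) if d >= FLIP_THRESHOLD]


def classic_rowhammer(hammers=20000):
    # 2014-style coupling reaches only the adjacent rows, so TRR keeps up.
    bank = DramBank(rows=16, coupling={1: 1.0})
    bank.activate(8, hammers)
    return bank.flipped_rows()


def half_double(hammers=20000, trr_radius=1):
    # Shrunk geometry: a weaker but non-zero coupling now reaches distance 2,
    # which a neighbour-only TRR (radius 1) never refreshes.
    bank = DramBank(rows=16, coupling={1: 1.0, 2: 0.2}, trr_radius=trr_radius)
    bank.activate(8, hammers)
    return bank.flipped_rows()
```

With these constructed numbers `classic_rowhammer()` returns no flipped rows, `half_double()` returns rows 6 and 10 (two away from the hammered row 8), and `half_double(trr_radius=2)` returns none again, showing that the refresh radius, not the refresh itself, is what Half-Double defeats.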

While there are no known cases of Rowhammer attacks being used in the real world, Google's discovery is monumental, at least from an academic point of view.

This reaffirms that TRR is not enough to protect against Rowhammer exploits.

In a blog post published today, Google said it is currently working with several semiconductor industry players to search for “possible solutions to the Rowhammer phenomenon,” and encouraged other experts to join the effort.