



Google experts have discovered a new variant of the Rowhammer attack on RAM memory cards that bypasses all current defenses.

In 2015, security researchers at Google's Project Zero team took advantage of physical weaknesses in certain types of DDR DRAM (Double Data Rate Dynamic Random Access Memory) chips to hijack Intel-compatible PCs running Linux, and demonstrated how to do it.

By exploiting this technique, attackers can gain kernel privileges on the target system. Rowhammer is classified as a problem affecting some modern DRAM devices: repeatedly accessing one row of memory can cause bit flips in adjacent rows, which lets an attacker change the value of bits in memory that they are not supposed to be able to write.

To better understand the Rowhammer flaw, remember that DDR memory is arranged as an array of rows and columns. Blocks of memory are allocated to different services and applications, and a sandbox protection mechanism prevents one application from accessing the memory space reserved for another.

The bit-flipping effect caused by the Rowhammer issue can be exploited to circumvent these sandboxes.

Vendors devised a set of mitigations called Target Row Refresh (TRR), which counter the Rowhammer effect without adversely affecting performance or power consumption.

Last year, researchers introduced a new variant of the Rowhammer attack, called TRRespass, that bypasses the TRR mitigation of the latest generation of RAM modules.

The new Half-Double attack, demonstrated by Google researchers, triggers a bit flip at a distance of two rows from the hammered row, rather than the single-row distance exploited by previous variants of the attack.

“It was traditionally understood that Rowhammer works at a distance of one row. When you repeatedly access a DRAM row (aggressor), bit flips are only detected in the two adjacent rows (victims),” reads the published post. “However, with Half-Double, a row hammer effect was observed that propagated across adjacent columns, albeit at a reduced intensity. Given three consecutive rows A, B, and C, I was able to attack C by sending many accesses to A and only a handful (~dozens) to B.”

The experts pointed out that Half-Double is an intrinsic property of the underlying silicon substrate, meaning that the electrical coupling that causes Rowhammer is a property of distance.

Current-generation RAM chips use smaller cells, so the distance between memory rows is shorter, which makes it easier to trigger bit flips from rows farther away.

Half-Double attacks cannot be prevented by protections such as TRR, which only guards against interference between adjacent memory rows.
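The following toy model, added here as an illustration and not code from Google's research, shows why an adjacency-only mitigation like TRR misses the pattern quoted above (many accesses to A, a handful to B, victim C two rows away). The coupling coefficients, thresholds and the TRR behaviour are assumptions chosen for the model, not measured values.

```python
from collections import defaultdict

# All parameters are assumptions for illustration, not measurements from real DRAM.
NEAR = 1.0       # disturbance a victim at distance 1 receives per aggressor activation
FAR = 0.04       # much weaker disturbance received at distance 2 (the Half-Double effect)
FLIP_AT = 100.0  # accumulated disturbance at which a victim row is considered flipped
TRR_AT = 50      # activation count at which a TRR-style mitigation refreshes neighbours


class Dram:
    """Rows are integers; we track per-row activation counts and accumulated disturbance."""

    def __init__(self, trr=True):
        self.trr = trr
        self.activations = defaultdict(int)
        self.disturbance = defaultdict(float)

    def activate(self, row):
        self.activations[row] += 1
        for d in (-1, 1):          # classic distance-1 coupling
            self.disturbance[row + d] += NEAR
        for d in (-2, 2):          # weaker distance-2 coupling
            self.disturbance[row + d] += FAR
        # TRR only refreshes the immediate neighbours of a frequently activated row.
        if self.trr and self.activations[row] >= TRR_AT:
            self.activations[row] = 0
            for d in (-1, 1):
                self.disturbance[row + d] = 0.0

    def flipped(self, row):
        return self.disturbance[row] >= FLIP_AT


def classic_hammer(trr, n_aggressor=2000, a=10):
    """Hammer a single row A; the victim is the adjacent row B = A + 1."""
    dram = Dram(trr)
    for _ in range(n_aggressor):
        dram.activate(a)
    return dram.flipped(a + 1)


def half_double(trr, n_a=2000, n_b=30, a=10):
    """Many activations of A plus a handful of B; the victim is C = A + 2."""
    dram = Dram(trr)
    b, c = a + 1, a + 2
    for _ in range(n_a):
        dram.activate(a)
    for _ in range(n_b):
        dram.activate(b)
    return dram.flipped(c)
```

In the model, TRR resets B every time A crosses the activation threshold, so classic hammering never flips B, but C is never refreshed because it is two rows from A, and the few accesses to B push it past the flip threshold.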

“Unlike TRRespass, which exploits manufacturer-dependent defensive blind spots, Half-Double is a unique property of the underlying silicon substrate,” Google concludes. “This may indicate that the electrical coupling that causes the row hammer is a characteristic of distance, which effectively strengthens as the cell shape shrinks, increasing the distance. The distance is possible.”

In its blog post, Google said it is currently working with several players in the semiconductor industry to find possible solutions to the Rowhammer phenomenon, since the problem is challenging and has an industry-wide impact, and it encouraged other experts to join the effort.

Pierluigi Paganini

(SecurityAffairs hack, PLA unit 61419)

