Google Finds New Exploit That Alters Chip Memory
Latest Rowhammer Technique Targets Design Flaws in Modern DRAM Chips
Researchers at Google have identified a new Rowhammer technique, dubbed Half-Double, which exploits design flaws in modern DRAM chips to alter their memory content.
First discovered in 2014, Rowhammer is a DRAM vulnerability in which repeated access to one address can tamper with data stored in other addresses.
"Much like speculative execution vulnerabilities in CPUs, Rowhammer is a breach of security guarantees made by the underlying hardware. As an electrical coupling phenomenon within the silicon itself, Rowhammer allows the potential bypass of hardware and software memory protection policies. This can allow untrusted code to break out of its sandbox and take full control of the system," the researchers at Google note.
The 2014 paper, however, discusses DDR3, the mainstream DRAM generation at the time. In 2015, the Mountain View, California-based company’s Project Zero, which is tasked with finding zero-day vulnerabilities, released a working exploit that escalates privileges.
In response to the exploit, chip manufacturers implemented proprietary logic in their products that attempted to track frequently accessed addresses and reactively mitigate when necessary.
2014 saw the release of DDR4, which included built-in defense mechanisms, seemingly marking the end of Rowhammer.
In 2020, however, a paper on TRRespass showed how the defenses could be neutralized through reverse engineering and by distributing access, demonstrating that Rowhammer techniques were still viable.
The SMASH report adds that the Rowhammer bug continues to threaten web users, and its insights on synchronization show that the attacker has more control than previously reported, which will make it even harder to build the proper Rowhammer defense.
Old vs. New
The old variant of Rowhammer operated at a distance of one row. When an aggressor repeatedly accessed a DRAM row, bit flips were found only in the two adjacent rows - the “victims.”
In Half-Double, Google researchers observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength.
"Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (dozens) to B. Based on our experiments, accesses to B have a non-linear gating effect, in which they appear to 'transport' the Rowhammer effect of A onto C," the researchers state.
While TRRespass exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate. The latter likely indicates that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down, the researchers say.
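The coverage gap described above can be checked without any physics: the reactive, counter-based logic that the article says manufacturers added only refreshes rows adjacent to a heavily accessed aggressor, so a distance-2 victim is never touched, and the handful of accesses to B stay below any counter threshold. The following is an added toy model, not code from the Google report; the row numbers, thresholds and access counts are constructed, and the mitigation logic is a simplified assumption about how such a defense behaves.

```python
# Added example: a toy counter-based "victim refresh" mitigation (assumed
# behaviour, not any vendor's real logic) checked against the Half-Double
# access pattern. Rows are abstract integers; all counts are constructed.
from collections import Counter

def mitigation_refreshes(accesses, threshold, blast_radius):
    """Return the set of rows the mitigation would refresh.

    accesses     - row indices in the order they were activated
    threshold    - activation count at which a row is treated as an aggressor
    blast_radius - rows refreshed on each side of an aggressor
                   (1 = classic adjacent-row assumption, 2 = Half-Double aware)
    """
    counts = Counter()
    refreshed = set()
    for row in accesses:
        counts[row] += 1
        if counts[row] == threshold:          # reactive: fire when threshold hit
            for d in range(1, blast_radius + 1):
                refreshed.update({row - d, row + d})
            counts[row] = 0                   # counter reset after mitigation
    return refreshed

def half_double_pattern(a, heavy, light):
    """Pattern from the report: many activations of A, a handful of B = A+1;
    the row that flips is C = A+2. B's count stays far below any threshold,
    so B itself never triggers the mitigation that would refresh C."""
    return [a] * heavy + [a + 1] * light

def unprotected_rows(accesses, threshold, blast_radius, at_risk):
    """Rows in `at_risk` that the mitigation never refreshes."""
    covered = mitigation_refreshes(accesses, threshold, blast_radius)
    return sorted(set(at_risk) - covered)

if __name__ == "__main__":
    A = 100
    pattern = half_double_pattern(A, heavy=50_000, light=20)  # constructed
    # Distance-1 defense: refreshes A-1 and A+1 (covers B) but never C = A+2.
    print(unprotected_rows(pattern, 4000, 1, [A + 1, A + 2]))  # [102]
    # A defense refreshing two rows on each side covers C as well.
    print(unprotected_rows(pattern, 4000, 2, [A + 1, A + 2]))  # []
```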
The Google report says it significantly advances the understanding of the Rowhammer phenomenon, and it will help both researchers and industry partners work together to develop lasting solutions. It adds: “The challenge is substantial and the ramifications are industry-wide."