DDR4 remains vulnerable to RowHammer attacks despite additional protection

A team of researchers from the Free University of Amsterdam, the Swiss Higher Technical School of Zurich and Qualcomm conducted a study on the effectiveness of protection against The attacks RowHammer used in DDR4 memory chips, which allow the content of individual bits of dynamic random access memory (DRAM) to be changed.

The results were disappointing as DDR4 remain vulnerable (CVE-2020-10.255) to RowHammer, as this bug allows distorting the bit content individual memory cyclically reading data from neighboring memory cells.

Since DRAM is a two-dimensional array of cells, each of which consists of a capacitor and a transistor, continuous reading of the same memory area leads to voltage fluctuations and anomalies, causing a small loss of charge from neighboring cells. .

If the reading intensity is large enough, then the cell may lose a large enough amount of charge and the next regeneration cycle will not have time to restore its original state, which will lead to a change in the value of the data stored in the cell.

To block this effect, modern DDR4 chips use TRR technology (Target Row Refresh), which is designed to prevent cell distortion during a RowHammer attack.

The problem is that there is no unified approach to TRR implementation and each CPU and memory manufacturer interprets TRR in their own way, using their own protection options and without disclosing implementation details.

Studying the methods used by manufacturers to block RowHammer made it easy to find ways around protection.

During verification, it turned out that the "security by obscurity" principle used by manufacturers during TRR implementation only helps protect in special cases, covering typical attacks that manipulate the change in cell load in one or two adjacent rows.

The utility developed by the researchers allows us to test the susceptibility of the chips to the multilateral RowHammer attack options, in which an attempt is made to influence the loading of several rows of memory cells at the same time.

Such attacks can bypass TRR protection implemented by some manufacturers and lead to memory bit distortion even on newer computers with DDR4 memory.

Of the 42 DIMMs studied, 13 were vulnerable to non-standard RowHammer attack options, despite claimed protection. SK Hynix, Micron and Samsung launch problematic modules, whose products cover 95% of the DRAM market.

In addition to DDR4, LPDDR4 chips used in mobile devices were also studied, what they were also sensitive for advanced RowHammer attack options. In particular, the memory used in the Google Pixel, Google Pixel 3, LG G7, OnePlus 7 and Samsung Galaxy S10 smartphones was affected.

The researchers were able to reproduce various exploitation techniques on DDR4 chips troublesome.

The use of the RowHammer exploit for PTE (page table entries) required to obtain the privilege of an attack kernel within 2.3 seconds to three hours and fifteen seconds, depending on the chips being tested.

A damage attack on a RSA-2048 public key stored in memory took from 74.6 seconds to 39 minutes and 28 seconds. An attack to avoid authorization by modifying the memory of the sudo process took 54 minutes and 16 seconds.

To test DDR4 memory chips used by users, TRRespass utility released. A successful attack requires information about the layout of the physical addresses used in the memory controller in relation to banks and rows of memory cells.

To determine the layout, the drama utility was further developed, which requires starting with root privileges. In the near future, it is also planned to publish an application to test the memory of smartphones.

Intel and AMD companies recommend to protect the use of memory with error correction (ECC), memory controllers with support for MAC and apply a higher refresh rate.

Source: https://www.vusec.net


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.