Half-Double, a new type of RowHammer attack in DRAM

A few days ago, Google researchers disclosed a new RowHammer attack technique called "Half-Double", which alters the content of individual bits of dynamic random-access memory (DRAM). The attack can be reproduced on some modern DRAM chips whose manufacturers have managed to reduce the cell geometry.

For those who are not familiar with RowHammer, it is a class of attack that corrupts the content of individual bits of RAM by cyclically reading data from neighboring memory cells.

DRAM is a two-dimensional array of cells, each of which consists of a capacitor and a transistor, so continuous reads of the same memory area cause voltage fluctuations and anomalies that produce a small loss of charge in neighboring cells. If the read intensity is high enough, a neighboring cell may lose so much charge that the next refresh cycle does not have time to restore its original state, which changes the value of the stored data.


To protect against RowHammer, chipmakers have implemented the TRR mechanism (Target Row Refresh), which protects against distortion of cells in adjacent rows.

As DDR4 became widely adopted, it seemed that Rowhammer had faded, thanks in part to these built-in defense mechanisms. However, in 2020, the TRRespass paper showed how to reverse engineer and neutralize the defense by distributing accesses, demonstrating that Rowhammer techniques are still viable. Earlier this year, the SMASH research went one step further and demonstrated exploitation from JavaScript, without invoking cache management primitives or system calls.

Google researchers mention that, traditionally, RowHammer was understood to operate at a distance of one row: when a DRAM row is accessed repeatedly (the "aggressor"), bit flips are found only in the two adjacent rows (the "victims").

This has changed as new RowHammer attack variants have appeared. The underlying problem is that there is no unified approach to TRR implementation: each manufacturer interprets TRR in its own way, using its own protection options and without disclosing implementation details.

This is demonstrated by the Half-Double method, which avoids these protections by manipulating them so that the distortion is not limited to the adjacent rows and spreads to other memory rows, although to a lesser extent.

Google engineers have shown that:

For three consecutive memory rows "A", "B" and "C", it is possible to attack row "C" with very intense access to row "A" and little activity affecting row "B". Access to row "B" during the attack triggers a non-linear charge leak and allows row "B" to be used as a transport that carries the Rowhammer effect from row "A" to row "C".

Unlike the TRRespass attack, which exploits flaws in various implementations of the cell-distortion prevention mechanism, the Half-Double attack is based on the physical properties of the silicon substrate. Half-Double shows that the charge leakage effects that lead to RowHammer likely depend on distance rather than on direct cell adjacency.

As cell geometry shrinks in modern chips, the radius of influence of the distortion also increases, so it is possible that the effect can be observed at a distance of more than two rows. It is noted that, together with the JEDEC association, several proposals have been developed to analyze possible ways to block this type of attack.
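
The distance dependence described above can be illustrated with a toy model, added here as an example and not taken from Google's research or from any vendor's TRR: it replays a constructed activation trace through an assumed counter-based mitigation and compares a refresh radius of one row with a radius of two. The coupling units, threshold, row numbers and function names are all assumptions, and the model is linear, so it does not reproduce the non-linear effect of the accesses to row "B".

```python
from collections import defaultdict

# Assumed disturbance units added per activation, keyed by row distance.
# Constructed values, not measurements: distance 2 is the weaker effect.
COUPLING = {1: 50, 2: 1}


def peak_disturbance(trace, threshold, refresh_radius, coupling=COUPLING):
    """Replay one refresh window of row activations through a toy
    counter-based mitigation; return {row: peak accumulated disturbance}."""
    counts = defaultdict(int)
    disturbance = defaultdict(int)
    peak = defaultdict(int)
    for row in trace:
        counts[row] += 1
        disturbance[row] = 0  # activating a row restores its own charge
        for dist, units in coupling.items():
            for victim in (row - dist, row + dist):
                disturbance[victim] += units
                peak[victim] = max(peak[victim], disturbance[victim])
        if counts[row] >= threshold:
            # Mitigation fires: refresh every row within refresh_radius.
            counts[row] = 0
            for dist in range(1, refresh_radius + 1):
                for victim in (row - dist, row + dist):
                    disturbance[victim] = 0
    return dict(peak)


def constructed_trace(far_row, near_row, far_hits, near_hits):
    """Constructed sample input: heavy access to row A with a few
    accesses to row B spread evenly through the window."""
    step = far_hits // near_hits
    trace = []
    for i in range(far_hits):
        trace.append(far_row)
        if (i + 1) % step == 0:
            trace.append(near_row)
    return trace


if __name__ == "__main__":
    A, B, C = 100, 101, 102
    trace = constructed_trace(A, B, far_hits=200_000, near_hits=20)
    for radius in (1, 2):
        peak = peak_disturbance(trace, threshold=1_000, refresh_radius=radius)
        print(f"refresh radius {radius}: peak B={peak[B]}, peak C={peak[C]}")
```

With a refresh radius of 1 the peak for row C grows with the number of accesses to row A, while a radius of 2 keeps it close to the level reached in a single threshold interval.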

The method has been disclosed because Google believes the study significantly broadens the understanding of the Rowhammer phenomenon and emphasizes the importance of bringing together researchers, chipmakers, and other stakeholders to develop a comprehensive, long-term security solution.

Finally, if you are interested in knowing more about it, you can check the details in the following link.

