2021 11 15
Rowhammer exploits that allow unprivileged attackers to change or corrupt data stored in vulnerable memory chips are now possible on virtually all DDR4 modules due to a new approach that neuters defenses chip manufacturers added to make their wares more resistant to such attacks.
Rowhammer attacks work by accessing—or hammering—physical rows inside vulnerable chips millions of times per second in ways that cause bits in neighboring rows to flip, meaning 1s turn to 0s and vice versa. Researchers have shown the attacks can be used to give untrusted applications nearly unfettered system privileges, bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources, and root or infect Android devices, among other things.
All previous Rowhammer attacks have hammered rows with uniform patterns, such as single-sided, double-sided, or n-sided. In all three cases, these “aggressor” rows—meaning those that cause bitflips in nearby “victim” rows—are accessed the same number of times.
Bypassing all in-DRAM mitigations
Research published on Monday presented a new Rowhammer technique. It uses non-uniform patterns that access two or more aggressor rows with different frequencies. The result: all 40 of the randomly selected DIMMs in a test pool experienced bitflips, up from 13 out of 42 chips tested in previous work from the same researchers.
“We found that by creating special memory access patterns we can bypass all mitigations that are deployed inside DRAM,” Kaveh Razavi and Patrick Jattke, two of the research authors, wrote in an email. “This increases the number of devices that can potentially be hacked with known attacks to 80 percent, according to our analysis. These issues cannot be patched due to their hardware nature and will remain with us for many years to come.”
The non-uniform patterns work against Target Row Refresh. Abbreviated as TRR, the mitigation works differently from vendor to vendor but generally tracks the number of times a row is accessed and recharges neighboring victim rows when there are signs of abuse. The neutering of this defense puts further pressure on chipmakers to mitigate a class of attacks that many people thought more recent types of memory chips were resistant to.
In Monday’s paper, the researchers wrote:
Proprietary, undocumented in-DRAM TRR is currently the only mitigation that stands between Rowhammer and attackers exploiting it in various scenarios such as browsers, mobile phones, the cloud, and even over the network. In this paper, we show how deviations from known uniform Rowhammer access patterns allow attackers to flip bits on all 40 recently-acquired DDR4 DIMMs, 2.6× more than the state of the art. The effectiveness of these new non-uniform patterns in bypassing TRR highlights the need for a more principled approach to address Rowhammer.
The effects of previous Rowhammer demonstrations have been serious. In one case, researchers were able to gain unrestricted access to all physical memory by flipping bits in the page table entry, which maps the memory address locations. The same research also demonstrated how untrusted applications could gain root privileges. In another case, researchers used Rowhammer to pluck a 2048-bit encryption key out of memory.
Razavi and Jattke said that one of their students was able to use the new approach to reproduce the crypto key attack, and simulations suggest that the other attacks are also possible. The researchers haven’t fully implemented the previous attacks because of the significant amounts of engineering required.
The researchers implemented the non-uniform access patterns using a custom-built “fuzzer,” which is software that detects bugs by automatically injecting malformed data in a semi-random fashion into a piece of hardware or software. The researchers then pointed Blacksmith, the name they gave to the fuzzer, at a wide variety of DDR4 modules that comprise about 94 percent of the DRAM market.
For our evaluation, we considered a test pool of 40 DDR4 devices covering the three major manufacturers (Samsung, Micron, SK Hynix), including 4 devices that did not report their manufacturer. We let our Blacksmith fuzzer run for 12 hours to assess its capability to find effective patterns. Thereafter, we swept the best pattern (based on the number of total bit flips triggered) over a contiguous memory area of 256 MB and report the number of bit flips. The results in Table 1 show that our Blacksmith fuzzer is able to trigger bit flips on all 40 DRAM devices with a large number of bit flips, especially on devices of [two unnamed manufacturers].
We also evaluated the exploitability of these bit flips based on three attacks from previous work: an attack targeting the page frame number of a page table entry (PTE) to pivot it to an attacker-controlled page table page, an attack on the RSA-2048 public key that allows recovering the associated private key used to authenticate to an SSH host, and an attack on the password verification logic of the sudoers.so library that enables gaining root privileges.
Representatives of Micron, Samsung, and Hynix didn’t respond to emails seeking comment for this post.
Gradually gaining speed
PCs, laptops, and mobile phones are most affected by the new findings. Cloud services such as AWS and Azure remain largely safe from Rowhammer because they use higher-end chips that include a defense known as ECC, short for Error Correcting Code. The protection works by using what are known as memory words to store redundant control bits next to the data bits inside the DIMMs. CPUs use these words to quickly detect and repair flipped bits.
ECC was originally designed to protect against a naturally occurring phenomenon in which cosmic rays flip bits in newer DIMMs. After Rowhammer appeared, ECC’s importance grew when it was demonstrated to be the most effective defense. But research published in 2018 showed that, contrary to what many experts believed, ECC can also be bypassed after reverse-engineering the mitigation in DDR3 DIMMs.
“DDR4 systems with ECC will likely be more exploitable, after reverse-engineering the ECC functions,” researchers Razavi and Jattke said.
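One common form of the ECC described above is a single-error-correcting, double-error-detecting (SECDED) code; the sketch below is an added example, not code from the article or the Blacksmith paper, showing how check bits stored beside the data let a decoder repair one flipped bit and flag two. The 13-bit layout and the names ecc_encode and ecc_decode are assumptions chosen for illustration; real memory controllers use wider, vendor-specific codes.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy SECDED code (assumed for illustration): 8 data bits in positions
   3,5,6,7,9,10,11,12; Hamming check bits in positions 1,2,4,8; overall
   parity in position 0. Real controllers use wider, vendor-specific codes. */
enum ecc_status { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE };
static int is_check(unsigned p) { return (p & (p - 1)) == 0; }

/* XOR of the positions (1..12) of all set bits; zero for a valid word. */
static unsigned syndrome(uint16_t w) {
    unsigned s = 0;
    for (unsigned p = 1; p <= 12; p++)
        if (w >> p & 1) s ^= p;
    return s;
}

static unsigned parity13(uint16_t w) {
    unsigned x = 0;
    for (unsigned p = 0; p <= 12; p++) x ^= w >> p & 1;
    return x;
}

uint16_t ecc_encode(uint8_t data) {
    uint16_t w = 0;
    for (unsigned p = 3, bit = 0; p <= 12; p++)      /* place the data bits */
        if (!is_check(p)) w |= (uint16_t)((data >> bit++ & 1) << p);
    unsigned s = syndrome(w);
    for (unsigned p = 1; p <= 8; p <<= 1)            /* cancel the syndrome */
        if (s & p) w |= (uint16_t)(1u << p);
    return (uint16_t)(w | parity13(w));              /* make parity even */
}

enum ecc_status ecc_decode(uint16_t w, uint8_t *data) {
    unsigned s = syndrome(w), odd = parity13(w);
    if ((!odd && s) || (odd && s > 12)) return ECC_UNCORRECTABLE;
    if (odd) w ^= (uint16_t)(1u << s);   /* s == 0: the parity bit itself */
    *data = 0;
    for (unsigned p = 3, bit = 0; p <= 12; p++)
        if (!is_check(p)) *data |= (uint8_t)((w >> p & 1) << bit++);
    return odd ? ECC_CORRECTED : ECC_OK;
}

int main(void) {
    uint8_t out = 0;
    uint16_t w = ecc_encode(0xA5);                   /* constructed sample */
    printf("1 flip:  status %d\n", ecc_decode(w ^ (1u << 6), &out));
    printf("2 flips: status %d\n", ecc_decode(w ^ (1u << 6) ^ (1u << 9), &out));
    return 0;
}
```

The guarantee covers at most two flips per protected word; with three or more, a decoder of this kind can report a correction while returning wrong data, which is why corrected-error counts are worth monitoring rather than ignoring.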
Besides Razavi and Jattke of ETH Zurich, the team behind the research also includes Victor van der Veen of Qualcomm, Pietro Frigo of VU Amsterdam, and Stijn Gunter. The title of their paper is BLACKSMITH: Scalable Rowhammering in the Frequency Domain.
The researchers also cited their past TRR research, mentioned earlier, and findings showing that running chips in double refresh mode is a “weak solution not providing complete protection” against Rowhammer. The researchers also said that a double refresh rate increases performance overhead and power consumption.
The picture that emerges from this latest research is that Rowhammer still doesn’t pose much of a real-world threat now but that the incremental advances in attacks made over the years could one day change that.
“Concluding, our work confirms that the DRAM vendors’ claims about Rowhammer protections are false and lure you into a false sense of security,” the researchers wrote. “All currently deployed mitigations are insufficient to fully protect against Rowhammer. Our novel patterns show that attackers can more easily exploit systems than previously assumed.”