DDR4 memory protections are broken wide open by new Rowhammer technique

Rowhammer exploits that allow unprivileged attackers to change or corrupt data stored in vulnerable memory chips are now possible on virtually all DDR4 modules due to a new approach that neuters defenses chip manufacturers added to make their wares more resistant to such attacks.

Rowhammer attacks work by accessing—or hammering—physical rows inside vulnerable chips millions of times per second in ways that cause bits in neighboring rows to flip, meaning 1s turn to 0s and vice versa. Researchers have shown the attacks can be used to give untrusted applications nearly unfettered system privileges, bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources, and root or infect Android devices, among other things.

All previous Rowhammer attacks have hammered rows with uniform patterns, such as single-sided, double-sided, or n-sided. In all three cases, these “aggressor” rows—meaning those that cause bitflips in nearby “victim” rows—are accessed the same number of times.

Rowhammer access patterns from previous work, showing spatial arrangement of aggressor rows (in black) and victim rows (in orange and cream) in DRAM memory.
Rowhammer access patterns from previous work, showing spatial arrangement of aggressor rows (in black) and victim rows (in orange and cream) in DRAM memory.
Jattke et al.
Relative activation frequency, i.e., number of ACTIVATEs per aggressor row in a Rowhammer pattern. Notice how they hammer aggressors uniformly.
Relative activation frequency, i.e., number of ACTIVATEs per aggressor row in a Rowhammer pattern. Notice how they hammer aggressors uniformly.
Jattke et al.

Bypassing all in-DRAM mitigations

Research published on Monday presented a new Rowhammer technique. It uses non-uniform patterns that access two or more aggressor rows with different frequencies. The result: all 40 of the randomly selected DIMMs in a test pool experienced bitflips, up from 13 out of 42 chips tested in previous work from the same researchers.

[…]

The effects of previous Rowhammer demonstrations have been serious. In one case, researchers were able to gain unrestricted access to all physical memory by flipping bits in the page table entry, which maps the memory address locations. The same research also demonstrated how untrusted applications could gain root privileges. In another case, researchers used Rowhammer to pluck a 2048-bit encryption key out of memory.

[…]

Source: DDR4 memory protections are broken wide open by new Rowhammer technique | Ars Technica

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft