Row hammer
Row hammer (also written as rowhammer) is a computer security exploit that takes advantage of an unintended and undesirable side effect in
The row hammer effect has been used in some privilege escalation computer security exploits,[2][4][5][6] and network-based attacks are also theoretically possible.[7][8]
Different hardware-based techniques exist to prevent the row hammer effect from occurring, including required support in some processors and types of DRAM memory modules.[9][10]
Background
In
Memory cells (blue squares in both illustrations) are further organized into
As a result of storing data bits using capacitors that have a natural discharge rate, DRAM memory cells lose their state over time and require periodic
Overview
Increased densities of
The opportunity for the row hammer effect to occur in DDR3 memory
A variant called double-sided hammering involves targeted activations of two DRAM rows surrounding a victim row: in the illustration provided in this section, this variant would be activating both yellow rows with the aim of inducing bit flips in the purple row, which in this case would be the victim row. Tests show that this approach may result in a significantly higher rate of disturbance errors, compared to the variant that activates only one of the victim row's neighboring DRAM rows.[4][18]: 19–20 [19]
As DRAM vendors have deployed mitigations, patterns had to become more sophisticated to bypass row hammer mitigations. More recent row hammer patterns include non-uniform, frequency-based patterns.[20] These patterns consist of many double-sided aggressors pairs where each of them is hammered with a different frequency, phase, and amplitude. Using this and synchronizing patterns with the REFRESH command, it is possible to very effectively determine "blind spots" where the mitigation is not able to provide protection anymore. Based on this idea, academics built a row hammer fuzzer named Blacksmith[21] that can bypass existing mitigations on all DDR4 devices.
Mitigation
Different methods exist for more or less successful detection, prevention, correction or mitigation of the row hammer effect. Tests show that simple
A less effective solution is to introduce more frequent memory refreshing, with the
Since the release of
The
Due to their necessity of huge numbers of rapidly performed DRAM row activations, row hammer exploits issue large numbers of uncached memory accesses that cause
Version 5.0 of the
Implications
Memory protection, as a way of preventing processes from accessing memory that has not been assigned to each of them, is one of the concepts behind most modern operating systems. By using memory protection in combination with other security-related mechanisms such as protection rings, it is possible to achieve privilege separation between processes, in which programs and computer systems in general are divided into parts limited to the specific privileges they require to perform a particular task. Using privilege separation can also reduce the extent of potential damage caused by computer security attacks by restricting their effects to specific parts of the system.[35][36]
Disturbance errors (explained in the
Exploits
hammer:
mov (X), %eax // read from address X
mov (Y), %ebx // read from address Y
clflush (X) // flush cache for address X
clflush (Y) // flush cache for address Y
mfence
jmp hammer
|
A snippet of x86 assembly code that induces the row hammer effect (memory addresses X and Y must map to different DRAM rows in the same memory bank)[1]: 3 [4][18]: 13–15
|
The initial research into the row hammer effect, published in June 2014, described the nature of disturbance errors and indicated the potential for constructing an attack, but did not provide any examples of a working security exploit.[1] A subsequent October 2014 research paper did not imply the existence of any security-related issues arising from the row hammer effect.[16]
On March 9, 2015,
The second exploit revealed by Project Zero runs as an unprivileged
clflush
a privileged machine instruction, this exploit can hardly be mitigated on computers that do not use hardware with built-in row hammer prevention mechanisms. While testing the viability of exploits, Project Zero found that about half of the 29 tested laptops experienced disturbance errors, with some of them occurring on vulnerable laptops in less than five minutes of running row-hammer-inducing code; the tested laptops were manufactured between 2010 and 2014 and used non-ECC DDR3 memory.[2][4][37]In July 2015, a group of security researchers published a paper that describes an
In October 2016, researchers published DRAMMER, an Android application that uses row hammer, together with other methods, to reliably gain root access on several popular smartphones.
In May 2021, a Google research team announced a new exploit, Half-Double that takes advantage of the worsening physics of some of the newer DRAM chips.[49]
In March 2024, a group of researchers at
See also
- Memory scrambling– memory controller feature that turns user data written to the memory into pseudo-random patterns
- Radiation hardening – the act of making electronic components resistant to damage or malfunctions caused by ionizing radiation
- Single event upset– a change of state caused by ions or electromagnetic radiation striking a sensitive node in an electronic device
- Soft error – a type of error involving erroneous changes to signals or data but no changes to the underlying device or circuit
Notes
- memory refresh interval becomes roughly seven times shorter than the default of 64 ms.[15]: 17, 26
References
- ^ IEEE. Retrieved March 10, 2015.
- ^ a b c d e f Goodin, Dan (March 10, 2015). "Cutting-edge hack gives super user status by exploiting DRAM weakness". Ars Technica. Retrieved March 10, 2015.
- ^ a b Ducklin, Paul (March 12, 2015). "'Row hammering' – how to exploit a computer by overworking its memory". Sophos. Retrieved March 14, 2015.
- ^ a b c d e f g Seaborn, Mark; Dullien, Thomas (March 9, 2015). "Exploiting the DRAM rowhammer bug to gain kernel privileges". googleprojectzero.blogspot.com. Retrieved March 10, 2015.
- ^ "Using Rowhammer bitflips to root Android phones is now a thing". Ars Technica. Retrieved October 25, 2016.
- ^ Swati Khandelwal (May 3, 2018). "GLitch: New 'Rowhammer' Attack Can Remotely Hijack Android Phones". The Hacker News. Retrieved May 21, 2018.
- ^ Mohit Kumar (May 10, 2018). "New Rowhammer Attack Can Hijack Computers Remotely Over the Network". The Hacker News. Retrieved May 21, 2018.
- ^ Swati Khandelwal (May 16, 2018). "Nethammer—Exploiting DRAM Rowhammer Bug Through Network Requests". The Hacker News. Retrieved May 21, 2018.
- ^ a b Marcin Kaczmarski (August 2014). "Thoughts on Intel Xeon E5-2600 v2 Product Family Performance Optimisation – Component selection guidelines" (PDF). Intel. p. 13. Retrieved March 11, 2015.
- ^ a b Greenberg, Marc (October 15, 2014). "Reliability, Availability, and Serviceability (RAS) for DDR DRAM interfaces" (PDF). memcon.com. pp. 2, 7, 10, 20, 27. Archived from the original (PDF) on July 5, 2016. Retrieved March 11, 2015.
- ^ a b c "Lecture 12: DRAM Basics" (PDF). utah.edu. February 17, 2011. pp. 2–7. Retrieved March 10, 2015.
- ^ a b "Understanding DRAM Operation" (PDF). IBM. December 1996. Archived from the original (PDF) on August 29, 2017. Retrieved March 10, 2015.
- ^ David August (November 23, 2004). "Lecture 20: Memory Technology" (PDF). cs.princeton.edu. pp. 3–5. Archived from the original (PDF) on May 19, 2005. Retrieved March 10, 2015.
- ^ Bianca Schroeder; Eduardo Pinheiro; Wolf-Dietrich Weber (June 25, 2009). "DRAM Errors in the Wild: A Large-Scale Field Study" (PDF). cs.toronto.edu. ACM. Retrieved March 10, 2015.
- ^ a b c d e Yoongu Kim; Ross Daly; Jeremie Kim; Chris Fallin; Ji Hye Lee; Donghyuk Lee; Chris Wilkerson; Konrad Lai; Onur Mutlu (June 24, 2014). "Flipping Bits in Memory Without Accessing Them: DRAM Disturbance Errors" (PDF). ece.cmu.edu. Retrieved March 10, 2015.
- ^ S2CID 14464953.
- ^ Yoongu Kim; Ross Daly; Jeremie Kim; Chris Fallin; Ji Hye Lee; Donghyuk Lee; Chris Wilkerson; Konrad Lai; Onur Mutlu (July 30, 2015). "RowHammer: Reliability Analysis and Security Implications" (PDF). ece.cmu.edu. Retrieved August 7, 2015.
- ^ a b c d e f g Mark Seaborn; Thomas Dullien (August 6, 2015). "Exploiting the DRAM rowhammer bug to gain kernel privileges: How to cause and exploit single bit errors" (PDF). Black Hat. Retrieved August 7, 2015.
- ^ Andy Greenberg (March 10, 2015). "Googlers' Epic Hack Exploits How Memory Leaks Electricity". Wired. Retrieved March 17, 2015.
- ^ IEEE. Retrieved November 9, 2022.
- ^ Blacksmith Rowhammer Fuzzer, November 2, 2022, retrieved November 9, 2022
- ISBN 978-1-5386-6660-9. Retrieved May 30, 2022.
- ^ VUsec, Systems and Network Security Group (November 11, 2018). "ECCploit: ECC Memory Vulnerable to Rowhammer Attacks After All". Vrije Universiteit Amsterdam. Retrieved May 30, 2022.
- ^ "Row Hammer Privilege Escalation (Lenovo Security Advisory LEN-2015-009)". Lenovo. August 5, 2015. Retrieved August 6, 2015.
- IEEE. Archived from the original(PDF) on March 11, 2015. Retrieved March 11, 2015.
- ^ a b "JEDEC standard JESD209-4A: Low Power Double Data Rate (LPDDR4)" (PDF). JEDEC. November 2015. pp. 222–223. Retrieved January 10, 2016.
- ^ Kishore Kasamsetty (October 22, 2014). "DRAM scaling challenges and solutions in LPDDR4 context" (PDF). memcon.com. p. 11. Archived from the original (PDF) on June 3, 2016. Retrieved January 10, 2016.
- ^ Omar Santos (March 9, 2015). "Mitigations Available for the DRAM Row Hammer Vulnerability". cisco.com. Retrieved March 11, 2015.
- ^ Marc Greenber (March 9, 2015). "Row Hammering: What it is, and how hackers could use it to gain access to your system". synopsys.com. Retrieved January 10, 2016.
- ^ Jung-Bae Lee (November 7, 2014). "Green Memory Solution (Samsung Investors Forum 2014)" (PDF). teletogether.com. Samsung Electronics. p. 15. Retrieved January 10, 2016.
- ^ "JEDEC standard JESD79-4A: DDR4 SDRAM" (PDF). JEDEC. November 2013. Retrieved January 10, 2016.
- ^ "Data Sheet: 4 Gb ×4, ×8 and ×16 DDR4 SDRAM Features" (PDF). Micron Technology. November 20, 2015. pp. 48, 131. Archived from the original (PDF) on February 10, 2018. Retrieved January 10, 2016.
- ^ Nishad Herath; Anders Fogh (August 6, 2015). "These are Not Your Grand Daddy's CPU Performance Counters: CPU Hardware Performance Counters for Security" (PDF). Black Hat. pp. 29, 38–68. Retrieved January 9, 2016.
- ^ "PassMark MemTest86 – Version History". memtest86.com. February 13, 2015. Retrieved March 11, 2015.
- ^ Pehr Söderman (2011). "Memory Protection" (PDF). csc.kth.se. Retrieved March 11, 2015.
- ^ Niels Provos; Markus Friedl; Peter Honeyman (August 10, 2003). "Preventing Privilege Escalation" (PDF). niels.xtdnet.nl. Retrieved March 11, 2015.
- ^ ZDNet. Retrieved March 11, 2015.
- ^ Murat Balaban (June 6, 2009). "Buffer Overflows Demystified" (TXT). enderunix.org. Retrieved March 11, 2015.
- ^ "CLFLUSH: Flush Cache Line (x86 Instruction Set Reference)". renejeschke.de. March 3, 2013. Archived from the original on December 3, 2017. Retrieved August 6, 2015.
- ^ Daniel Gruss; Clémentine Maurice (July 27, 2015). "IAIK/rowhammerjs: rowhammerjs/rowhammer.js at master". github.com. Retrieved July 29, 2015.
- arXiv:1507.06955 [cs.CR].
- ^ David Auerbach (July 28, 2015). "Rowhammer security exploit: Why a new security attack is truly terrifying". slate.com. Retrieved July 29, 2015.
- ^ Alix Jean-Pharuns (July 30, 2015). "Rowhammer.js Is the Most Ingenious Hack I've Ever Seen". Motherboard.
- ^ Dan Goodin (August 4, 2015). "DRAM 'Bitflipping' exploit for attacking PCs: Just add JavaScript". Ars Technica.
- ^ VUSec (October 2016). "DRAMMER: FLIP FENG SHUI GOES MOBILE". Retrieved January 21, 2017.
- ^ NIST National Vulnerability Database (NVD). "CVE-2016-6728 Detail".
- ISBN 9783319934105
- ^ "RAMPAGE AND GUARDION - Vulnerabilities in modern phones enable unauthorized access". Retrieved June 30, 2018.
- ^ "Introducing Half-Double: New hammering technique for DRAM Rowhammer bug". Google. May 25, 2021. Retrieved December 2, 2021.
- ^ Toulas, Bill. "New ZenHammer memory attack impacts AMD Zen CPUs". BleepingComputer. Retrieved March 26, 2024.
- ^ "ZenHammer: Rowhammer Attacks on AMD Zen-based Platforms". Computer Security Group. Retrieved March 26, 2024.
External links
- Some notes on DRAM (#rowhammer), March 9, 2015, by Robert Graham
- Rowhammer hardware bug threatens to smash notebook security,
InfoWorld
, March 9, 2015, by Serdar Yegulalp - DDR3 Memory Known Failure Mechanism called "Row Hammer" on YouTube, July 17, 2014, by Barbara Aichinger
- Patent US 20140059287 A1: Row hammer refresh command, February 27, 2014, by Kuljit Bains et al.
- Row Hammer Privilege Escalation Vulnerability, Cisco Systemssecurity advisory, March 11, 2015
- ARMOR: A run-time memory hot-row detector, The University of Manchester, by Mohsen Ghasempour et al.
- Using Memory Errors to Attack a Virtual Machine, March 6, 2003, by Sudhakar Govindavajhala and Andrew W. Appel
- A program for testing for the DRAM "rowhammer" problem, source code on GitHub