Monday, February 24, 2025

New ZenHammer Attack Bypasses RowHammer Defenses on AMD CPUs

Cybersecurity researchers from ETH Zurich have developed a new variant of the RowHammer DRAM (dynamic random-access memory) attack that, for the first time, successfully works against AMD Zen 2 and Zen 3 systems despite mitigations such as Target Row Refresh (TRR).

“This result proves that AMD systems are equally vulnerable to Rowhammer as Intel systems, which greatly increases the attack surface, considering today’s AMD market share of around 36% on x86 desktop CPUs,” the researchers said.

The technique has been codenamed ZenHammer, and it can also trigger RowHammer bit flips on DDR5 devices for the first time.

RowHammer, first publicly disclosed in 2014, is a well-known attack that exploits DRAM’s memory cell architecture to alter data by repeatedly accessing a specific row (aka hammering) to cause the electrical charge of a cell to leak to adjacent cells.

This can induce random bit flips in neighboring memory rows (from 0 to 1, or vice versa), which can alter the memory contents and potentially facilitate privilege escalation, compromising confidentiality, integrity, and availability of a system.

The attacks take advantage of the physical proximity of these cells within the memory array, a problem that is likely to worsen as DRAM technology scaling continues and storage density increases.

“As DRAM continues to scale, RowHammer bit flips can occur at smaller activation counts and thus a benign workload’s DRAM row activation rates can approach or even exceed the RowHammer threshold,” ETH Zurich researchers noted in a paper published in November 2022.

“Thus, a system may experience bit flips or frequently trigger RowHammer defense mechanisms even without a malicious party performing a RowHammer attack in the system, leading to data corruption or significant performance degradation.”

One of the crucial mitigations implemented by DRAM manufacturers against RowHammer is TRR, which is an umbrella term used for mechanisms that refresh target rows that are determined to be accessed frequently.

In doing so, the idea is to generate more memory refresh operations so that victim rows will either be refreshed before bits are flipped or be corrected after bits are flipped due to RowHammer attacks.
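The relationship between row activation counts, the flip threshold, and TRR-style neighbor refreshes can be made concrete with a toy model. This is an added simulation, not code from the researchers or the original article; the per-row counter design, thresholds, window size, and row numbers are constructed assumptions, and real TRR mechanisms differ by vendor.

```python
from collections import Counter

def simulate(accesses, hc_threshold, trr_threshold=None, window=10_000):
    """Replay row activations against a toy single-bank DRAM model.

    accesses      -- row numbers, one entry per row activation
    hc_threshold  -- neighbor activations a row tolerates before a bit flips
    trr_threshold -- per-row activation count that triggers a neighbor
                     refresh; None disables the TRR-style logic
    window        -- activations per regular refresh window (stand-in for tREFW)
    Returns (rows that flipped, number of extra TRR refresh events).
    """
    disturbance = Counter()   # disturbance accumulated per potential victim row
    activations = Counter()   # counters kept by the modeled TRR logic
    flipped, trr_events = set(), 0
    for i, row in enumerate(accesses, 1):
        for victim in (row - 1, row + 1):
            disturbance[victim] += 1
            if disturbance[victim] >= hc_threshold:
                flipped.add(victim)
        if trr_threshold is not None:
            activations[row] += 1
            if activations[row] >= trr_threshold:
                # Row judged "frequently accessed": refresh both neighbors.
                disturbance[row - 1] = disturbance[row + 1] = 0
                activations[row] = 0
                trr_events += 1
        if i % window == 0:
            # Regular refresh restores every row and restarts the counters.
            disturbance.clear()
            activations.clear()
    return flipped, trr_events

# Constructed workloads: one heavily activated row, and a benign workload
# that spreads 6,000 activations evenly over four rows.
HOT_ROW = [10] * 8000
BENIGN = [100, 200, 300, 400] * 1500

if __name__ == "__main__":
    print("hot row, no TRR:         ", simulate(HOT_ROW, 5000))
    print("hot row, TRR at 2000:    ", simulate(HOT_ROW, 5000, trr_threshold=2000))
    print("benign, HC 5000, TRR:    ", simulate(BENIGN, 5000, trr_threshold=2000))
    print("benign, HC 1000, no TRR: ", simulate(BENIGN, 1000))
    print("benign, HC 1000, TRR 400:", simulate(BENIGN, 1000, trr_threshold=400))
```

With the lower constructed threshold of 1,000, the benign workload flips bits when the refresh logic is off and forces 12 extra refresh events when it is on, which is the data-corruption-or-performance trade-off the researchers describe.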

ZenHammer, like TRRespass and SMASH, bypasses TRR guardrails by reverse engineering the secret DRAM address functions in AMD systems and adopting improved refresh synchronization and scheduling of flushing and fencing instructions to trigger bit flips on seven out of 10 sample Zen 2 devices and six out of 10 Zen 3 devices.

The study also arrived at an optimal hammering instruction sequence to improve row activation rates in order to facilitate more effective hammering.

“Our results showed that regular loads (MOV) with CLFLUSHOPT for flushing aggressors from the cache, issued immediately after accessing an aggressor (‘scatter’ style), is optimal,” the researchers said.

ZenHammer has the distinction of being the very first method that can trigger bit flips on systems equipped with DDR5 chips on AMD’s Zen 4 microarchitectural platform. That said, it only works on one of the 10 tested devices (Ryzen 7 7700X).

It is worth noting that DDR5 DRAM modules were previously considered immune to RowHammer attacks owing to them replacing TRR with a new kind of protection called refresh management.

“The changes in DDR5 such as improved RowHammer mitigations, on-die error correction code (ECC), and a higher refresh rate (32 ms) make it harder to trigger bit flip,” the researchers said.

“Given the lack of bit flips on nine of 10 DDR5 devices, more work is needed to better understand the potentially new RowHammer mitigations and their security guarantees.”

AMD, in a security bulletin, said it is assessing RowHammer bit flips on DDR5 devices, and that it will provide an update following its completion.

“AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications,” it added. “Susceptibility to RowHammer attacks varies based on the DRAM device, vendor, technology, and system settings.”
