Rowhammer reach extended for new attack method


Google researchers have uncovered a new variation on the Rowhammer hardware attack that allows an adversary to flip transistor states from further distances than previously thought possible.

The new take on Rowhammer, dubbed “Half-Double,” shows how the attacker can turn a targeted transistor to an on or off state by repeatedly flipping transistors one and two rows over. In the security world, this poses a significant risk because it allows a “no” to become a “yes” at the lowest hardware level. An attacker could, in theory, tamper with write permissions or account access of a system, as long as the attacker had extensive knowledge of their target’s architecture and enough local access to send repeated commands to memory.

While Rowhammer has been public knowledge since 2014, previous studies have only shown the phenomena to be possible from adjacent rows. The current security measures against attacks are based on that assumption, so the Google team’s findings could throw a wrench into current-generation protections.

The culprit in this case is not a novel attack technique or a research breakthrough by hackers, but the progress chipmakers have made in recent years to shrink down their manufacturing processes.

As chip designs have become smaller and more compact in order to get additional transistors into a single dye, the distance between the transistors has grown even smaller. Rows of transistors that were normally distanced far enough apart as to not interfere with one another can now influence the state of their neighbors.

“Using Half-Double, we were able to induce errors on commercial systems using recent generations of DRAM chips, but not with older ones,” the Google researchers explained. “This is likely an indication that coupling is becoming stronger and longer-ranged as cell geometries shrink down.”

The Google researchers discovered that with the transistors packed in so tightly together on current DDR4 memory chips, the bulk of the resets needed for a Rowhammer coupling can now be conducted from two rows over rather than just one. In its research, the Google team used three different DDR4 designs from an unnamed vendor and its own in-house FPGA hardware.

By conducting thousands of switches from two rows over, then following that up with dozens on the next row to the target, they were able to switch the state of the targeted bit.

“It is based on our discovery of weak coupling between two rows that are not immediately adjacent to each other by one row removed,” the Google team wrote. “While such weak coupling by itself is not viable for an attack, we further discovered that its effect can be amplified with just a handful of accesses (dozens) to the immediate neighbor.”

The coupling effect from two rows over is important because current security designs isolate bits when they detect extremely high volumes of state changes in adjacent rows of transistors.

Because only several dozen flips were conducted in the adjacent row, the procedure does not trigger the security measures that would spot a Rowhammer attack and protect the targeted rows.

Perhaps worse, the technique will likely not only continue to work with new and upcoming chip designs, but could actually become even more effective in future memory chip designs because the coupling will likely be possible from even more lines away.

In short, the protections currently in place for Rowhammer are no longer effective, and given the rate of progress in chip fabrication methods, the threat is likely only going to increase in the coming years. As a result, Google says, companies designing DRAM chips for SoCs and system memory will need to rethink how they go about spotting and stopping possible Rowhammer attacks.

“A DRAM vendor should test a mix of hammering distances rather than only testing at individual distances,” the Google team wrote.

“In other words, hammering a single row or pair of sandwiching rows on the raw medium will not show this effect. Instead, pairs of rows on one or both sides of an intended victim need to be hammered.”

Articles You May Like

Data of 106 Million Visitors to Thailand Breached
User’s Guide to TechCrunch Disrupt 2021
Third Critical Bug Affects Netgear Smart Switches — Details and PoC Released
Afghan Interpreters’ Data Exposed in MoD Breach
Amazon assembles video streaming apps to fight with Netflix and Disney in India

Leave a Reply

Your email address will not be published. Required fields are marked *