
New ZenHammer Attack Bypasses Rowhammer Defenses on AMD CPUs

Cybersecurity researchers from ETH Zurich have developed a new variant of the RowHammer DRAM (dynamic random-access memory) attack that, for the first time, successfully works against AMD Zen 2 and Zen 3 systems despite mitigations such as Target Row Refresh (TRR).

“This result proves that AMD systems are equally vulnerable to Rowhammer as Intel systems, which greatly increases the attack surface, considering today’s AMD market share of around 36% on x86 desktop CPUs,” the researchers said.

The technique has been codenamed ZenHammer, which can also trigger RowHammer bit flips on DDR5 devices for the first time.

RowHammer, first publicly disclosed in 2014, is a well-known attack that exploits DRAM’s memory cell architecture to alter data by repeatedly accessing a specific row (aka hammering) to cause the electrical charge of a cell to leak to adjacent cells.

This can induce random bit flips in neighboring memory rows (from 0 to 1, or vice versa), which can alter the memory contents and potentially facilitate privilege escalation, compromising system credentials, integrity, and availability of a system.


The attacks take advantage of the physical proximity of these cells within the memory array, a problem that is likely to worsen as DRAM technology scaling continues and storage density increases.


“As DRAM continues to scale, RowHammer bit flips can occur at smaller activation counts and thus a benign workload’s DRAM row activation rates can approach and even exceed the RowHammer threshold,” ETH Zurich researchers noted in a paper published in November 2022.

“Thus, a system may experience bit flips or frequently trigger RowHammer defense mechanisms even without a malicious party performing a RowHammer attack in the system, leading to data corruption or significant performance degradation.”

One of the crucial mitigations implemented by DRAM manufacturers against RowHammer is TRR, which is an umbrella term used for mechanisms that refresh target rows that are determined to be accessed frequently.

In doing so, the idea is to generate more memory refresh operations so that victim rows will either be refreshed before bits are flipped or be corrected after bits are flipped due to RowHammer attacks.
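The refresh-before-flip idea behind TRR can be seen in a small simulation, added here as an illustration and not taken from the researchers or from any DRAM vendor, whose TRR designs are undocumented. The row count, thresholds, counter-based tracker and traces are all assumed, constructed values.

```python
from collections import Counter

ROWS = 16                # rows in the modelled bank (assumed)
FLIP_THRESHOLD = 1000    # disturbances before a victim row flips (assumed)
TRR_THRESHOLD = 400      # activations that mark a row as a TRR target (assumed)
REFRESH_INTERVAL = 5000  # activations between regular refreshes (assumed)


def neighbours(row):
    """Rows physically adjacent to `row` inside the bank."""
    return [r for r in (row - 1, row + 1) if 0 <= r < ROWS]


def simulate(trace, trr_enabled):
    """Replay row activations and return the rows that would have flipped."""
    disturbance = Counter()  # disturbance per row since its last refresh
    activations = Counter()  # per-row counters kept by the TRR tracker
    flipped = set()
    for n, row in enumerate(trace, start=1):
        activations[row] += 1
        for victim in neighbours(row):
            disturbance[victim] += 1
            if disturbance[victim] >= FLIP_THRESHOLD:
                flipped.add(victim)
        if trr_enabled and activations[row] >= TRR_THRESHOLD:
            # Frequently accessed row: refresh its neighbours ahead of schedule.
            for victim in neighbours(row):
                disturbance[victim] = 0
            activations[row] = 0
        if n % REFRESH_INTERVAL == 0:
            # Regular refresh restores every row.
            disturbance.clear()
            activations.clear()
    return flipped


# Constructed trace: 2000 alternating activations of rows 4 and 6 (4000 total).
HOT_TRACE = [4, 6] * 2000
# Constructed benign trace: a sequential sweep over all rows, repeated 250 times.
SWEEP_TRACE = list(range(ROWS)) * 250

if __name__ == "__main__":
    print("no TRR  :", sorted(simulate(HOT_TRACE, trr_enabled=False)))
    print("with TRR:", sorted(simulate(HOT_TRACE, trr_enabled=True)))
    print("sweep   :", sorted(simulate(SWEEP_TRACE, trr_enabled=False)))
```

In this model the tracker sees every activation, so the early refresh always lands in time; it does not model the refresh timing or address mapping of real hardware.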

ZenHammer, like TRRespass and SMASH, bypasses TRR guardrails by reverse engineering the secret DRAM address functions in AMD systems and adopting improved refresh synchronization and scheduling of flushing and fencing instructions to trigger bit flips on seven out of 10 sample Zen 2 devices and 6 out of 10 Zen 3 devices.


The study also arrived at an optimal hammering instruction sequence to improve row activation rates in order to facilitate more effective hammering.

“Our results showed that regular loads (MOV) with CLFLUSHOPT for flushing aggressors from the cache, issued immediately after accessing an aggressor (‘scatter’ style), is optimal,” the researchers said.

ZenHammer has the distinction of being the very first method that can trigger bit flips on systems equipped with DDR5 chips on AMD’s Zen 4 microarchitectural platform. That said, it only works on one of the 10 tested devices (Ryzen 7 7700X).


It is worth noting that DDR5 DRAM modules were previously considered immune to RowHammer attacks owing to them replacing TRR with a new kind of protection called refresh management.

“The changes in DDR5 such as improved RowHammer mitigations, on-die error correction code (ECC), and a higher refresh rate (32 ms) make it harder to trigger bit flip,” the researchers said.


“Given the lack of bit flips on 9 of 10 DDR5 devices, more work is needed to better understand the potentially new RowHammer mitigations and their security guarantees.”

AMD, in a security bulletin, said it is assessing RowHammer bit flips on DDR5 devices, and that it will provide an update following its completion.

“AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications,” it added. “Susceptibility to RowHammer attacks varies based on the DRAM device, vendor, technology, and system settings.”
