Defeating present Rowhammer protections
Rowhammer is a technique of deliberately inducing disturbance errors, or bit flips, in the tightly packed memory cells of modern DRAM chips. Since 2014, researchers have observed that rapid and repeated read operations on the same physical row of memory cells can cause electrical charge to leak into adjacent rows, changing the values stored in those cells from 0 to 1 or the other way around. In 2015, researchers from Google showed that if carried out in a controlled manner, this can have security implications, such as privilege escalation in operating systems between userspace and kernel or bypasses of process sandboxes.
Rowhammer and the many variants discovered since have primarily affected DDR3 and DDR4 memory modules, while DDR5, a newer technology, uses more sophisticated mechanisms to detect and correct disturbance errors. These mitigation mechanisms are commonly known as Target Row Refresh (TRR) and involve detecting so-called aggressor rows that are being hammered and then refreshing the adjacent victim rows to correct any bit flips that may have occurred. TRR is present in DDR4 as well, but in a less sophisticated and easier to defeat implementation.
TRR implementations are proprietary and not publicly documented, which is why previously attempted Rowhammer attacks against DDR5 had very limited success. One Rowhammer attack dubbed Zenhammer, disclosed in 2024, managed to trigger bit flips in only one of 10 tested DDR5 DIMMs. By comparison, the new Phoenix attack managed to trigger bit flips in all tested DIMMs.



