Cybersecurity researchers from ETH Zurich have developed a new variant of the RowHammer DRAM (dynamic random-access memory) attack that, for the first time, successfully works against AMD Zen 2 and Zen 3 systems despite mitigations such as Target Row Refresh (TRR).
“This result proves that AMD systems are equally vulnerable to Rowhammer as Intel systems, which significantly increases the attack surface, considering today’s AMD market share of around 36% on x86 desktop CPUs,” the researchers said.
The technique has been codenamed ZenHammer, which can also trigger RowHammer bit flips on DDR5 devices for the first time.
RowHammer, first publicly disclosed in 2014, is a well-known attack that exploits DRAM’s memory cell architecture to alter data by repeatedly accessing a specific row (aka hammering) to cause the electrical charge of a cell to leak into adjacent cells.
This can induce random bit flips in neighboring memory rows (from 0 to 1, or vice versa), which can alter the memory contents and potentially facilitate privilege escalation, compromising the confidentiality, integrity, and availability of a system.
The attacks take advantage of the physical proximity of these cells within the memory array, a problem that is likely to worsen as DRAM technology scaling continues and storage density increases.
“As DRAM continues to scale, RowHammer bit flips can occur at smaller activation counts and thus a benign workload’s DRAM row activation rates can approach or even exceed the RowHammer threshold,” ETH Zurich researchers noted in a paper published in November 2022.
“Thus, a system may experience bit flips or frequently trigger RowHammer defense mechanisms even without a malicious party performing a RowHammer attack in the system, leading to data corruption or significant performance degradation.”
One of the main mitigations implemented by DRAM manufacturers against RowHammer is TRR, which is an umbrella term for mechanisms that refresh target rows that are determined to be accessed frequently.
In doing so, the idea is to generate additional memory refresh operations so that victim rows will either be refreshed before bits are flipped or be corrected after bits are flipped as a result of RowHammer attacks.
ZenHammer, like TRRespass and SMASH, bypasses TRR guardrails by reverse engineering the secret DRAM address functions in AMD systems and adopting improved refresh synchronization and scheduling of flushing and fencing instructions to trigger bit flips on seven out of 10 sample Zen 2 devices and six out of 10 Zen 3 devices.
The study also arrived at an optimal hammering instruction sequence to improve row activation rates in order to facilitate more effective hammering.
“Our results showed that regular loads (MOV) with CLFLUSHOPT for flushing aggressors from the cache, issued immediately after accessing an aggressor (‘scatter’ style), is optimal,” the researchers said.
ZenHammer has the distinction of being the very first method that can trigger bit flips on systems equipped with DDR5 chips on AMD’s Zen 4 microarchitectural platform. That said, it only works on one of the 10 tested devices (Ryzen 7 7700X).
It’s worth noting that DDR5 DRAM modules were previously considered immune to RowHammer attacks owing to them replacing TRR with a new type of protection called refresh management.
“The changes in DDR5 such as improved RowHammer mitigations, on-die error correction code (ECC), and a higher refresh rate (32 ms) make it harder to trigger bit flips,” the researchers said.
“Given the lack of bit flips on nine of 10 DDR5 devices, more work is needed to better understand the potentially new RowHammer mitigations and their security guarantees.”
AMD, in a security bulletin, said it is assessing RowHammer bit flips on DDR5 devices, and that it will provide an update following its completion.
“AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications,” it added. “Susceptibility to RowHammer attacks varies based on the DRAM device, vendor, technology, and system settings.”