Cybersecurity researchers from ETH Zurich have developed a new variant of the RowHammer DRAM (dynamic random-access memory) attack that, for the first time, successfully works against AMD Zen 2 and Zen 3 systems despite mitigations such as Target Row Refresh (TRR).
"This result proves that AMD systems are equally vulnerable to Rowhammer as Intel systems, which greatly increases the attack surface, considering today's AMD market share of around 36% on x86 desktop CPUs," the researchers said.
The technique has been codenamed ZenHammer, which can also trigger RowHammer bit flips on DDR5 devices for the first time.
RowHammer, first publicly disclosed in 2014, is a well-known attack that exploits DRAM's memory cell architecture to alter data by repeatedly accessing a specific row (aka hammering) to cause the electrical charge of a cell to leak into adjacent cells.
This can induce random bit flips in neighboring memory rows (from 0 to 1, or vice versa), which can alter the memory contents and potentially facilitate privilege escalation, compromising the confidentiality, integrity, and availability of a system.
The attacks take advantage of the physical proximity of these cells within the memory array, a problem that is likely to worsen as DRAM technology scaling continues and storage density increases.
"As DRAM continues to scale, RowHammer bit flips can occur at smaller activation counts and thus a benign workload's DRAM row activation rates can approach or even exceed the RowHammer threshold," ETH Zurich researchers noted in a paper published in November 2022.
"Thus, a system may experience bit flips or frequently trigger RowHammer defense mechanisms even without a malicious party performing a RowHammer attack in the system, leading to data corruption or significant performance degradation."
One of the main mitigations implemented by DRAM manufacturers against RowHammer is TRR, which is an umbrella term for mechanisms that refresh target rows that are determined to be accessed frequently.
In doing so, the idea is to generate additional memory refresh operations so that victim rows are either refreshed before bits are flipped or corrected after bits are flipped as a result of RowHammer attacks.
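The following toy Python model is an added illustration, not code from the paper or from this article, of what TRR buys a system: a counter-based tracker refreshes the neighbours of the most-activated rows at every refresh interval, so a single row activated far past the threshold within one refresh window flips its neighbours only when the tracker is disabled, while a benign workload with the same total activation count spread across rows stays below the threshold. The row count, threshold and slot count are constructed parameters chosen for the simulation, not measurements.

```python
from collections import Counter

# Constructed toy parameters for illustration, not measurements from the paper.
ROWS = 16
REFRESH_SLOTS = 8192          # tREFI slots in one 64 ms refresh window
ROWHAMMER_THRESHOLD = 50_000  # neighbour activations that flip a victim cell

class DramBank:
    """Toy bank: neighbour activations per victim since its last refresh, plus an
    optional TRR tracker that refreshes the neighbours of the hottest rows."""

    def __init__(self, trr_slots=0):
        self.trr_slots = trr_slots    # 0 = no TRR; N = rows the tracker can watch
        self.pressure = Counter()     # victim row -> activations of its neighbours
        self.hot = Counter()          # rows activated during the current tREFI slot
        self.flipped = set()

    def activate(self, row):
        self.hot[row] += 1
        for victim in (row - 1, row + 1):   # adjacent rows receive the leaked charge
            if 0 <= victim < ROWS:
                self.pressure[victim] += 1
                if self.pressure[victim] > ROWHAMMER_THRESHOLD:
                    self.flipped.add(victim)

    def end_of_slot(self):
        """TRR: at each tREFI, refresh the neighbours of the most activated rows."""
        for aggressor, _ in self.hot.most_common(self.trr_slots):
            for victim in (aggressor - 1, aggressor + 1):
                self.pressure[victim] = 0   # a refresh restores the cell charge
        self.hot.clear()

def run_window(workload, trr_slots=0):
    """Simulate one refresh window; workload(slot) lists the rows activated in that
    tREFI slot. Returns the sorted victim rows whose bits flipped."""
    bank = DramBank(trr_slots)
    for slot in range(REFRESH_SLOTS):
        for row in workload(slot):
            bank.activate(row)
        bank.end_of_slot()
    return sorted(bank.flipped)

def single_row_workload(slot):
    return [5] * 10   # 81,920 activations of row 5 per window, far past the threshold

def benign_round_robin(slot):
    return [(slot * 10 + i) % ROWS for i in range(10)]   # same total, spread over rows

if __name__ == "__main__":
    print(run_window(single_row_workload), run_window(single_row_workload, 1))  # [4, 6] []
```

The model deliberately omits what the article's next paragraphs describe (the limited number of rows a real tracker can watch and the address mapping an attacker must recover); its point is only why refreshing victims before the threshold is reached prevents the flip.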
ZenHammer, like TRRespass and SMASH, bypasses TRR guardrails by reverse engineering the secret DRAM address functions in AMD systems and adopting improved refresh synchronization and scheduling of flushing and fencing instructions to trigger bit flips on seven out of 10 sample Zen 2 devices and six out of 10 Zen 3 devices.
The study also arrived at an optimal hammering instruction sequence to improve row activation rates in order to facilitate more effective hammering.
"Our results showed that regular loads (MOV) with CLFLUSHOPT for flushing aggressors from the cache, issued immediately after accessing an aggressor ('scatter' style), is optimal," the researchers said.
ZenHammer has the distinction of being the very first method that can trigger bit flips on systems equipped with DDR5 chips on AMD's Zen 4 microarchitectural platform. That said, it only works on one of the 10 tested devices (Ryzen 7 7700X).
It is worth noting that DDR5 DRAM modules were previously considered immune to RowHammer attacks owing to them replacing TRR with a new kind of protection called refresh management.
"The changes in DDR5 such as improved RowHammer mitigations, on-die error correction code (ECC), and a higher refresh rate (32 ms) make it harder to trigger bit flips," the researchers said.
"Given the lack of bit flips on nine of 10 DDR5 devices, more work is needed to better understand the potentially new RowHammer mitigations and their security guarantees."
AMD, in a security bulletin, said it is assessing RowHammer bit flips on DDR5 devices, and that it will provide an update following the completion of that assessment.
"AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications," it added. "Susceptibility to RowHammer attacks varies based on the DRAM device, vendor, technology, and system settings."