DRAM Security Holes Persist

For the last few years we’ve learned of Rowhammer and related hacks that exploit wrinkles in the design of contemporary DRAM memory chips to reveal hidden information. 

These techniques are mind-bendingly obscure, taking advantage of the complexity of today’s chips.  It may look like a simple memory, but it’s actually a complex computer with all kinds of stuff going on.  And, as always, complexity is opportunity for hackers.

If you read the official security bulletins, you’ll see that there are recommended mitigations and countermeasures.  I’ve wondered just how effective these supposed protections really are.

This fall, researchers at ETH Zurich reported that they are not effective at all [1].

Sigh.

Basically, the initial wave of published and “mitigated” Rowhammer-like attacks used uniform hammering patterns.  This approach maximizes the payoff for the attacker.  Mitigation schemes generally detect the highly regular access pattern of such an attack, and work to stop the attack once it is detected.

The new research examines non-uniform hammering, i.e., series of hits that vary in order, regularity, and intensity.  This variability opens up a huge design space of possible attack patterns, and defies simple pattern recognition by a defender. To explore this huge attack surface, the researchers searched for and identified the most effective patterns.

They built a system to generate complex access patterns.  They describe their ‘Blacksmith’ tool as generating patterns “in the frequency domain”.  Rather than a time-consuming reverse engineering of each chip’s internals, they used an empirical search.

“We design a series of experiments that start by fully randomizing the patterns and gradually discovering the essential properties that make them successful.”

([1], p. 2)

This approach discovered patterns that worked for every chip tested.  The chips are different, and the exact flaws exploited are probably different—if they are even known.  But there was always some pattern that breaks things.

Notably, there is always a pattern that breaks things even with the current “mitigation” measures in place. 

Honestly, I love this methodology.  They effectively bet that every DRAM is vulnerable to rowhammering, even if we don’t know exactly how the innards work.  And they won the bet 100% of the time, so far. 

So cool!

This is bad news for chip companies. It seems unlikely that these attacks can be mitigated. Basically every computer on Earth remains vulnerable to Rowhammer attacks, and will remain so forever.   

The only solution is a new generation of chips that are built better.  But that won’t fix everything we are already using.

Designers of new chips would be well advised to use methods like ‘Blacksmith’ in development, no?

The good news is, as the researchers say, “there are much simpler ways to hack most computers”, such as viruses, phishing, and other garden-variety attacks [2]. Rowhammer is mainly a threat to hardened, highly secured systems that can’t be attacked easily.


  1. Patrick Jattke, Victor Veen, Pietro Frigo, Stijn Gunter, and Kaveh Razavi, Scalable Rowhammering in the Frequency Domain, in IEEE Symposium on Security and Privacy, 2022. https://comsec.ethz.ch/wp-content/files/blacksmith_sp22.pdf
  2. Oliver Morsch, Serious security vulnerabilities in computer memories, in ETH Zurich – News & Events, November 15, 2021. https://ethz.ch/en/news-and-events/eth-news/news/2021/11/serious-security-vulnerabilities-in-computer-memories.html
