Study: DDR4 memory considered “invulnerable” is affected by Rowhammer vulnerability
American researchers from the company Third I/O presented a report at the Semicon China conference in which they said that DDR4 chips are also vulnerable to Rowhammer. Previously, memory of this type was believed to be unaffected by the vulnerability, which was discovered in the spring of 2015 by information security specialists from Google.
What is the problem
In a March 2015 description of the Rowhammer exploitation technique, researchers from Google's Project Zero team explained that the problem is the unintended change of the values of individual data bits (bit flipping) stored in DDR3 DIMM modules.
DDR memory is an array of cells organized in rows and columns. They are accessed by various applications and by the operating system. Each large region of memory has its own "sandbox": only a certain process or application is allowed to access it.
If software accesses specific rows in such areas hundreds or thousands of times within a fraction of a second ("tapping" them as with a hammer, hence the name "hammering"), then, because of certain physical phenomena, this can affect the neighboring memory area. The values of bits in it can change from zeros to ones and vice versa.
By gaining the ability to influence the contents of even protected memory areas, attackers can carry out attacks that lead to privilege escalation, up to administrative rights. Accordingly, it becomes possible to run malicious code or intercept the actions of users or programs.
The problem is more serious
Many DDR4 chip manufacturers, such as Micron and Samsung, have stated that their products are not vulnerable thanks to the use of TRR (Targeted Row Refresh) technology.
Researchers from Third I/O decided to test the validity of these statements and tested 12 varieties of DDR4 chips; in 8 cases they managed to change bit values quite quickly. Among the vulnerable chips were products from Micron and Geil, while G.Skill products passed the tests.
During testing, the researchers used a tool created at Third I/O called Memesis, with which, among other things, they launched a large number of processes working with one area of memory. Unlike previous reproductions of the Rowhammer attack, this time the researchers "tapped" not only memory areas whose cells contained only zeros or only ones. They developed a so-called "data pattern killer", which in some cases increased the frequency of bit-value changes by 50% compared with other patterns.
In hexadecimal form, it looks like this:
In binary, it looks like this (three consecutive 64-bit words):
0100100100100100100100100100100100100100100100100100100100100100
1001001001001001001001001001001001001001001001001001001001001001
0010010010010010010010010010010010010010010010010010010010010010
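As an added illustration (not code from the article, nor from Third I/O's Memesis tool), the following Python derives the three 64-bit words above from their 3-bit period, renders them in hexadecimal, and shows the checking half of a memory test: compare what was written against what is read back and report the position and direction of every flipped bit. The 3-bit period "010" is an assumption derived from the printed words, and the flipped bit in the demo scenario is constructed.

```python
from typing import List, Tuple

# Assumption (derived from the three words printed in the article): the pattern is
# a stripe with a 3-bit period, "010", tiled across consecutive 64-bit words.
# Because 64 mod 3 == 1, each following word starts one bit further into the
# period, which is why the three printed words look different.
PERIOD = "010"
WIDTH = 64


def killer_pattern_words(n_words: int, width: int = WIDTH) -> List[int]:
    """Tile the 3-periodic stripe over n_words words and return them as ints.

    Bit i, counted from the most significant bit of word 0, is set exactly
    when i % 3 == 1, reproducing 0100100..., 1001001..., 0010010...
    """
    bits = "".join(PERIOD[i % len(PERIOD)] for i in range(n_words * width))
    return [int(bits[w * width:(w + 1) * width], 2) for w in range(n_words)]


def as_hex(words: List[int], width: int = WIDTH) -> List[str]:
    """Render each word as a zero-padded hexadecimal literal."""
    return [f"0x{w:0{width // 4}x}" for w in words]


def find_bit_flips(expected: List[int], observed: List[int],
                   width: int = WIDTH) -> List[Tuple[int, int, str]]:
    """Compare a memory region against the pattern that was written to it.

    Returns (word index, bit index from the MSB, direction) for every bit that
    differs; an empty list means no flip was observed. This is the checking
    step of a memory test: write a pattern, exercise memory, re-read, compare.
    """
    flips = []
    for w, (e, o) in enumerate(zip(expected, observed)):
        diff = e ^ o
        for b in range(width):
            mask = 1 << (width - 1 - b)
            if diff & mask:
                flips.append((w, b, "1->0" if e & mask else "0->1"))
    return flips


def demo() -> List[Tuple[int, int, str]]:
    """Constructed scenario: one bit of the second word comes back changed."""
    expected = killer_pattern_words(3)
    observed = list(expected)
    observed[1] ^= 1 << (WIDTH - 1 - 5)   # constructed flip at bit 5 of word 1
    return find_bit_flips(expected, observed)


if __name__ == "__main__":
    words = killer_pattern_words(3)
    for word, hx in zip(words, as_hex(words)):
        print(f"{word:064b}  {hx}")
    print("flips in constructed read-back:", demo())
```

Running the script prints the three binary words beside their hexadecimal form and then the single constructed flip, reported as word 1, bit 5, direction 0->1. The same comparison, applied to a real buffer after it has been exercised, is how a test like the one described in the article decides whether a chip flipped bits.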
The tests were also successful in the case of DDR3 chips with the Rowhammer protection called ECC (error-correcting code).
Despite the small sample of chips, the researchers are convinced that they proved the reproducibility of the Rowhammer attack on DDR4 memory, which was previously considered impossible.
Not so bad
Despite the threats identified by various researchers in the year since the discovery of Rowhammer, carrying out such an attack is not an easy task. Mark Lanteigne, technical director and co-founder of Third I/O, told Ars Technica that at the moment there is no "current operational threat", but that, in general, the picture is far from as cloudless as the chip manufacturers' press releases paint it.
The researchers say the goal of their work is to demonstrate that the risk of bit-flipping attacks is real, and that DDR3 and DDR4 chip makers should therefore pay more attention to the security of their products.