Researchers defeat 'Rowhammer' attack mitigations

Users should not be lulled into a false sense of security and assume the dynamic random access memory (DRAM) close to processors is secure from Rowhammer attacks that can leak sensitive information to unpriviledged users, researchers say.

Researchers at the Swiss Federal Institute of Technology in Zürich (ETH) have discovered that despite mitigations, it is still possible to leak DRAM charges in cells, allowing attackers to trigger bit flips in these.

DRAM vendors have tried to mitigate against such Rowhammer attacks by using a so-called Target Row Refresh (TRR) technique, the implementation of which appears to vary between different manufacturers.

The researchers devised a new approach with non-uniform and frequency-based access patterns to bypass TRR, and making their Blacksmith fuzzer (Github) work against all DRAM sticks they tested, covering 94 percent of the market.

Using pricier error correction code (ECC) memory makes Rowhammer exploitation harder, but does not provide complete protection.

The attacks can be deployed with common user-interfacing applications, such as web browsers running Javascript, virtual machines at cloud computing providers, on smartphones and over networks, the researchers said.

"Concluding, our work confirms that the DRAM vendors’ claims about Rowhammer protections are false and lure you into a false sense of security," they said.

"All currently deployed mitigations are insufficient to fully protect against Rowhammer.

"Our novel patterns show that attackers can more easily exploit systems than previously assumed."

Other researchers such as VUsec have published prior analysis with ETH that suggests the TRR mitigations are not sufficient to address Rowhammer attacks.

Samsung, SK Hynix and Micron have confirmed the ETH researchers' findings, along with Intel, AMD, Microsoft, Oracle and Google.