Researchers have created a new fuzzing-based approach known as ‘Blacksmith,’ which revives Rowhammer vulnerability attacks against current DRAM chips while avoiding existing mitigations. The introduction of this new Blacksmith approach shows that today’s DDR4 modules are subject to exploitation, enabling a wide range of attacks.
Rowhammer is a security flaw that depends on the leakage of electrical charges between neighboring memory cells to allow a threat actor to flip 1s and 0s and modify the memory’s content. This sophisticated attack may circumvent all software-based security safeguards, resulting in privilege escalation, memory corruption, and other issues.
It was found in 2014, and two functional privilege escalation exploits based on the researcher were already accessible within a year. Gradually, this became a common issue, and Android programs were created to get root access by exploiting the Rowhammer vulnerability on devices.
In March 2020, academic researchers demonstrated that a bypass was achievable, indicating that the mitigations used to solve this bit-flipping vulnerability were insufficient. Manufacturers have included a set of mitigations known as “Target Row Refresh” (TRR), which were mostly successful in preventing attacks on the then-new DDR4 memory. TRRespass was the name of the attack employed against it, and it was another fuzzing-based approach that successfully uncovered acceptable Rowhammering patterns.
‘TRRespass’ was able to detect successful patterns in 14 of the 40 DIMMs examined, achieving a success rate of around 37.5 percent. ‘Blacksmith,’ on the other hand, discovered successful Rowhammer patterns on all 40 DIMMs tested.
This time, the researchers’ strategy was to look for non-uniform structures that might overcome TRR rather than approaching the hammering patterns evenly. The team created frequency-based Rowhammer patterns using order, regularity, and intensity parameters, then sent them to the Blacksmith fuzzer to identify workable values.
The fuzzer ran for 12 hours and came up with the best settings for a Blacksmith strike. The researchers were able to do bit flips over a 256 MB contiguous memory space using these values. The researchers applied test attacks to extract private keys for public RSA-2048 keys used to authenticate to an SSH host, proving that this may be exploited in real-world scenarios.
According to Comsec, while employing ECC DRAM makes exploitation more complex, it may not protect against Rowhammer techniques.
Newer DDR5 DRAM modules are currently on the market, and their use is expected to rise rapidly in the coming years. TRR is replaced with “refresh management,” a mechanism that maintains track of activations in a bank and gives selected refreshes whenever a threshold is met. Thus, Rowhammer may not be as big of a problem in DDR5. Scalable fuzzing on a DDR5 DRAM chip would be much more difficult and probably ineffective, although that remains to be seen.