Google security researchers have demonstrated a new type of Rowhammer attack that bypasses all current defenses to tamper with data stored in memory.
Discovered in 2014, Rowhammer attacks are a class of DRAM (dynamic random access memory) vulnerabilities. In a Rowhammer attack, malicious code repeatedly accesses the same “row” of transistors (the “aggressor”) on a memory chip within a fraction of a second, a process called hammering. The resulting electrical charge leakage from the hammered row into an adjacent one corrupts the data stored there.
A new hammering technique, dubbed “Half-Double” by the researchers, exploits the weak coupling between two memory rows that are not adjacent to each other but one row apart or even two rows apart. The researchers explain the difference between TRRespass (a previously known hammering technique, named after Target Row Refresh) and the new one:
“Unlike TRRespass, which exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate,” the researchers noted. “This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances greater than two are conceivable.”
Countermeasures like Target Row Refresh (TRR), devised by DRAM manufacturers, only protect the two immediate neighbors of an aggressor row and are therefore ineffective for rows farther away. As a result, TRR in DDR4 modules can be circumvented by newer Rowhammer attacks such as TRRespass and SMASH.
Half-Double, a distance-two assisted Rowhammer variant, now joins that list.
“Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (~dozens) to B,” the researchers explained.
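To make the distance argument concrete, here is a toy simulation added for this article (it is not the researchers' code). It models rows whose charge leaks a little on every activation of a nearby row, with a coupling that weakens with distance, and a TRR that refreshes only the rows within a fixed reach of a heavily activated row. Every constant (coupling strengths, flip threshold, TRR trigger count) and the row numbers A, B, C = 6, 7, 8 are assumed values chosen for illustration.

```python
from collections import Counter

ROWS = 16
FLIP_BELOW = 0.5                    # a row counts as flipped once its charge falls below this (assumed)
COUPLING = {1: 0.002, 2: 0.00008}   # assumed per-activation leak onto rows at distance 1 and 2
TRR_THRESHOLD = 100                 # assumed: activations of one row before TRR refreshes its neighbours

def interleave(pattern):
    """Round-robin stream of row activations, e.g. [(A, 5000), (B, 60)] -> A,B,A,B,...,A,A,A."""
    remaining = dict(pattern)
    while remaining:
        for row in [r for r, _ in pattern if remaining.get(r)]:
            yield row
            remaining[row] -= 1
            if remaining[row] == 0:
                del remaining[row]

def simulate(pattern, trr_reach=0):
    """Return the set of rows whose charge ever dropped below FLIP_BELOW.
    trr_reach=0 disables TRR; trr_reach=1 refreshes only immediate neighbours (the DDR4
    behaviour the article describes); trr_reach=2 also refreshes rows two away."""
    charge = [1.0] * ROWS
    counts = Counter()
    flipped = set()
    for row in interleave(pattern):
        for dist, leak in COUPLING.items():          # disturb rows on both sides of the aggressor
            for victim in (row - dist, row + dist):
                if 0 <= victim < ROWS:
                    charge[victim] -= leak
                    if charge[victim] < FLIP_BELOW:
                        flipped.add(victim)           # a flip is permanent; refresh cannot undo it
        counts[row] += 1
        if trr_reach and counts[row] >= TRR_THRESHOLD:
            counts[row] = 0
            for dist in range(1, trr_reach + 1):     # TRR restores rows within its reach
                for r in (row - dist, row + dist):
                    if 0 <= r < ROWS:
                        charge[r] = 1.0
    return flipped

if __name__ == "__main__":
    A, B, C = 6, 7, 8                                # three consecutive rows, as in the quote
    classic = [(C - 1, 2500), (C + 1, 2500)]         # double-sided hammering of C's neighbours
    half_double = [(A, 5000), (B, 60)]               # many accesses to A, a handful to B
    for name, pat in (("double-sided", classic), ("half-double", half_double)):
        for reach in (0, 1, 2):
            print(f"{name:12s} TRR reach {reach}: flipped rows {sorted(simulate(pat, reach))}")
```

With these constants, neighbour-only TRR stops the classic double-sided pattern but still lets C flip under the Half-Double pattern, while neither A's nor B's accesses alone suffice; a TRR that also refreshes rows two away stops it.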
Google is currently working with the Joint Electron Device Engineering Council (JEDEC) and other industry partners on solutions for the new Rowhammer exploit.
“To evaluate the effectiveness of a [SoC-level] mitigation, a DRAM vendor should test a mix of hammering distances rather than only testing at individual distances,” the researchers said. “In other words, hammering a single row or a pair of sandwiching rows on the raw medium will not show this effect. Instead, pairs of rows on one or both sides of an intended victim need to be hammered.”