Google researchers discovered a new variant of Rowhammer attacks, dubbed “Half-Double,” that allows bypassing all current defenses.
In 2015, security researchers at Google’s Project Zero team demonstrated how to hijack the Intel-compatible PCs running Linux by exploiting the physical weaknesses in certain varieties of DDR DRAM (double data rate dynamic random-access memory) chips.
By exploiting the technique, dubbed “rowhammer” the hackers can obtain higher kernel privileges on the target system. Rowhammer is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows, this means that theoretically, an attacker can change any value of the bit in the memory.
To better understand the Rowhammer flaw, let’s remember that a DDR memory is arranged in an array of rows and columns. Blocks of memory are assigned to various services and applications. To avoid that an application accesses the memory space reserved by another application, it implements a “sandbox” protection mechanism.
Bit flipping technique caused by the Rowhammer problems could be exploited to evade the sendbox.
Vendors devised a set of mitigations known as Target Row Refresh (TRR) that prevent the row hammer effect without negatively impacting performance or power consumption.
Last year, boffin demonstrated a new variant of the Rowhammer attack, dubbed TRRespass, that could bypass the TRR mitigations on the latest generation of RAM cards.
In the new Half-Double attack, researchers demonstrated that it is possible to perform a Rowhammer attack that triggers bit flips at a distance of two rows from the hammered row instead of the canonical one used in previous variants of the attack.
“Traditionally, Rowhammer was understood to operate at a distance of one row: when a DRAM row is accessed repeatedly (the “aggressor”), bit flips were found only in the two adjacent rows (the “victims”).” reads the post published by Google. “However, with Half-Double, we have observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength. Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (~dozens) to B.”
Experts pointed out that Half-Double is an intrinsic property of the underlying silicon substrate, this means that the electrical coupling responsible for Rowhammer is a property of distance.
The current generation of RAM cards is becoming, even more, smaller, which means that the distance between memory rows was also decreasing making it easier to trigger bit flipping from a larger distance.
Half-Double attacks could not be prevented by security protections like TRR that only prevent interferences between adjacent memory cells.
“Unlike TRRespass, which exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate.” concludes Google. “This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances greater than two are conceivable.”
blog post today, Google said that it is currently working with several semiconductor industry players to search “possible solutions for the Rowhammer phenomenon,” and encouraged fellow experts to join their efforts, as “the challenge is substantial and the ramifications are industry-wide.”
(SecurityAffairs – hacking, PLA Unit 61419)