Cybercrime , Endpoint Security , Fraud Management & Cybercrime

Google Finds New Exploit That Alters Chip Memory

Latest Rowhammer Technique Targets Design Flaws in Modern DRAM Chips
Google Finds New Exploit That Alters Chip Memory
Source: Google Security Blog

Researchers at Google have identified a new Rowhammer technique, dubbed Half-Double, which exploits design flaws in modern DRAM chips to alter their memory content.

See Also: Live Discussion | Securing Business Growth: The Road to 24/7 Threat Detection and Response

First discovered in 2014, Rowhammer is a DRAM vulnerability in which repeated access to one address can tamper with data stored in other addresses.

"Much like speculative execution vulnerabilities in CPUs, Rowhammer is a breach of security guarantees made by the underlying hardware. As an electrical coupling phenomenon within the silicon itself, Rowhammer allows the potential bypass of hardware and software memory protection policies. This can allow untrusted code to break out of its sandbox and take full control of the system," the researchers at Google note.

The 2014 paper, however, discusses the DDR3, the mainstream DRAM generation at the time. In 2015, the Mountain View, California-based company’s Project Zero, which was tasked with finding zero-day vulnerabilities, released an exploit that escalates working privilege.

In response to the exploit, chip manufacturers implemented proprietary logic in their products that attempted to track frequently accessed addresses and reactively mitigate when necessary.

2014 saw the release of DDR4, which included built-in defense mechanisms, seemingly marking the end of Rowhammer.

In 2020, however, a paper on TRRespass showed how the defenses could be neutralized through reverse engineering and by distributing access, demonstrating that Rowhammer techniques were still viable.

Additionally, 2021 research on SMASH demonstrated exploitation from JavaScript, without invoking cache-management primitives or system calls.

The SMASH report adds that the Rowhammer bug continues to threaten web users, and its insights on synchronization show that the attacker has more control than previously reported, which will make it even harder to build the proper Rowhammer defense.

Old vs. New

The old variant of Rowhammer operated at a distance of one row. When an aggressor repeatedly accessed a DRAM row, bit flips were found only in the two adjacent rows - the “victims."

In Double-Half, Google researchers observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength.

"Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (dozens) to B. Based on our experiments, accesses to B has a non-linear gating effect, in which they appear to 'transport' the Rowhammer effect of A onto C," the researchers state.

While TRRespass exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate. The latter likely indicates that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down, the researchers say.

The Google report says it significantly advances the understanding of the Rowhammer phenomenon, and it will help both researchers and industry partners work together to develop lasting solutions. It adds: “The challenge is substantial and the ramifications are industry-wide."


About the Author

Prajeet Nair

Prajeet Nair

Principal Correspondent

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.