
American researchers from the company Third I/O presented a report at the Semicon China conference in which they showed that DDR4 chips are also susceptible to the Rowhammer vulnerability. It was previously believed that this type of memory was not affected by the flaw, which was discovered in the spring of 2015 by information security specialists from Google.
What is the problem
In a description of the exploitation of the Rowhammer vulnerability published in March 2015, researchers from Google's Project Zero team explained that the problem lies in changing the values of individual data bits (bit flipping) stored in DDR3 DIMM modules.
DDR memory is an array of rows and columns divided into blocks, which are accessed by applications and the operating system. Each large region of memory is isolated in its own sandbox and may be accessed only by a specific process or application.
If software is run that accesses specific rows in such regions hundreds or thousands of times within a fraction of a second ("knocking" on them like a hammer, hence the name Rowhammer), then, as a result of certain physical effects, this can affect the adjacent memory segment, causing the values of bits there to flip from zero to one and vice versa.
Being able to influence the contents of even protected memory regions, attackers can carry out attacks that lead to privilege escalation up to administrative level, which in turn makes it possible to run malicious code or intercept the actions of users or programs.
Other researchers subsequently found a way to exploit the Rowhammer vulnerability using JavaScript, which a large number of sites use to deliver content to users. Despite the limitations of this exploit (it only worked on a Lenovo x230 Ivy Bridge laptop with default settings and a Haswell chip), the fact of a software attack exploiting the physical shortcomings of vulnerable DIMMs is remarkable.
The problem is more serious
Many DDR4 chip manufacturers, such as Micron and Samsung, have stated that their products are not vulnerable because they use TRR (Targeted Row Refresh) technology.
Researchers from Third I/O decided to test the validity of these statements and tried 12 varieties of DDR4 chips; in 8 cases they managed to change bit values fairly quickly. Among the vulnerable chips were Micron and Geil products, while G.Skill products withstood the tests.
During testing the researchers used a tool called Memesis, developed at Third I/O, with which, among other things, they started a large number of processes working with a single section of memory. Unlike previous repetitions of the Rowhammer attack, this time the researchers "knocked" not only on memory regions whose cells contained only zeros or only ones. They developed a so-called "data killer pattern", which in some cases raised the frequency of bit flips by 50% compared with other patterns.
In hexadecimal form, it looks like this:
492492492492492492492492492492492492492492492492
In binary like this:
0100100100100100100100100100100100100100100100100100100100100100
1001001001001001001001001001001001001001001001001001001001001001
0010010010010010010010010010010010010010010010010010010010010010
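As an added illustration (this is not code from the article or from Third I/O's Memesis tool), the following Python expands the published hexadecimal pattern and shows that the three 64-bit binary words above are one and the same bit sequence with period 3 (every third bit set), seen at three different phases, and how it would be laid out as a byte fill for a memory region:

```python
# Added example, not part of the article: analyse the "data killer pattern".
DATA_KILLER_HEX = "492492492492492492492492492492492492492492492492"  # from the article


def hex_to_bits(hex_pattern):
    """Expand a hex string into its binary digits, keeping leading zeros."""
    return "".join(f"{int(ch, 16):04b}" for ch in hex_pattern)


def split_words(bits, width=64):
    """Cut a bit string into fixed-width words (the article quotes 64-bit words)."""
    if len(bits) % width:
        raise ValueError(f"{len(bits)} bits is not a multiple of {width}")
    return [bits[i:i + width] for i in range(0, len(bits), width)]


def bit_period(bits):
    """Smallest period p such that bits[i] == bits[i + p] for every valid i."""
    for p in range(1, len(bits)):
        if all(bits[i] == bits[i + p] for i in range(len(bits) - p)):
            return p
    return len(bits)


def ones_density(bits):
    """Fraction of set bits; 1/3 means one '1' for every two '0's."""
    return bits.count("1") / len(bits)


def pattern_bytes(total_len):
    """Buffer of total_len bytes filled by repeating the 24-byte pattern,
    the way a memory test tool would write it into a region under test."""
    unit = bytes.fromhex(DATA_KILLER_HEX)
    reps, rem = divmod(total_len, len(unit))
    return unit * reps + unit[:rem]


if __name__ == "__main__":
    bits = hex_to_bits(DATA_KILLER_HEX)
    for word in split_words(bits):
        print(word)
    print("period:", bit_period(bits), "ones density:", ones_density(bits))
    print("first bytes:", pattern_bytes(6).hex())
```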
The tests were also successful on DDR3 chips protected against Rowhammer with ECC (error-correcting code).
Despite the small sample of chips, the researchers are convinced that they have demonstrated the reproducibility of the Rowhammer attack on DDR4 memory, which was previously considered impossible.
Not so bad
Despite the threats identified by various researchers in the year since Rowhammer was discovered, carrying out such an attack is not an easy task. Third I/O technical director and co-founder Mark Lanteigne told Ars Technica that at the moment there is no "actual threat of exploitation", but in general the picture is not as cloudless as chip manufacturers' press releases paint it.
The researchers say that the purpose of their work is to demonstrate that the risk of attacks using bit flipping is real, and that manufacturers of DDR3 and DDR4 chips should therefore pay more attention to the security of their products.