On AMD CPUs, a novel ZenHammer attack circumvents Rowhammer resistance.
Cybersecurity researchers affiliated with ETH Zurich have created a novel iteration of the RowHammer DRAM (dynamic random-access memory) assault that has demonstrated efficacy against AMD Zen 2 and Zen 3 systems, even in the presence of countermeasures like Target Row Refresh (TRR).
“This result proves that AMD systems are equally vulnerable to Rowhammer as Intel systems, which greatly increases the attack surface, considering today’s AMD market share of around 36% on x86 desktop CPUs,” according to the investigators.
On DDR5 devices, the method known as ZenHammer can also induce RowHammer bit shifts for the first time.
The NHS health board confirms a ransomware intrusion.
In 2014, the public first learned about the widely recognized RowHammer attack, which manipulates data by repeatedly accessing a specific row (also known as “hammering”) to cause a cell’s electrical charge to escape to neighboring cells via the DRAM’s memory cell architecture.
This could cause random bit flips in adjacent memory rows (from 0 to 1, or vice versa), which could change what’s in the memory and allow someone with more rights to access it, putting the system’s credentials, integrity, and availability at risk.
The assaults exploit the physical proximity of these cells within the memory array; this issue is likely to intensify as DRAM technology continues to scale and storage density rises.
Researchers from ETH Zurich wrote in a November 2022 paper, “As DRAM continues to scale, RowHammer bit flips can occur at lower activation counts. As a result, the DRAM row activation rates of a benign workload may approach or exceed the RowHammer threshold.”
“Thus, a system may experience bit flips or frequently trigger RowHammer defense mechanisms even without a malicious party performing a RowHammer attack in the system, leading to data corruption or significant performance degradation.”
DRAM manufacturers use TRR, an omnibus term that refers to mechanisms that refresh rows identified as frequently accessed, as a critical countermeasure in response to RowHammer.
The objective is to increase the number of memory refresh operations in order to ensure that victim rows are either refreshed prior to bit flips or corrected subsequent to bit flips caused by RowHammer attacks.
Similar to TRRespass and SMASH, ZenHammer circumvents TRR guardrails by exploiting concealed DRAM address functions in AMD systems through reverse engineering. Additionally, it utilizes enhanced refresh synchronization and scheduling of flushing and fencing instructions to initiate bit flips on six out of ten Zen 3 devices and seven out of ten sample Zen 2 devices.
Additionally, the study determined an optimal hammering instruction sequence that aimed to enhance row activation rates to facilitate more efficient hammering.
The Dutch prime minister addresses Xi Jinping explicitly about cyber-espionage concerns.
“Our results showed that regular loads (MOV) with CLFLUSHOPT for flushing aggressors from the cache, issued immediately after accessing an aggressor (‘scatter’ style), are optimal,” the investigators reported.
ZenHammer holds the unique distinction of being the initial method to induce bit changes on DDR5 chip-equipped systems utilizing AMD’s Zen 4 microarchitectural platform. However, it only operates on one of the ten tested devices, the Ryzen 7 7700X.
Notably, DDR5 DRAM modules were once thought to be impervious to RowHammer attacks because they substituted TRR with refresh management, a novel form of protection.
“The changes in DDR5, such as improved RowHammer mitigations, on-die error correction code (ECC), and a higher refresh rate (32 ms), make it harder to trigger bit flip,” according to the investigators.
“We need more work to better understand the potentially new RowHammer mitigations and their security guarantees, given the lack of bit flips on nine out of 10 DDR5 devices.”
AMD stated in a security bulletin that it is evaluating RowHammer bit changes on DDR5 devices and will deliver an update once the evaluation is complete.
“AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications,” according to the company. “Susceptibility to RowHammer attacks varies based on the DRAM device, vendor, technology, and system settings.”