Academic researchers have devised a new variant of Rowhammer attacks that bypasses the latest protection mechanisms on DDR5 memory chips from SK Hynix.
A Rowhammer attack works by repeatedly accessing (hammering) specific rows of memory cells at high speed so that the resulting electrical interference alters the value of bits in nearby rows from one to zero or vice versa (bit flipping).
An attacker could potentially corrupt data, increase their privileges on the system, execute malicious code, or gain access to sensitive data.
One defense mechanism against Rowhammer attacks is called Target Row Refresh (TRR), which prevents bit flips by issuing an extra refresh command when detecting frequent accesses to a particular row.
Hammering DDR5 for privilege escalation
A team of researchers in the Computer Security Group (COMSEC) at ETH Zurich University in Switzerland and Google created a new DDR5 Rowhammer attack they call Phoenix, which can flip bits in memory chips to enable malicious activity.
The tests were carried out on DDR5 products from Hynix, one of the largest memory chip makers with an estimated 36% of the market, but the security risk may extend to products from other vendors as well.
After reverse-engineering the complex protections that Hynix implemented against Rowhammer and learning how they worked, the researchers discovered that certain refresh intervals were not sampled by the mitigation, which could be exploited.
They also developed a method for Phoenix to track and synchronize with thousands of refresh operations by self-correcting when it detects a missed one.
To evade TRR protections, the Rowhammer patterns in the Phoenix attack cover 128 and 2608 refresh intervals and hammer specific activation slots only at precise moments.
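The sampling gap described above can be illustrated with a toy model. The following is an added example, not code from the Phoenix researchers, ETH Zurich, Google or SK Hynix: it simulates DRAM rows whose neighbours accumulate disturbance on every activation, a periodic refresh, and a TRR-style tracker that only counts activations during the refresh intervals it samples. The thresholds, the refresh window, the two sampling schedules and the access patterns are all constructed assumptions, and real TRR implementations are far more involved than this.

```python
"""Toy model of a sampling-based Target Row Refresh (TRR) mitigation.

Constructed illustration, not code from the Phoenix researchers or from any
DRAM vendor: the thresholds, the refresh window and the sampling schedules
are invented to show why a tracker that skips refresh intervals can miss a
hammering pattern that a full-coverage tracker would catch.
"""
from collections import defaultdict

FLIP_THRESHOLD = 8     # constructed: disturbances a victim row absorbs within one refresh window before a bit flips
TRR_THRESHOLD = 4      # constructed: activations the tracker must observe on one row before it refreshes that row's neighbours
REFRESH_WINDOW = 16    # constructed: every row receives its periodic refresh once per 16 refresh intervals


class TrrModel:
    """DRAM rows plus a tracker that only watches the refresh intervals it samples."""

    def __init__(self, n_rows, is_sampled):
        self.n_rows = n_rows
        self.is_sampled = is_sampled          # interval index -> bool: does the tracker observe this interval?
        self.disturb = [0] * n_rows           # disturbance accumulated by each row since it was last refreshed
        self.seen = defaultdict(int)          # activations per row as counted by the tracker
        self.flips = set()                    # rows whose disturbance crossed FLIP_THRESHOLD
        self.trr_refreshes = 0                # how many times the tracker issued an extra refresh

    def _refresh(self, row):
        if 0 <= row < self.n_rows:
            self.disturb[row] = 0

    def activate(self, interval, row):
        # Physical effect: every activation disturbs both neighbouring rows.
        for victim in (row - 1, row + 1):
            if 0 <= victim < self.n_rows:
                self.disturb[victim] += 1
                if self.disturb[victim] >= FLIP_THRESHOLD:
                    self.flips.add(victim)
        # Mitigation: the tracker only counts what happens in sampled intervals.
        if self.is_sampled(interval):
            self.seen[row] += 1
            if self.seen[row] >= TRR_THRESHOLD:
                self._refresh(row - 1)
                self._refresh(row + 1)
                self.seen[row] = 0
                self.trr_refreshes += 1

    def end_interval(self, interval):
        # Periodic refresh: once per window, every row is restored.
        if (interval + 1) % REFRESH_WINDOW == 0:
            self.disturb = [0] * self.n_rows


def run(pattern, is_sampled, n_rows=8):
    """pattern maps a refresh-interval index to the rows activated during it.

    Returns (rows that flipped, number of extra refreshes the tracker issued).
    """
    model = TrrModel(n_rows, is_sampled)
    for interval in range(max(pattern) + 1):
        for row in pattern.get(interval, []):
            model.activate(interval, row)
        model.end_interval(interval)
    return sorted(model.flips), model.trr_refreshes


# Constructed sampling schedules: one watches every interval, the other skips three of every four.
def full_coverage(interval):
    return True


def every_fourth(interval):
    return interval % 4 == 0


# Constructed access patterns against aggressor row 3 (its neighbours are rows 2 and 4).
UNIFORM = {i: [3, 3] for i in range(8)}                 # two activations in each of eight intervals
BLIND_SPOTS_ONLY = {i: [3, 3, 3] for i in (1, 2, 3)}    # activity confined to intervals every_fourth never observes


if __name__ == "__main__":
    print("full coverage, uniform:", run(UNIFORM, full_coverage))              # ([], 4)
    print("gapped sampler, uniform:", run(UNIFORM, every_fourth))              # ([2, 4], 1)
    print("gapped sampler, blind spots only:", run(BLIND_SPOTS_ONLY, every_fourth))  # ([2, 4], 0)
```

The three runs make the design point for anyone evaluating a mitigation: with full coverage the tracker's count matches the physical disturbance and it refreshes the neighbours well before the flip threshold; once the tracker skips intervals, its count lags reality, so the same uniform pattern flips bits before the tracker reacts, and a pattern confined to the unobserved intervals is never counted at all. The lesson is that a sampling-based defense is only as strong as its weakest refresh interval, which is why full-coverage tracking matters.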