When we speak of security exploits, we usually refer to software that take advantage of vulnerabilities in other software. Rowhammer, however, is a rare breed. Discovered almost exactly a year ago, it involved software exploiting vulnerability in hardware, in this case, dual in-line memory modules or DIMMs, in order to affect a change in software. The exploit had chip makers scrambling to get the latest DDR4 chips out the door. But apparently, the security comforts they offered were based on a presumption that researchers are now proving to be false.
DDR4 is currently the latest RAM technology available to the consumer market. Most marketing materials will mention its speed advantages over the previous but still in use DDR3. But to system administrators and security experts, DDR4 also offered another advantage. In theory, it included technology that rendered Rowhammer exploits useless. At least, in theory.
Rowhammer was a rather unique tactic that employed a phenomenon called bitflipping. All computer data and processes can be boiled to bits, 0s and 1s. Bitflipping would “flip” these values, turning 0s to 1s and vice versa, by hammering rows of data, hence the name, on the DIMM until it flips the values. It might sound innocuous, but Google’s Project Zero vulnerability team demonstrated how targeting certain regions in memory could, eventually, give programs admin privileges or bypass software security measures.
DDR3 was found to be particularly susceptible to this bitflipping phenomenon. DDR manufacturers then started touting the DDR4 to be more robust and better protected against Rowhammer, employing techniques such as targeted row refresh (TRR) that made DIMMs more resilient to hammering attacks. Even later DDR3 chips were enhanced with features such as error-correction code or ECC to address Rowhammer. At the Semicon China Conference, Texas-based company Third I/O delivered a paper that said otherwise. It ran tests on both enterprise-grade DDR3 as well as DDR4, using Rowhammering techniques not employed since last year’s discovery. The result was that DDR4 chips were found to be just as vulnerable as the previous generation. None of those, save for Taiwanese G.Skill’s chips, were immune from Rowhammer.
The good news is that an actually exploit for Rowhammer doesn’t yet exist outside labs, making it less likely to be the next widespread malware. Third I/O, however, would like DDR manufacturers to review the situation and not to be overly confident that they have solved the Rowhammer problem for good.
VIA: Ars Technica