[German]Security researchers from ETH Zürich has developed a new Rowhammer technique – using fuzzing – to bypass DDR4 memory protections and flip memory cells. That technique, called Blacksmith, allows an unprivileged process to change or corrupt data stored in RAM cells. This new technique also allows to bypass DDR4 memory protections methods developed so far.
Advertising
Rowhammer is the name of a vulnerability caused by leaking charges in DRAM cells allowing an attack method developed a few years ago to access RAM memory cells from an unprivileged process and flip cells (1s turn to 0s and vice versa – see Design flaw in Intel CPUs set operating systems at risk). DRAM is uses in notebooks, smartphones, tablet pcs and many more electronic devices to store data volatile. To stop Rowhammer, DRAM implements a mitigation known as Target Row Refresh (TRR).
Now security researchers from ETH Zurich, led by Kaveh Razavi, has developed together with colleagues at Vrije Universiteit Amsterdam and Qualcomm Technologies, a new Rowhammer technique, called Blacksmith. Using fuzzing, they was able to bypass DDR4 memory protections and flip memory cells for all 40 DDR4 RAM chip types.
Their previous work showed that the new n-sided patterns can still trigger bit flips on 31% of today's PC-DDR4 devices. They then proposed a new highly effective approach for crafting non-uniform and frequency-based Rowhammer access patterns that can bypass TRR from standard PCs. They have implement these patterns in a Rowhammer fuzzer named Blacksmith and show that it can bypass TRR on 100% of the PC-DDR4 DRAM devices in a test pool. Further, their work provides new insights on the deployed mitigations, as they discussed here. Arstechica and Bleeping Computer has articles with a summary of the new technique. The following video shows the technique.
(Source: YouTube)
Advertising
Their research findings, discussed within this article, have been accepted for publication at a prestigious IT security conference, and the National Cyber Security Center (NCSC) has assigned a CVE (Common Vulnerabilities and Exposures) number to them. This is the first time a CVE identification number has been assigned by the NCSC in Switzerland (see box below). On a scale of 0 to 10, the severity of the vulnerability was rated 9. This has serious consequences, because the researchers was able, to gain unrestricted access to all physical memory by flipping bits in the page table entry. This allowed it to change data and retrieve also a 2048-bit encryption key out of memory.
