Major security vulnerabilities found in DRAM

November 15, 2021 // By Nick Flaherty
Researchers at ETH Zurich tested 40 DRAM memory modules and found major vulnerabilities

Researchers in Switzerland have discovered major vulnerabilities in DRAM memory devices.

The team at ETH Zurich found that potentially harmful bit errors can be induced by “hammering” different memory rows at different frequencies. The vulnerabilities have now been published together with the Swiss National Cyber Security Centre, which for the first time has assigned an identification number for it.

The team, led by Kaveh Razavi at ETH Zurich, together with colleagues at the Vrije Universiteit Amsterdam and Qualcomm Technologies, discovered the fundamental vulnerabilities they call Blacksmith. The vulnerability ranks 9 on a scale of 1 to 10.

“An underlying, well-known problem with DRAMs is called Rowhammer and has been known for several years,” said Razavi. By repeatedly activating – or “hammering” – a memory row (the “aggressor”), an attacker can induce bit errors in a neighbouring row, also called the “victim” row. That bit error can then, in principle, be exploited to gain access to restricted areas inside the computer system – without relying on any software vulnerability.

“This is an unavoidable consequence of the constantly increasing density of electronic components on the DRAM chips”, says Patrick Jattke, a PhD student in Razavi’s group at the Department for Information Technology and Electrical Engineering.

“After Rowhammer was first discovered around ten years ago, chip manufacturers implemented mitigation measures inside the DRAM modules in order to solve the problem,” said Razavi. “Unfortunately, the problem still hasn’t been solved.”

This Target Row Refresh (TRR) mitigation consists of different circuits built into the memory that can detect unusually high activation frequencies of particular rows and hence guess where an attack is being launched. As a countermeasure, a control circuit then refreshes the presumed victim row prematurely and hence forestalls possible bit errors. Previous work showed real-world Rowhammer attacks are practical, for example, in the browser using JavaScript, on smartphones, across Virtual Machines in the cloud, and even over the network.

Razavi and his colleagues found that this hardware-based “immune system” only detects rather simple attacks, such as double-sided attacks, where the two memory rows adjacent to a victim row are targeted, but can still be fooled by more sophisticated hammering. They devised software called “Blacksmith” that systematically tries out complex hammering patterns in which different numbers of rows are activated with different frequencies, phases and amplitudes at different points in the hammering cycle. After that, it checks whether a particular pattern led to bit errors.
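The two paragraphs above describe a counter-based mitigation (TRR watches for rows with unusually high activation counts and refreshes their neighbours early) and a class of patterns that spreads activations over more rows than such a mitigation can follow. The following Python model, added here as an illustration and not code from ETH Zurich or the Blacksmith project, makes that argument concrete from the mitigation designer's side: it replays an activation pattern for one refresh window against a toy TRR tracker with a fixed number of counters and reports which rows accumulated enough neighbour activations to flip. Every parameter (window length, flip threshold, trigger count, the tracker's eviction policy, and the patterns themselves) is a constructed assumption, not a measurement from any real module.

```python
from collections import defaultdict

# Constructed model parameters; none of these values come from the article.
WINDOW = 40_000          # activations replayed per refresh interval in the model
FLIP_THRESHOLD = 10_000  # neighbour activations a row tolerates before a bit flips (assumed)
TRR_TRIGGER = 2_000      # tracked-row count at which the model TRR refreshes neighbours (assumed)


class TrrTracker:
    """Toy Target Row Refresh: a small table of per-row activation counters.

    Hypothetical design, not any vendor's circuit. When a tracked row reaches
    `trigger` activations, its two neighbours (the presumed victims) are
    refreshed early and its counter restarts. When the table is full, the
    least-activated tracked row is evicted to make room (assumed policy).
    """

    def __init__(self, capacity, trigger=TRR_TRIGGER):
        self.capacity = capacity
        self.trigger = trigger
        self.counts = {}  # row -> activations seen since the counter was (re)started

    def activate(self, row):
        """Record one activation of `row`; return the rows to refresh early, if any."""
        if row not in self.counts:
            if len(self.counts) >= self.capacity:
                # Table full: drop the tracked row with the fewest activations
                # (ties resolve to the oldest entry, since dicts keep insertion order).
                evict = min(self.counts, key=self.counts.get)
                del self.counts[evict]
            self.counts[row] = 0
        self.counts[row] += 1
        if self.counts[row] >= self.trigger:
            self.counts[row] = 0
            return [row - 1, row + 1]
        return []


def simulate(pattern, capacity, window=WINDOW, threshold=FLIP_THRESHOLD):
    """Replay `pattern` round-robin for one refresh window against a tracker
    with `capacity` counters. Returns the set of rows whose accumulated
    neighbour activations reached the flip threshold before being refreshed."""
    trr = TrrTracker(capacity)
    disturbance = defaultdict(int)  # row -> activations of its neighbours since its last refresh
    flipped = set()
    for i in range(window):
        row = pattern[i % len(pattern)]
        # Each activation disturbs the two physically adjacent rows.
        for neighbour in (row - 1, row + 1):
            disturbance[neighbour] += 1
            if disturbance[neighbour] >= threshold:
                flipped.add(neighbour)
        # An early refresh restores the row's charge, so its disturbance count restarts.
        for refreshed in trr.activate(row):
            disturbance[refreshed] = 0
    return flipped


if __name__ == "__main__":
    double_sided = [10, 12]                    # two aggressors around victim row 11
    spread = [10, 12, 14, 16, 18, 20]          # activations spread over six rows
    print("double-sided, 4 counters:", sorted(simulate(double_sided, capacity=4)))
    print("six rows, 4 counters:    ", sorted(simulate(spread, capacity=4)))
    print("six rows, 6 counters:    ", sorted(simulate(spread, capacity=6)))
```

With four counters the tracker catches the double-sided pattern (no row flips), but the six-row pattern keeps evicting entries before any counter reaches the trigger, so the rows between the aggressors flip; giving the tracker six counters protects them again. The useful reading for a defender is the last comparison: a counter-based mitigation is only as strong as the number of rows it can follow at once, which is exactly the gap the article says Blacksmith's varied patterns exploit.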

“We saw that for all of the 40 different DRAM memories we tested, Blacksmith could always find a pattern that induced Rowhammer bit errors,” he said.

As a consequence, current DRAM memories are potentially exposed to attacks for which there is no line of defence until chip manufacturers find ways to update mitigation measures on future generations of DRAM chips.

“We obviously want to make the world safer, and we believe that it is important that potential victims be aware of this kind of threat so that they can make informed choices,” said Razavi. These victims are unlikely to be ordinary users, as there are much simpler ways to hack most computers, but he points to nation states or powerful organisations that could use such attacks against high-profile targets. To give producers time to react to the new vulnerabilities, Razavi and his colleagues already informed them several months ago.

In the future, the ETH researchers want to explore even more sophisticated ways of inducing bit errors. That could help chip manufacturers to test their devices and address all possible hammering attacks. “Of course, although we are releasing code that shows how to trigger bit errors, we are not currently disclosing any code that abuses these errors,” said Razavi.

Blacksmith project page: comsec.ethz.ch/research/dram/blacksmith/
Swiss Support Center for Cybersecurity (SSCC)

Picture: Some of the DRAM modules tested by ETH Zurich with Blacksmith
