BlackSmith Follows Row Hammer Attack
Share this:
Researchers have come up with yet another variation of the Rowhammer attack affecting all DRAM chips that bypasses currently deployed mitigations, thereby effectively compromising the security of the devices. dubbed Blacksmith CVE-2021-42114 is designed to trigger bit flips on target refresh rate-enabled DRAM chips with the help of novel “non-uniform and frequency-based” memory access patterns
Rowhammer refers to a fundamental hardware vulnerability that could be abused to alter or corrupt memory contents by taking advantage of DRAM’s tightly packed, matrix-like memory cell architecture to repeatedly access certain rows that induces an electrical disturbance large enough to cause the capacitors in neighboring rows to leak charge faster and flip bits stored in the “victim” rows adjacent to them.
A double-sided Rowhammer access pattern sandwiches a victim row in between two aggressor rows, maximizing the bit flips in the victim row. Another method called Half-Double, leverages the weak coupling between two memory rows that are not immediately adjacent to each other, but one row removed to tamper with data stored in memory and, in principle, even gain unfettered access to the system.
Modern memory modules come equipped with a dedicated in-memory defense mechanism called Target Row Refresh (TRR), which aims to detect the aggressor rows that are frequently accessed and refresh their neighbor before their charge leak results in data corruption, thus forestalling any possible bit flips.
Blacksmith is the latest work to join the list of methods that can completely circumvent TRR protections to activate bit errors on TRR-enabled DDR4 devices.
The approach identify complex non-uniform patterns in which different numbers of aggressor rows are hammered with different frequencies, phases and amplitudes that can still bypass TRR, with the study finding at least one pattern that triggered Rowhammer bit errors across 40 DDR4 devices from Samsung, Micron, SK Hynix, and an unnamed manufacturer.
With TRR being replaced by a new line of defense called “refresh management” in DDR5 DRAM modules, a mechanism that keeps track of activations in a bank and issues selective refreshes to highly activated rows once a threshold has been reached. The tendency in DRAM manufacturing is to make the chips denser to pack more memory in the same size which inevitably results in increased interdependency between memory cells, making Rowhammer an ongoing problem,
