Cybersecurity researchers at ETH Zurich have developed a new variant of the RowHammer DRAM (Dynamic Random Access Memory) attack that, for the first time, successfully targets AMD Zen 2 and Zen 3 systems despite mitigation measures such as Targeted Row Refresh (TRR).
The researchers said: “This result proves that AMD systems are equally vulnerable to Rowhammer attacks as Intel systems, which greatly increases the attack surface considering that AMD currently has about 36% market share in x86 desktop CPUs.”
The technology, codenamed ZenHammer, can also trigger RowHammer bit flips on DDR5 devices for the first time.
RowHammer, first publicly disclosed in 2014, is a well-known attack that exploits DRAM’s memory cell architecture to alter data by repeatedly accessing specific rows (also known as hammering), causing a cell’s charge to leak into neighboring cells.
This can cause random bit flips (from 0 to 1, or vice versa) in adjacent memory rows, thereby changing memory contents and potentially facilitating privilege escalation, compromising system credentials, integrity, and availability.
These attacks exploit the physical proximity of cells in the memory array, a problem that is likely to become more severe as DRAM technology scales and storage density increases.
Researchers at ETH Zurich noted in a paper published in November 2022: “As DRAM continues to scale, RowHammer bit flips may occur at smaller activation counts, so DRAM row activation rates for benign workloads may approach or even exceed the RowHammer threshold.”
“As a result, even if no malicious party performs a RowHammer attack on the system, the system may experience bit flips or frequently trigger RowHammer defense mechanisms, resulting in data corruption or significant performance degradation.”
One of the key mitigations implemented by DRAM manufacturers against RowHammer is TRR, an umbrella term for mechanisms that refresh targeted rows that are determined to be accessed frequently.
The idea is to issue additional refresh operations so that a victim row is either refreshed before a bit flip occurs or corrected after a bit flip caused by a RowHammer attack.
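As an added illustration (not the researchers' code), the following toy Python model of a DRAM bank shows why TRR helps: each row activation disturbs the two physically adjacent rows, and a TRR-style tracker periodically refreshes the neighbours of the most frequently activated rows. The flip threshold, the TRR interval and the tracker size are constructed assumptions, not values from any real device.

```python
from collections import Counter

# Constructed model parameters; real thresholds vary per DRAM device.
FLIP_THRESHOLD = 20_000   # disturbance a victim row tolerates before a cell flips
TRR_INTERVAL = 8_192      # activations between TRR checks (stands in for a refresh window)
TRR_TRACKED = 2           # hot rows whose neighbours TRR refreshes per interval


class DramBank:
    """Simulates one DRAM bank: activating a row leaks charge into its two neighbours."""

    def __init__(self, rows: int, trr: bool) -> None:
        self.rows = rows
        self.trr = trr
        self.disturbance = [0] * rows          # accumulated leakage per row
        self.activations: Counter = Counter()  # per-row activation counts seen by TRR
        self.flipped: set = set()              # rows whose cells crossed the threshold
        self.since_trr = 0

    def refresh(self, row: int) -> None:
        """A refresh restores the row's cells, clearing accumulated disturbance."""
        if 0 <= row < self.rows:
            self.disturbance[row] = 0

    def activate(self, row: int) -> None:
        self.activations[row] += 1
        for victim in (row - 1, row + 1):      # physically adjacent rows leak charge
            if 0 <= victim < self.rows:
                self.disturbance[victim] += 1
                if self.disturbance[victim] >= FLIP_THRESHOLD:
                    self.flipped.add(victim)
        self.since_trr += 1
        if self.trr and self.since_trr >= TRR_INTERVAL:
            self.trr_check()

    def trr_check(self) -> None:
        """TRR: refresh the neighbours of the most frequently activated rows."""
        for hot, _ in self.activations.most_common(TRR_TRACKED):
            self.refresh(hot - 1)
            self.refresh(hot + 1)
        self.activations.clear()
        self.since_trr = 0


def double_sided_hammer(trr: bool, victim: int = 10, count: int = 100_000) -> set:
    """Alternately activate the rows above and below `victim`; return the flipped rows."""
    bank = DramBank(rows=32, trr=trr)
    for _ in range(count):
        bank.activate(victim - 1)
        bank.activate(victim + 1)
    return bank.flipped
```

Without TRR the victim row and the outer neighbours of the two aggressors all cross the threshold; with the tracker enabled, every hot row's neighbours are refreshed long before that happens.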
ZenHammer, like TRRespass and SMASH, bypasses TRR guardrails by reverse-engineering the secret DRAM address functions in AMD systems and employing improved refresh synchronization and scheduling of flush and fence instructions, triggering bit flips on seven out of 10 sample Zen 2 devices and six out of 10 Zen 3 devices.
The study also derived the optimal sequence of hammering instructions to increase row activation rates, thereby promoting more effective hammering.
“Our results suggest that using CLFLUSHOPT to purge the attacker from the cache with periodic loads (MOV), issued immediately after accessing the attacker (‘dispersed’ style), is the best option,” the researchers said.
ZenHammer is unique in that it is the first method to trigger bit flips on systems equipped with DDR5 chips on the AMD Zen 4 microarchitecture platform. That said, it only works on one of the 10 test devices (Ryzen 7 7700X).
It’s worth noting that DDR5 DRAM modules were previously considered immune to RowHammer attacks because they replaced TRR with a new type of protection called refresh management.
“Changes in DDR5, such as improved RowHammer mitigation, on-chip error correcting code (ECC), and higher refresh rates (32 milliseconds), make triggering bit flips more difficult,” the researchers said.
“Given that 9 out of 10 DDR5 devices lack bit flipping, more work needs to be done to better understand potential new RowHammer mitigations and their security guarantees.”
AMD said in a security advisory that it is evaluating RowHammer bit flipping on DDR5 devices and will provide an update when completed.
“AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications,” it added. “Susceptibility to RowHammer attacks varies by DRAM device, vendor, technology and system settings.”