Rowhammer attack DRAM: evolution from the original to Blacksmith and bypass TRR

Depov

Moderator
Staff member
MODERATOR
ULTIMATE
SUPREME
PREMIUM
MEMBER
Joined
Feb 18, 2025
Messages
140
Reaction score
152
Deposit
0$
About 139 000 activations of the string-aggressor for a 64-millisecond refresh interval. It is necessary so much that the charge leakage in the next cell breaks the threshold voltage and turns the bit. Figure from the work of Kim et al. (Carnegie Mellon + Intel, ISCA 2014) - for the most vulnerable DDR3 modules in the test sample. The "softest" specimens up to one cell out of every 1700 was vulnerable. Since then, the Rowhammer attack DRAM has made its way from a laboratory curiosity to a full-fledged preferred escalation vector with two CVE category CRITICAL (CVSS 9.0): CVE-2020-10255 for TRRespass and CVE-2021-421114 for Blacksmith. Every time the memory manufacturers closed the next hole, the researchers found the following. The process is not over.
The location of the Rowhammer in the attack chain
Rowhammer - the technique of post-exploitation. The attacker already needs to execute the code on the target system, albeit with minimal privileges. In terms of MITRE AT&CK, it is Exploitation for Privilege Escalation (T1068, privilege-escalation): The unprivileged process through bit flip in the page table or in the kernel structures receives kernel-level access. With a successful bit flip in page table entry (PTE), the attacker achieves arbitrary reading and memory writing - Runtime Data Manipulation (T1565.003, Impact)

Full chain: initial access (malware JavaScript in the browser, execution of code in the guest VM, starting an unprivileged process) -> profiling of physical addressing DRAM -> cache bypass -> hammering target lines> bit flip -> substitution of PTE or kernel structure -> escalation to root/kernel. The final impact varies: from escaping from sandbox browser to escape from a virtual machine.

For the attacker, the Rowhammer is attractive in one property: it works without the operation of software vulnerabilities. The target software can be completely stuprored, the nucleus is in the current state. The vulnerability is inherent in silicon physics. The software has nothing to do with it.
Physics bit flip: how hardware memory vulnerability works
Each DRAM cell is a pair "capacitor + transistor". The capacitor stores a charge representing the bit of the data: charged = 1, discharged = 0 (depends on the coding scheme). The cells are combined into lines (rows), connected by a general word-line, and columns related to bit-line.

When activating the line (ACTIVATE command) word-lines the voltage on all transistors in the row, connecting capacitors to bit-line. The charge is transferred to the sense amplifier (row buffer), after which the data is restored back. This is a destructive reading - each activation triggers the discharge cycle and recharge of capacitors. When the connection to the line is complete, the PRECHARGE command deactivates word-line. The capacitors lose charge in a natural way (gate-induced drainage, subthroat), so all DRAM cells require a periodic refresh - usually every 64 ms through a dedicated REFRESH command.

The problem of Rowhammer arises from the electromagnetic interaction between physically adjacent lines. With repeated rapid activation of the string-aggressor, its word-line creates a tip on the word-line of the neighboring string-victim. This speeds up the charge leakage from the victim's capacitors. If the speed of the leakage exceeds the refrish speed, the capacitor crosses the threshold voltage - the bit turns over.

Three physical mechanisms described in the academic work on the study of DRAM:
1. Bridging is the formation of conductive channels between neighboring wire and capactor. Frequent switching word-line speeds up the charge flow between the associated cells
2. Electromagnetic communication - voltage change on the word-line aggressor indicates the noise on the neighboring word-line through a capacitive connection
3. Hot carrier injection - long-term switching of word-line leads to injection of hot media in the next lines, increasing the leak
With a decrease in the process (from 40 nm to 20 nm and below), the distance between the lines is reduced, the capacity of capacitors drops, the noise margin decreases. Each new generation of DRAM becomes more vulnerable to bit flip attacks. Manufacturers chase the density - and themselves exacerbate the problem.
Evolution of Rowhammer Attacks on DRAM
Single-sided and double-sided hammering
The original 2014 Rowhammer used single-sided hammerering: a cyclical appeal to one string-aggressor string for induction bit flip in adjacent lines. At x86 key reception - reset the cache line through clflush (or clflushopt, clwb), so that each appeal is guaranteed to go to DRAM, rather than serviced from L1/L2/L3. According to Red Hat, these instructions are unprivileged on the architectures i386 and x86_64 - hammering is available from a regular user process, from guest VM and even from JavaScript in the browser.
The Double-sided Hammering, demonstrated by the Google Project Zero in 2015, places a victim string between two aggressors. Variable activation of rows above and below the victim repeatedly increases the charge leakage rate and gives a significantly higher bit flip frequency compared to the single-sided option. At this stage, the attack has already received practical confirmation: Google Project Zero showed an escalation of privileges to root in GNU / Linux through the PTE substitution.

For both patterns, you need to know the physical layout of memory - what virtual addresses fall into which bank, row and column DRAM. The operating system does not disclose this information. The standard approach is the DRAMA technique (Pessl et al., USENIX Security 2016): reverse-engineering of DRAM functions through side addressing timing-channel. Two addresses in one bank, but in different lines they call row conflict and are served more slowly than two addresses in different banks. Measuring timing through rdtsc/rdtscp, you can restore the function of mapping virtual addresses to bank/row/column without root access.

Another accelerator is the vulnerability of SPOILER (specific for Intel processors starting from the 1st generation Core). Through speculative performance, it reveals the virtual-physical display of pages in the unprivileged process. According to Red Hat, SPOILER shortens the profiling phase from weeks to seconds. The difference is between the twist of the lock with a headbrush and the presence of a key.
Bypass TR protection: TRRespass and many-sided patterns (CVE-2020-10255)
DRAM manufacturers responded to the Rowhammer mechanism Target Row Refresh (TRR). The idea is simple: the hardware logic inside the chip tracks lines with an abnormally high activation frequency and forcibly refraction of their neighbors. The TRR can be implemented in the Memory Controller (IMC) or directly in the DRAM chip.

In practice, TRR turned out to be a zoo of proprietary implementations. Samsung, Micron and SK Hynix used different strategies without disclosing details. As TRRespass noted, “the solution that is considered a single one is actually a set of different solutions, united under the name TFR.” Worse, according to Red Hat, many machines with DDR4 TR chips are either missing or not included by default. Server platforms typically include TRR, and consumer systems may not have it at all.

In 2020, researchers from Vrije Universiteit Amsterdam and ETH Zurich presented TRRespass (CVE-2020-10255, CVSS 9.0, CRITICAL, CWE-20 - Improper Input Validation). The vulnerability affected DDR4 and LPDDR4 chips after Micron (DDR4 SDRAM, LPDDR4), Samsung (DDR4, LPDDR4) and SK Hynix (DDR4 SDRAM).

TRR is able to track a limited number of aggressors at the same time. If you use a large-sided pattern - at the same time hammerring of several strings-aggressors - the internal TR counters overflow, and part of the sentences of the victims remains without a protective refresh. TRRespass is a fuzzer for automatic selection of multiple-sided combinations for a specific implementation of TFR. In fact, the brothnake of blind areas of the defense mechanism.

CVSS-vector of both CVE (2020-10255 and 2021-42114) It is worth disassembled: AV:N/AC/C/PR:N/UI:S. AV:N (Network) in NVD rating reflects the worst-case scenario - delivery of the HTML-code via JavaScript/WebAssembly in the browser. A number of analysts consider AV:L more correct, since the attack requires the execution of the code on the target machine. AC:H (High Complexity) - the need to profil DRAM and select a pattern. S:C (Changed Scope) - going beyond the privileges of the current context.
Half-Doubble attack: bit flip through line DRAM
Before Half-Double, it was believed that Rowhammer acts only on directly adjacent lines (distance = 1 line). Google researchers in 2021 showed that with a fairly dense packing of cells bit flip, it occurs at a distance of two lines.

Mechanics: with three consecutive lines A, B and C, the attacker directs a massive number of addresses to string A and only a few dozen calls to string B. The result is bit flip in line C. Line B acts as a “conductor” of impact. As Google researchers have formulated: “the electromagnetic connection responsible for Rowhammer is a property of distance and is amplified as the geometry of cells decreases. The distance of more than two lines is also possible.”

The principal difference from TRRespass: Half-Doubble is the internal property of a silicon substrate, not a weakness of the specific implementation of the TFR. The TRR was designed to protect the aggressor’s immediate neighbors. If the effect reaches the lines through one - the defense mechanism simply does not cover the desired range. It's not a bug in the software, it's physics.
Blacksmith Rowhammer exploit: fusion non-uniform patterns (CVE-2021-421114)
Blacksmith (CVE-2021-421114CVSS 9.0, CRITICIL, CWE-20) is a work of researchers from ETH Zurich, Vrije Universiteit Amsterdam and Qualcomm Technologies, published in November 2021. The new class of non-uniform Rowhammer access patterns that bypass all the documented implementations of TRR on DDR4.

Key idea: instead of uniform hammering, all Blacksmith aggressors with the same frequency range three parameters for each pair of aggressors - Frequency (however time the string is activated) Phase (shift between activation cycles of different aggressors) and Amplitude (the number of activations in a row before switching). Synchronizing patterns with the REFRESH team, fuzzer grotes the "blind zones" of the TRR - moments when the protective mechanism is not able to properly process all the aggressors.

The result: Blacksmith caused bit flip to all 40 test modules PC-DDR4 from Samsung, Micron, SK Hynix and one unnamed manufacturer. According to the NVD, vulnerable products include the Samsung DDR4 SDRAM and LDDR4, as well as the Micron LDDR4. One hundred percent result is the sentence of THR as a concept.
Practical Reproduction: Requirements and Approach
Adjustments to the environment:
• System: x86_64 with DDR4 (PC-DDR4 or LPDDR4X)
• OS: Linux, kernel 4.15+ (support to the pages to simplify profiling)
• RAM: minimum 8 GB, recommended 16 GB (to highlight ≥1 huge GB of pages through /proc/sys/vm/nr_hugepages)
• Compiler: GCC/G++ ≥7.0, CMake ≥3.14
• Privileges: root to customize huge pages;hammering itself is performed without privileges
The core fuzzing-logics is built on the non-uniform distribution of appeals between the aggressors:
C:

for (int round = 0; round < total_rounds; round++) {
for (int i = 0; i < freq_A; i++) {
*(volatile uint64_t *)addr_aggr_A;
_mm_clflushopt(addr_aggr_A);
}
for (int j = 0; j < freq_B; j++) {
*(volatile uint64_t *)addr_aggr_B;
_mm_clflushopt(addr_aggr_B);
}
_mm_mfence();
}
The difference between uniform and non-uniform: in uniform-pattern freq_A == freq_B, in Blacksmith, each aggressor is assigned an individual frequency, phase and number of activations per round. It is this asymmetry that knocks down the THR algorithms, sharpened as symmetric access patterns. TRR awaits the same hammers - and gets jazz.
 
Top Bottom