"Serious Security Vulnerabilities in DRAM Devices"
Researchers from ETH Zurich, Vrije Universiteit Amsterdam, and Qualcomm Technologies discovered serious vulnerabilities in DRAM devices widely used in computers, tablets, and smartphones. Rowhammer has been an underlying problem with DRAM for several years. It is an attack that exploits a fundamental weakness of DRAM. All data stored in DRAM is volatile and must be refreshed more than ten times per second because DRAM chips use only a single capacitor-transistor pair to store and access one bit of information. Over time, the capacitors leak charge. Once a capacitor has leaked too much charge, the computer can no longer tell whether the stored bit was 1 or 0. In addition, each time a memory row is activated to be read or written, the currents flowing inside the chip can cause the capacitors in neighboring rows to leak charge faster. This has been pointed out as an unavoidable consequence of the continuously growing density of electronic components on DRAM chips. An attacker can repeatedly activate, or "hammer", a memory row to induce bit errors in a neighboring row. In principle, such a bit error can be exploited to gain access to a computer's restricted areas. Following the discovery of Rowhammer, chip manufacturers tried to solve the problem by implementing mitigation measures in DRAM modules. However, the problem remains: the researchers found that the Target Row Refresh (TRR) mitigation developed to address Rowhammer is weak. TRR involves different circuits built into the memory that can detect unusually high activation frequencies of certain rows and thereby guess where an attack is occurring. As a countermeasure, a control circuit refreshes the presumed victim row prematurely, forestalling possible bit errors. The researchers found that this hardware-based immune system only detects simple attacks.
They devised software called Blacksmith, which systematically tries out complex hammering patterns at different points in the hammering cycle and then checks whether a particular pattern led to bit errors. For all of the 40 different DRAM devices tested, Blacksmith always found a pattern that induced Rowhammer bit errors. This article continues to discuss the testing of DRAM devices that led to the discovery of serious security vulnerabilities.
ETH Zurich reports "Serious Security Vulnerabilities in DRAM Devices"