Researchers at the ETH Zürich university in Switzerland have demonstrated that Rowhammer attacks can be conducted against dynamic random-access memory (DRAM) on systems powered by AMD Zen 2 and Zen 3 CPUs.
First discussed in 2014, Rowhammer attacks involve repeatedly accessing a row of memory in an effort to cause bit flips in adjacent rows. An attacker could use this technique to bypass memory protections, escalate privileges, and even to decrypt sensitive data. Researchers previously demonstrated that attacks can be launched remotely and against mobile devices.
The ETH Zürich researchers now claim to have achieved bit flips on DDR4 memory and for the first time ever even against DDR5. They targeted devices powered by AMD Zen 2 and Zen 3 processors, showing that AMD systems are “equally vulnerable to Rowhammer as Intel systems, which greatly increases the attack surface”.
The researchers claim such attacks, which they have dubbed ZenHammer, can be conducted despite Target Row Refresh (TRR) mitigations, which should detect and prevent Rowhammer attacks by refreshing victim rows before the bits can flip.
AMD said on Monday that it’s aware of the research. The company continues to investigate some of the claims and has provided recommendations for mitigating attacks.
The ZenHammer attack, which involves having access to the targeted system, was tested against 10 DDR4 modules from Samsung, Micron and SK Hynix. The experts successfully triggered bit flips on seven DRAM devices on Zen 2 and six DRAM devices on Zen 3 systems.
“We evaluated the exploitability of these bit flips based on three attacks from previous work: (i) an attack targeting the page frame number of a page table entry (PTE) to pivot it to an attacker-controlled page table page, (ii) an attack on the RSA-2048 public key that allows recovering the associated private key used to authenticate to an SSH host, (iii) and an attack on the password verification logic of the sudoers.so library that enables gaining root privileges,” the researchers explained.
As for the attack targeting DDR5, the researchers did manage to achieve bit flips on a single system that used AMD’s latest Zen 4 platform.
“This is the first public report of DDR5 bit flips on commodity systems in the wild,” the researchers said. “However, given that ZenHammer could not trigger flips on nine out of ten devices, we conclude that more research is necessary to find more effective patterns for DDR5 devices.”
The researchers said that while Rowhammer is a widely known issue, they did notify AMD one month prior to their disclosure.
AMD has published a security bulletin in response to the ZenHammer research, informing customers that it continues to assess the DDR5 attack claims.
The chip giant has also provided recommendations for mitigating Rowhammer-style attacks.
“AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications. Susceptibility to Rowhammer attacks varies based on the DRAM device, vendor, technology, and system settings. AMD recommends contacting your DRAM or system manufacturer to determine any susceptibility to this new variant of Rowhammer,” AMD said.
Additional details on the ZenHammer attack are available in a technical paper published by the researchers. They have also made available an open source ZenHammer fuzzer that can be used to check DRAM devices for bit flips on AMD Zen 2, 3 and 4 CPUs.
Related: Protected Virtual Machines Exposed to New ‘CacheWarp’ AMD CPU Attack
Related: Half-Double: Google Researchers Find New Rowhammer Attack Technique
Related: AMD CPU Vulnerability ‘Zenbleed’ Can Expose Sensitive Information
