Security researchers have recently developed a new fuzzing-based technique, called Blacksmith, that can “resurrect” Rowhammer attacks by bypassing the mitigations built into modern DRAM (Dynamic Random Access Memory) devices. Blacksmith was shown to readily produce working attacks against DDR4 modules.
Rowhammer is a hardware vulnerability that relies on charge leakage between adjacent memory cells: repeatedly accessing one row causes bits in neighbouring rows to flip from 1 to 0 or from 0 to 1, changing the contents of memory. These bit flips can be exploited to gain higher privileges. Because the corruption happens in the hardware itself, an attack leveraging Rowhammer can bypass all software-based security mechanisms, resulting in privilege escalation, memory corruption and more.
This attack method was discovered in 2014, and over time the Rowhammer vulnerability became a widespread problem. Manufacturers implemented a set of mitigations called Target Row Refresh (TRR), and the new DDR4 modules of the time were considered immune to the attack. In March 2020, however, academic researchers demonstrated that these bit-flip mitigations could be bypassed.
To do so, the researchers developed a fuzzing-based technique targeting TRR, dubbed TRRespass, which successfully found usable Rowhammer access patterns.
Fuzz testing finds a new way
TRRespass found 14 working patterns across the 40 DIMMs tested, a success rate of about 37.5%. Blacksmith, by contrast, found a working Rowhammer pattern on every DIMM tested. The researchers' trick this time was not to hammer with the uniform access patterns earlier attacks relied on, but to explore non-uniform patterns that can slip past TRR.
The team used order, regularity and strength parameters to design frequency-based Rowhammer access patterns, which were then fed to the Blacksmith fuzzer to find working values. After running for 12 hours, the fuzzer produced optimal parameters for the attack, with which the researchers were able to trigger bit flips across a 256 MB contiguous memory region.
To show that this is exploitable in a real-world scenario, the team carried out a test attack that successfully recovered the private key of the RSA-2048 key pair used to authenticate an SSH host.
Ultimately, the researchers put the DRAM vendors' claim that “Rowhammer is preventable and controllable” to the test and found that none of the currently deployed mitigations fully protects against Rowhammer attacks. The new patterns show that attackers can break into systems more easily than before. Comsec further found that while ECC DRAM makes exploitation more difficult, such modules are still not immune to all Rowhammer attacks.
DDR5 may be more secure
Newer DDR5 DRAM modules are now available on the market, and adoption will accelerate over the next few years. On DDR5, Rowhammer may be less of a concern, because TRR is replaced by “refresh management”, a mechanism that tracks activations in each bank and selectively refreshes once a threshold is reached. This means that large-scale fuzzing against DDR5 DRAM devices will be harder and potentially far less efficient, but that remains to be seen.
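The following is an added illustration of the activation-counting idea behind refresh management; it is not code from the Blacksmith researchers or from any DRAM vendor, and it deliberately simplifies the mechanism. The model assumes one per-bank counter that increments on every row activation (ACT), a management refresh that is issued when the counter reaches a threshold and covers every row activated since the previous event, and a constructed threshold value of 32 that is not a JEDEC parameter. The point it makes is the one the article hints at: because the counter is per bank rather than per tracked row, no single row can receive more than `threshold` activations between two refreshes, no matter whether the access pattern is uniform (two rows alternating, as in classic double-sided hammering) or non-uniform (many rows at different rates, as Blacksmith explores), so a fuzzer has far less room to find a pattern that evades the mitigation.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple


class RefreshManagedBank:
    """One DRAM bank under a simplified activation-counting policy.

    Every ACT increments a per-bank counter; when the counter reaches the
    management threshold the device performs a management refresh of the rows
    it considers at risk and the counter is cleared. Model assumption (not a
    spec detail): the refresh covers every row activated since the last event.
    """

    def __init__(self, threshold: int) -> None:
        if threshold <= 0:
            raise ValueError("threshold must be positive")
        self.threshold = threshold
        self.activations = 0                 # per-bank ACT count since last management event
        self.row_hits: Counter = Counter()   # per-row ACT count since last management event
        self.events: List[List[int]] = []    # rows covered by each management refresh

    def activate(self, row: int) -> bool:
        """Apply one ACT to `row`. Returns True if it triggered a management refresh."""
        self.activations += 1
        self.row_hits[row] += 1
        if self.activations >= self.threshold:
            self.events.append(sorted(self.row_hits))
            self.activations = 0
            self.row_hits.clear()
            return True
        return False


def simulate(pattern: Iterable[int], threshold: int) -> Tuple[int, int]:
    """Drive a bank with an ACT sequence.

    Returns (peak, events): the largest number of ACTs any single row received
    between two management refreshes, and how many refreshes were issued.
    """
    bank = RefreshManagedBank(threshold)
    peak = 0
    for row in pattern:
        peak = max(peak, bank.row_hits[row] + 1)  # count this ACT before a possible clear
        bank.activate(row)
    return peak, len(bank.events)


def uniform_pattern(rows: List[int], repeats: int) -> List[int]:
    """Classic (uniform) hammering: cycle through the same rows at an equal rate."""
    return [r for _ in range(repeats) for r in rows]


def nonuniform_pattern(weights: Dict[int, int], repeats: int) -> List[int]:
    """Non-uniform access (constructed): row r appears weights[r] times per period."""
    period = [r for r, w in weights.items() for _ in range(w)]
    return period * repeats


if __name__ == "__main__":
    THRESHOLD = 32  # constructed example value, not a JEDEC parameter
    for name, pat in [
        ("single row", uniform_pattern([7], 1000)),
        ("two rows", uniform_pattern([10, 12], 1000)),
        ("non-uniform", nonuniform_pattern({10: 5, 12: 3, 30: 1}, 300)),
    ]:
        peak, events = simulate(pat, THRESHOLD)
        print(f"{name:12s} peak ACTs per row between refreshes = {peak:3d}, refreshes = {events}")
```

Running the block shows that the single-row stream hits exactly the threshold (32) before each refresh, the alternating two-row stream peaks at 16, and the non-uniform stream lands in between; in every case the peak is bounded by the threshold, which is what a sampling-based TRR that only watches a few aggressor rows cannot guarantee against patterns with many aggressors.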