A 'ZenHammer' attack has been discovered that causes problems by interfering with the DRAM of devices equipped with AMD Zen processors. Is it a variant of the 'Rowhammer' attack?



It has long been known that there is a 'Rowhammer attack' that interferes with DRAM memory cells and intentionally causes defects, and a protection function called 'TRR (Target Row Refresh)' has been introduced to DDR4 memory as a countermeasure. However, it has been pointed out that even TRR may be broken. Security researchers have now discovered a new variant, ZenHammer, that also affects memory running on devices equipped with AMD Zen-based CPUs, which were previously thought to be less vulnerable to Rowhammer attacks.

ZenHammer: Rowhammer Attacks on AMD Zen-based Platforms - zenhammer_sec24.pdf
https://comsec.ethz.ch/wp-content/files/zenhammer_sec24.pdf

ZenHammer: Rowhammer Attacks on AMD Zen-based Platforms - Computer Security Group
https://comsec.ethz.ch/research/dram/zenhammer/

New ZenHammer memory attack impacts AMD Zen CPUs
https://www.bleepingcomputer.com/news/security/new-zenhammer-memory-attack-impacts-amd-zen-cpus/

A Rowhammer attack is an attack method that exploits the physical characteristics of DRAM and repeatedly interferes with (hammers) specific areas of memory cells through read and write operations to alter data.

Memory cells store each bit of information as an electrical charge representing 1 or 0, but in rare cases, the charge state of adjacent columns may change due to interference (a bit flip). Due to the high density of memory cells in modern chips, the frequency of bit flips is increasing, making it easier for Rowhammer attacks to intentionally cause defects. By inducing bit flips in specific areas, an attacker can access sensitive data or escalate privileges.

Although this attack has been demonstrated on Intel and Arm chips, it was generally believed that the attack was unlikely to be realized on chips based on AMD's Zen architecture because of the difficulty of analysis.

However, researchers at ETH Zurich have discovered a new attack method called 'ZenHammer' that carries out Rowhammer attacks on DDR4 memory on devices equipped with AMD Zen 2 and Zen 3 CPUs, and it has become clear that the attack can also be realized on Zen architecture chips.



Researchers at ETH Zurich reverse engineered AMD's technology, which was previously thought to be less vulnerable, and inferred that bit flips could also occur in DDR4 memory on devices with AMD Zen 2 and Zen 3 CPUs. When they conducted attack tests based on this, the attack succeeded on 7 out of 10 Zen 2-equipped devices and 6 out of 10 Zen 3-equipped devices.

Furthermore, when they reverse engineered AMD Zen 4's DRAM functionality and tested the ZenHammer attack on 10 devices equipped with DDR5 memory, they were able to cause a bit flip on one device. This is said to be the first public report of bit flips occurring in DDR5, but the researchers admitted that they were unable to cause bit flips in 9 out of 10 devices, and concluded that further research is needed to find out whether DDR5 memory is vulnerable.



The researchers said, "These results prove that AMD systems are just as vulnerable to Rowhammer as Intel systems, and that AMD's market share in today's x86 desktop CPUs is approximately 36%." "This significantly increases the attack surface. This poses a significant risk as unchecked DRAM cannot be easily remediated."

After receiving the report from the researchers, AMD said, "We are reviewing the study and will update you once it is complete."

in Hardware, Security, Posted by log1p_kr