A group of researchers from ETH Zurich, Vrije Universiteit Amsterdam and Qualcomm has published a new Rowhammer-class attack method that makes it possible to change the contents of individual bits in dynamic memory (DRAM). The attack has been given the code name Blacksmith and the identifier CVE-2021-42114. Many DDR4 chips that are protected against previously known Rowhammer-class methods are affected. A tool for testing systems for the vulnerability has been published on GitHub.
Recall that Rowhammer-class attacks distort the contents of individual memory bits by repeatedly reading data from neighbouring memory cells. Since DRAM is a two-dimensional array of cells, each consisting of a capacitor and a transistor, continuously reading the same memory region causes voltage fluctuations and anomalies that drain a small amount of charge from adjacent cells. If the reading is intense enough, an adjacent cell can lose so much charge that the next refresh cycle does not restore it to its original state, and the value stored in that cell changes.
To protect against Rowhammer, chip manufacturers introduced the TRR mechanism (Target Row Refresh), which guards against distortion of cells in adjacent rows. Because this defence was built on the principle of "security by obscurity", it did not fix the root cause and only defended against the known special cases, which made it easy to find ways around it. For example, in May Google presented the Half-Double method, against which TRR is ineffective, since that attack affects cells that are not directly adjacent to the target.
The new Blacksmith method offers a different way to bypass TRR, based on non-uniform accesses, at different frequencies, to two or more aggressor rows in order to induce charge leakage. To find memory access patterns that lead to charge leakage, the researchers developed a dedicated fuzzer that automatically selects attack parameters for a particular chip by varying the order, intensity and periodicity of the accessed cells.
Such an access pattern, which is not tied to the same cells, defeats current TRR implementations, which in one form or another come down to counting the number of repeated accesses to rows and initiating a refresh of the adjacent rows once a certain count is reached. In Blacksmith the access pattern is spread across several rows on different sides of the target, which produces charge leakage without any single row reaching the threshold.
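To make the last two paragraphs concrete, here is an added toy model (not code from the article or the Blacksmith project) of a DRAM bank with a counter-based TRR defence, written the way a mitigation designer would use it to check whether a counting policy catches a given activation pattern. Every parameter (row count, TRR threshold, tracking-table size, flip threshold) is a constructed value, not a real chip figure, and the disturbance model is deliberately simplified: each activation adds one unit of disturbance to the two physically adjacent rows, a targeted refresh resets that disturbance, and the TRR logic can only track a limited number of rows at once. A uniform double-sided pattern is caught by the counters; a pattern that spreads accesses over several rows at different rates is not, because the heavily accessed rows occupy the tracking slots while the rows next to the victim are never counted.

```python
"""Toy model of a counter-based TRR defence (constructed example, not real hardware).

Illustrates why per-aggressor counting with a small tracking table misses access
patterns that are spread non-uniformly over several rows. All numbers are made up.
"""

# Constructed parameters for the toy bank (assumptions, not real chip values).
NUM_ROWS = 32
TRR_THRESHOLD = 3000      # activations of one row before its neighbours get refreshed
TRR_TABLE_SIZE = 2        # how many rows the toy TRR logic can track at the same time
FLIP_THRESHOLD = 8000     # accumulated disturbance at which a victim row flips
REFRESH_WINDOW = 64000    # activations per periodic refresh; the model stops there


def neighbours(row):
    """Rows physically adjacent to `row` (only direct neighbours in this model)."""
    return [r for r in (row - 1, row + 1) if 0 <= r < NUM_ROWS]


def simulate(pattern, trr_threshold=TRR_THRESHOLD, table_size=TRR_TABLE_SIZE,
             flip_threshold=FLIP_THRESHOLD, window=REFRESH_WINDOW):
    """Replay an activation pattern (list of row numbers) and return the rows that flip.

    table_size=None models a TRR that can track every row (unlimited counters).
    """
    counters = {}                 # TRR tracking table: row -> activation count
    disturbance = [0] * NUM_ROWS  # charge loss accumulated per row since last refresh
    flipped = set()
    for row in pattern[:window]:
        # Each activation disturbs the adjacent rows; past the threshold the bit flips.
        for nb in neighbours(row):
            disturbance[nb] += 1
            if disturbance[nb] >= flip_threshold:
                flipped.add(nb)
        # TRR bookkeeping: a row is only counted if it holds (or can get) a table slot.
        if row in counters:
            counters[row] += 1
        elif table_size is None or len(counters) < table_size:
            counters[row] = 1
        # Once a tracked row hits the threshold, its neighbours are refreshed.
        if counters.get(row, 0) >= trr_threshold:
            for nb in neighbours(row):
                disturbance[nb] = 0
            counters[row] = 0
    return sorted(flipped)


def double_sided_uniform(victim=16, activations=40000):
    """Classic pattern: alternate between the two rows adjacent to the victim."""
    return [victim - 1, victim + 1] * (activations // 2)


def non_uniform_multi_aggressor(victim=16, units=6667):
    """Spread pattern: rows 2 and 4 (far from the victim) are activated twice as often
    as the rows next to the victim, so they take the TRR tracking slots first."""
    unit = [2, 4, 2, 4, victim - 1, victim + 1]
    return unit * units


if __name__ == "__main__":
    print("uniform double-sided, limited table:", simulate(double_sided_uniform()))
    print("non-uniform spread, limited table:  ", simulate(non_uniform_multi_aggressor()))
    print("non-uniform spread, unlimited table:",
          simulate(non_uniform_multi_aggressor(), table_size=None))
```

In the toy run the uniform pattern never flips anything: row 15 or 17 reaches the counter threshold long before the victim accumulates enough disturbance, and the targeted refresh resets it. The spread pattern flips row 16 even though no tracked row ever reaches the threshold, because rows 15 and 17 are never tracked at all. Giving the model unlimited counters (`table_size=None`) makes the same spread pattern harmless again, which is the design point: a mitigation that counts a handful of aggressor rows is only as good as its tracking capacity, and a defender evaluating such a policy should test it against distributed, non-uniform patterns, not only the classic double-sided one.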