Rowhammer (also written as row hammer) is a computer security exploit that takes advantage of an unintended and undesirable side effect in dynamic random-access memory (DRAM) in which memory cells interact electrically between themselves by leaking their charges, possibly changing the contents of nearby memory rows that were not addressed in the original memory access. This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times. [1] [2] [3]
The Rowhammer effect has been used in some privilege escalation computer security exploits, [2] [4] [5] [6] and network-based attacks are also theoretically possible. [7] [8]
Different hardware-based techniques exist to prevent the Rowhammer effect from occurring, including required support in some processors and types of DRAM memory modules. [9] [10]
In dynamic RAM (DRAM), each bit of stored data occupies a separate memory cell that is electrically implemented with one capacitor and one transistor. The charge state of a capacitor (charged or discharged) is what determines whether a DRAM cell stores "1" or "0" as a binary value. Huge numbers of DRAM memory cells are packed into integrated circuits, together with some additional logic that organizes the cells for the purposes of reading, writing, and refreshing the data. [11] [12]
Memory cells (blue squares in both illustrations) are further organized into matrices and addressed through rows and columns. A memory address applied to a matrix is broken into the row address and column address, which are processed by the row and column address decoders (in both illustrations, vertical and horizontal green rectangles, respectively). After a row address selects the row for a read operation (the selection is also known as row activation), bits from all cells in the row are transferred into the sense amplifiers that form the row buffer (red squares in both illustrations), from which the exact bit is selected using the column address. Consequently, read operations are of a destructive nature because the design of DRAM requires memory cells to be rewritten after their values have been read by transferring the cell charges into the row buffer. Write operations decode the addresses in a similar way, but as a result of the design entire rows must be rewritten for the value of a single bit to be changed. [1] : 2–3 [11] [12] [13]
As a result of storing data bits using capacitors that have a natural discharge rate, DRAM memory cells lose their state over time and require periodic rewriting of all memory cells, which is a process known as refreshing. [1] : 3 [11] As another result of the design, DRAM memory is susceptible to random changes in stored data, which are known as soft memory errors and attributed to cosmic rays and other causes. There are different techniques that counteract soft memory errors and improve the reliability of DRAM, of which error-correcting code (ECC) memory and its advanced variants (such as lockstep memory) are most commonly used. [14]
Increased densities of DRAM integrated circuits have led to physically smaller memory cells containing less charge, resulting in lower operational noise margins, increased rates of electromagnetic interactions between memory cells, and greater possibility of data loss. As a result, disturbance errors have been observed, being caused by cells interfering with each other's operation and manifesting as random changes in the values of bits stored in affected memory cells. The awareness of disturbance errors dates back to the early 1970s and Intel 1103 as the first commercially available DRAM integrated circuits; since then, DRAM manufacturers have employed various mitigation techniques to counteract disturbance errors, such as improving the isolation between cells and performing production testing. However, researchers proved in a 2014 analysis that commercially available DDR3 SDRAM chips manufactured in 2012 and 2013 are susceptible to disturbance errors, while using the term Rowhammer to name the associated side effect that led to observed bit flips. [1] [3] [15]
The opportunity for the Rowhammer effect to occur in DDR3 memory [16] is primarily attributed to DDR3's high density of memory cells and the results of associated interactions between the cells, while rapid DRAM row activations have been determined as the primary cause. Frequent row activations cause voltage fluctuations on the associated row selection lines, which have been observed to induce higher-than-natural discharge rates in capacitors belonging to nearby (adjacent, in most cases) memory rows, which are called victim rows; if the affected memory cells are not refreshed before they lose too much charge, disturbance errors occur. Tests show that a disturbance error may be observed after performing around 139,000 subsequent memory row accesses (with cache flushes), and that up to one memory cell in every 1,700 cells may be susceptible. Those tests also show that the rate of disturbance errors is not substantially affected by increased environment temperature, while it depends on the actual contents of DRAM because certain bit patterns result in significantly higher disturbance error rates. [1] [2] [15] [17]
A variant called double-sided hammering involves targeted activations of two DRAM rows surrounding a victim row: in the illustration provided in this section, this variant would be activating both yellow rows with the aim of inducing bit flips in the purple row, which in this case would be the victim row. Tests show that this approach may result in a significantly higher rate of disturbance errors, compared to the variant that activates only one of the victim row's neighboring DRAM rows. [4] [18] : 19–20 [19]
As DRAM vendors have deployed mitigations, patterns had to become more sophisticated to bypass Rowhammer mitigations. More recent Rowhammer patterns include non-uniform, frequency-based patterns. [20] These patterns consist of many double-sided aggressors pairs where each of them is hammered with a different frequency, phase, and amplitude. Using this and synchronizing patterns with the REFRESH command, it is possible to very effectively determine "blind spots" where the mitigation is not able to provide protection anymore. Based on this idea, academics built a Rowhammer fuzzer named Blacksmith [21] that can bypass existing mitigations on all DDR4 devices.
Different methods exist for more or less successful detection, prevention, correction or mitigation of the Rowhammer effect. Tests show that simple error correction code, providing single-error correction and double-error detection (SECDED) capabilities, are not able to correct or detect all observed disturbance errors because some of them include more than two flipped bits per memory word. [1] : 8 [15] : 32 Furthermore, research shows that precisely targeted three-bit Rowhammer flips prevents ECC memory from noticing the modifications. [22] [23]
A less effective solution is to introduce more frequent memory refreshing, with the refresh intervals shorter than the usual 64 ms, [lower-alpha 1] but this technique results in higher power consumption and increased processing overhead; some vendors provide firmware updates that implement this type of mitigation. [24] One of the more complex prevention measures performs counter-based identification of frequently accessed memory rows and proactively refreshes their neighboring rows; another method issues additional infrequent random refreshes of memory rows neighboring the accessed rows regardless of their access frequency. Research shows that these two prevention measures cause negligible performance impacts. [1] : 10–11 [25]
Since the release of Ivy Bridge microarchitecture, Intel Xeon processors support the so-called pseudo target row refresh (pTRR) that can be used in combination with pTRR-compliant DDR3 dual in-line memory modules (DIMMs) to mitigate the Rowhammer effect by automatically refreshing possible victim rows, with no negative impact on performance or power consumption. When used with DIMMs that are not pTRR-compliant, these Xeon processors by default fall back on performing DRAM refreshes at twice the usual frequency, which results in slightly higher memory access latency and may reduce the memory bandwidth by up to 2–4%. [9]
The LPDDR4 mobile memory standard published by JEDEC [26] includes optional hardware support for the so-called target row refresh (TRR) that prevents the Rowhammer effect without negatively impacting performance or power consumption. [10] [27] [28] Additionally, some manufacturers implement TRR in their DDR4 products, [29] [30] although it is not part of the DDR4 memory standard published by JEDEC. [31] Internally, TRR identifies possible victim rows, by counting the number of row activations and comparing it against predefined chip-specific maximum activate count (MAC) and maximum activate window (tMAW) values, and refreshes these rows to prevent bit flips. The MAC value is the maximum total number of row activations that may be encountered on a particular DRAM row within a time interval that is equal or shorter than the tMAW amount of time before its neighboring rows are identified as victim rows; TRR may also flag a row as a victim row if the sum of row activations for its two neighboring rows reaches the MAC limit within the tMAW time window. [26] [32] Research showed that TRR mitigations deployed on DDR4 UDIMMs and LPDDR4X chips from devices produced between 2019 and 2020 are not effective in protecting against Rowhammer. [20]
Due to their necessity of huge numbers of rapidly performed DRAM row activations, Rowhammer exploits issue large numbers of uncached memory accesses that cause cache misses, which can be detected by monitoring the rate of cache misses for unusual peaks using hardware performance counters. [4] [33]
Version 5.0 of the MemTest86 memory diagnostic software, released on December 3, 2013, added a Rowhammer test that checks whether computer RAM is susceptible to disturbance errors, but it only works if the computer boots UEFI; without UEFI, it boots an older version with no hammer test. [34]
Memory protection, as a way of preventing processes from accessing memory that has not been assigned to each of them, is one of the concepts behind most modern operating systems. By using memory protection in combination with other security-related mechanisms such as protection rings, it is possible to achieve privilege separation between processes, in which programs and computer systems in general are divided into parts limited to the specific privileges they require to perform a particular task. Using privilege separation can also reduce the extent of potential damage caused by computer security attacks by restricting their effects to specific parts of the system. [35] [36]
Disturbance errors (explained in the section above) effectively defeat various layers of memory protection by "short circuiting" them at a very low hardware level, practically creating a unique attack vector type that allows processes to alter the contents of arbitrary parts of the main memory by directly manipulating the underlying memory hardware. [2] [4] [18] [37] In comparison, "conventional" attack vectors such as buffer overflows aim at circumventing the protection mechanisms at the software level, by exploiting various programming mistakes to achieve alterations of otherwise inaccessible main memory contents. [38]
hammer:mov(X),%eax// read from address Xmov(Y),%ebx// read from address Yclflush(X)// flush cache for address Xclflush(Y)// flush cache for address Yjmphammer |
A snippet of x86 assembly code that induces the row hammer effect (memory addresses X and Y must map to different DRAM rows in the same memory bank) [1] : 3 [4] [18] : 13–15 |
The initial research into the Rowhammer effect, published in June 2014, described the nature of disturbance errors and indicated the potential for constructing an attack, but did not provide any examples of a working security exploit. [1] A subsequent October 2014 research paper did not imply the existence of any security-related issues arising from the Rowhammer effect. [16]
On March 9, 2015, Google's Project Zero revealed two working privilege escalation exploits based on the Rowhammer effect, establishing its exploitable nature on the x86-64 architecture. One of the revealed exploits targets the Google Native Client (NaCl) mechanism for running a limited subset of x86-64 machine instructions within a sandbox, [18] : 27 exploiting the Rowhammer effect to escape from the sandbox and gain the ability to issue system calls directly. This NaCl vulnerability, tracked as CVE - 2015-0565, has been mitigated by modifying the NaCl so it does not allow execution of the clflush
(cache line flush [39] ) machine instruction, which was previously believed to be required for constructing an effective Rowhammer attack. [2] [4] [37]
The second exploit revealed by Project Zero runs as an unprivileged Linux process on the x86-64 architecture, exploiting the Rowhammer effect to gain unrestricted access to all physical memory installed in a computer. By combining the disturbance errors with memory spraying, this exploit is capable of altering page table entries [18] : 35 used by the virtual memory system for mapping virtual addresses to physical addresses, which results in the exploit gaining unrestricted memory access. [18] : 34, 36–57 Due to its nature and the inability of the x86-64 architecture to make clflush
a privileged machine instruction, this exploit can hardly be mitigated on computers that do not use hardware with built-in Rowhammer prevention mechanisms. While testing the viability of exploits, Project Zero found that about half of the 29 tested laptops experienced disturbance errors, with some of them occurring on vulnerable laptops in less than five minutes of running row-hammer-inducing code; the tested laptops were manufactured between 2010 and 2014 and used non-ECC DDR3 memory. [2] [4] [37]
In July 2015, a group of security researchers published a paper that describes an architecture- and instruction-set-independent way for exploiting the Rowhammer effect. Instead of relying on the clflush
instruction to perform cache flushes, this approach achieves uncached memory accesses by causing a very high rate of cache eviction using carefully selected memory access patterns. Although the cache replacement policies differ between processors, this approach overcomes the architectural differences by employing an adaptive cache eviction strategy algorithm. [18] : 64–68 The proof of concept for this approach is provided both as a native code implementation, and as a pure JavaScript implementation that runs on Firefox 39. The JavaScript implementation, called Rowhammer.js, [40] uses large typed arrays and relies on their internal allocation using large pages; as a result, it demonstrates a very high-level exploit of a very low-level vulnerability. [41] [42] [43] [44]
In October 2016, researchers published DRAMMER, an Android application that uses Rowhammer, together with other methods, to reliably gain root access on several popular smartphones. [45] The vulnerability was acknowledged as CVE - 2016-6728 [46] and a mitigation was released by Google within a month. However, due to the general nature of possible implementations of the attack, an effective software patch is difficult to be reliably implemented. As of June 2018, most patch proposals made by academia and industry were either impractical to deploy or insufficient in stopping all attacks. As a mitigation, researchers proposed a lightweight defense that prevents attacks based on direct memory access (DMA) by isolating DMA buffers with guard rows. [47] [48]
In May 2021, a Google research team announced a new exploit, Half-Double that takes advantage of the worsening physics of some of the newer DRAM chips. [49]
In March 2024, a group of researchers at ETH Zürich announced ZenHammer, a rowhammer exploit for AMD Zen chips, and also announced the first use of rowhammer to exploit DDR5 SDRAM. [50] [51]
In June 2024, a group of researchers at ETH Zürich announced RISC-H, a rowhammer exploit for RISC-V chips, this is the first Rowhammer study on RISC-V. [52]
Double Data Rate Synchronous Dynamic Random-Access Memory is a double data rate (DDR) synchronous dynamic random-access memory (SDRAM) class of memory integrated circuits used in computers. DDR SDRAM, also retroactively called DDR1 SDRAM, has been superseded by DDR2 SDRAM, DDR3 SDRAM, DDR4 SDRAM and DDR5 SDRAM. None of its successors are forward or backward compatible with DDR1 SDRAM, meaning DDR2, DDR3, DDR4 and DDR5 memory modules will not work on DDR1-equipped motherboards, and vice versa.
Dynamic random-access memory is a type of random-access semiconductor memory that stores each bit of data in a memory cell, usually consisting of a tiny capacitor and a transistor, both typically based on metal–oxide–semiconductor (MOS) technology. While most DRAM memory cell designs use a capacitor and transistor, some only use two transistors. In the designs where a capacitor is used, the capacitor can either be charged or discharged; these two states are taken to represent the two values of a bit, conventionally called 0 and 1. The electric charge on the capacitors gradually leaks away; without intervention the data on the capacitor would soon be lost. To prevent this, DRAM requires an external memory refresh circuit which periodically rewrites the data in the capacitors, restoring them to their original charge. This refresh process is the defining characteristic of dynamic random-access memory, in contrast to static random-access memory (SRAM) which does not require data to be refreshed. Unlike flash memory, DRAM is volatile memory, since it loses its data quickly when power is removed. However, DRAM does exhibit limited data remanence.
Synchronous dynamic random-access memory is any DRAM where the operation of its external pin interface is coordinated by an externally supplied clock signal.
A DIMM, or Dual In-Line Memory Module, is a popular type of memory module used in computers. It is a printed circuit board with one or both sides holding DRAM chips and pins. The vast majority of DIMMs are standardized through JEDEC standards, although there are proprietary DIMMs. DIMMs come in a variety of speeds and sizes, but generally are one of two lengths: PC, which are 133.35 mm (5.25 in), and laptop (SO-DIMM), which are about half the size at 67.60 mm (2.66 in).
Double Data Rate 2 Synchronous Dynamic Random-Access Memory is a double data rate (DDR) synchronous dynamic random-access memory (SDRAM) interface. It is a JEDEC standard (JESD79-2); first published in September 2003. DDR2 succeeded the original DDR SDRAM specification, and was itself succeeded by DDR3 SDRAM in 2007. DDR2 DIMMs are neither forward compatible with DDR3 nor backward compatible with DDR.
In computing, double data rate (DDR) describes a computer bus that transfers data on both the rising and falling edges of the clock signal and hence doubles the memory bandwidth by transferring data twice per clock cycle. This is also known as double pumped, dual-pumped, and double transition. The term toggle mode is used in the context of NAND flash memory.
Semiconductor memory is a digital electronic semiconductor device used for digital data storage, such as computer memory. It typically refers to devices in which data is stored within metal–oxide–semiconductor (MOS) memory cells on a silicon integrated circuit memory chip. There are numerous different types using different semiconductor technologies. The two main types of random-access memory (RAM) are static RAM (SRAM), which uses several transistors per memory cell, and dynamic RAM (DRAM), which uses a transistor and a MOS capacitor per cell. Non-volatile memory uses floating-gate memory cells, which consist of a single floating-gate transistor per cell.
In computing, serial presence detect (SPD) is a standardized way to automatically access information about a memory module. Earlier 72-pin SIMMs included five pins that provided five bits of parallel presence detect (PPD) data, but the 168-pin DIMM standard changed to a serial presence detect to encode more information.
Double Data Rate 3 Synchronous Dynamic Random-Access Memory is a type of synchronous dynamic random-access memory (SDRAM) with a high bandwidth interface, and has been in use since 2007. It is the higher-speed successor to DDR and DDR2 and predecessor to DDR4 synchronous dynamic random-access memory (SDRAM) chips. DDR3 SDRAM is neither forward nor backward compatible with any earlier type of random-access memory (RAM) because of different signaling voltages, timings, and other factors.
Memory refresh is a process of periodically reading information from an area of computer memory and immediately rewriting the read information to the same area without modification, for the purpose of preserving the information. Memory refresh is a background maintenance process required during the operation of semiconductor dynamic random-access memory (DRAM), the most widely used type of computer memory, and in fact is the defining characteristic of this class of memory.
A memory controller, also known as memory chip controller (MCC) or a memory controller unit (MCU), is a digital circuit that manages the flow of data going to and from a computer's main memory. When a memory controller is integrated into another chip, such as an integral part of a microprocessor, it is usually called an integrated memory controller (IMC).
In computing, a memory module or RAM stick is a printed circuit board on which memory integrated circuits are mounted.
G.SKILL International Enterprise is a Taiwanese computer hardware manufacturing company. The company's target customers are overclocking computer users. It produces a variety of high-end PC products and is best known for its DRAM products.
Double Data Rate 4 Synchronous Dynamic Random-Access Memory is a type of synchronous dynamic random-access memory with a high bandwidth interface.
Random-access memory is a form of electronic computer memory that can be read and changed in any order, typically used to store working data and machine code. A random-access memory device allows data items to be read or written in almost the same amount of time irrespective of the physical location of data inside the memory, in contrast with other direct-access data storage media, where the time required to read and write data items varies significantly depending on their physical locations on the recording medium, due to mechanical limitations such as media rotation speeds and arm movement.
Low-Power Double Data Rate (LPDDR), also known as LPDDR SDRAM, is a type of synchronous dynamic random-access memory that consumes less power than other random access memory designs and is thus targeted for mobile computing devices such as laptop computers and smartphones. Older variants are also known as Mobile DDR, and abbreviated as mDDR.
GDDR3 SDRAM is a type of DDR SDRAM specialized for graphics processing units (GPUs) offering less access latency and greater device bandwidths. Its specification was developed by ATI Technologies in collaboration with DRAM vendors including Elpida Memory, Hynix Semiconductor, Infineon and Micron. It was later adopted as a JEDEC standard.
A NVDIMM or non-volatile DIMM is a type of persistent random-access memory for computers using widely used DIMM form-factors. Non-volatile memory is memory that retains its contents even when electrical power is removed, for example from an unexpected power loss, system crash, or normal shutdown. Properly used, NVDIMMs can improve application performance and system crash recovery time. They enhance solid-state drive (SSD) endurance and reliability.
Double Data Rate 5 Synchronous Dynamic Random-Access Memory is a type of synchronous dynamic random-access memory. Compared to its predecessor DDR4 SDRAM, DDR5 was planned to reduce power consumption, while doubling bandwidth. The standard, originally targeted for 2018, was released on July 14, 2020.
UniDIMM is a specification for dual in-line memory modules (DIMMs), which are printed circuit boards (PCBs) designed to carry dynamic random-access memory (DRAM) chips. UniDIMMs can be populated with either DDR3 or DDR4 chips, with no support for any additional memory control logic; as a result, the computer's memory controller must support both DDR3 and DDR4 memory standards. The UniDIMM specification was created by Intel for its Skylake microarchitecture, whose integrated memory controller (IMC) supports both DDR3 and DDR4 memory technologies.
InfoWorld
, March 9, 2015, by Serdar Yegulalp