Researchers Demo Blacksmith Rowhammer Slamming Through DDR4 Security Wall, Is DDR5 Safe?
In computer security, "cracking" systems is all about gaining access where you aren't supposed to have it. One of the most definitive ways to do this is by "pwning"—or "taking control of"—a system's main memory interface. Normally, doing so requires physical access to the system, but security researchers have demonstrated time and again that it's possible to pilfer or modify secure data in DRAM through variations on the "Rowhammer" exploit.
For those who aren't familiar, Rowhammer is the general name for a class of exploits that involves performing particular patterns of accesses to specific physical regions of memory in order to trigger unwanted behavior in nearby cells, including bit flips. Rowhammer itself isn't new, and in fact most modern DRAM devices include some measure of protection against it. As it happens, though, those measures may not offer much protection at all.
Way back in March of last year, COMSEC, a group of researchers from ETH Zurich, demonstrated that "Target Row Refresh," the most common specific mitigation against Rowhammer, wasn't completely effective. At that time, the group was able to show that 13 out of 43 DIMMs that they tested were still vulnerable to Rowhammer attacks.
Well now, that same group has released example code for a tool it calls Blacksmith. Blacksmith is a "fuzzer" that, according to COMSEC, can bypass Rowhammer TRR protections on every single DDR4 DIMM that they've tested. That includes devices with ECC protection, too.
Essentially, Blacksmith works the same way as previous Rowhammer attacks. The key difference in this case seems to be the focus on manipulating specific parameters of the accesses, particularly the frequency. Blacksmith itself, when fed certain values, is apparently capable of finding the correct parameters for targeting a specific device.
Used properly, the attack can cause bit flips in adjacent cells, which can cause all kinds of havoc in a system. COMSEC demonstrated Blacksmith's usefulness by performing three attacks with the method: changing a page table entry to point to an attacker-controlled memory page, recovering an RSA-2048-encrypted SSH private key, and gaining root privileges on a system by attacking the password verification logic of sudoers.so.
The authors of the app have a FAQ section toward the end of the announcement where they note that as far as they are aware, no DDR4 DIMMs are safe from Rowhammer at this time, not even ECC modules. They did find that some modules are more vulnerable than others, though. They also noted that they believe the reason JEDEC hasn't taken a stronger stance against Rowhammer attacks is because of internal bureaucracy.
Still, DDR5 memory may naturally be better off against Rowhammer-type attacks due to characteristics of its design. Unlike DDR4, where Target Row Refresh was somewhat "retrofitted" into the technology, DDR5 uses a system called "refresh management" that tracks bank activations and calls selective refreshes where necessary. In combination with DDR5's more robust error correction, that could mean that these types of attacks become unviable, or at least less practical.
If you're curious to see if you're vulnerable to Blacksmith, you can download the example code from COMSEC's Github and try it for yourself.
