Scientists extend Rowhammer's reach from DDR3 to DDR4

Mar 18, 2016 11:35 GMT

Scientists have demonstrated how to use the Rowhammer attack (sometimes spelled Row Hammer) to flip bits in DDR4-based memory chips, a technique that can be used to leak or alter the content of a device's DRAM.

The Rowhammer attack came to light in 2014, after researchers from Carnegie Mellon University proved that sending a barrage of 0s and 1s at a DRAM component, and more specifically at the same memory address, could cause electrical interference that would affect nearby memory rows.

In March 2015, Google researchers turned the attack into an exploit and demonstrated its capabilities. The attack was nevertheless novel and still in its infancy, and it sparked further research on the topic, which was published in late July of the same year by different researchers.

This second study revealed new ways to carry out the attacks via JavaScript, and the scientists discovered that almost all recent DRAM DDR3 chips were vulnerable to their technique.

DDR4 memory chips are also vulnerable

New research published this March by Mark Lanteigne, CTO and founder of Third I/O Inc., a company that specializes in high-speed bandwidth and supercomputing technologies, has now proven that, by altering the methods used to conduct Rowhammer tests, the attack can also be effective against newer DDR4 chips.

To carry out their tests, the researchers used Memesis, an internal tool they had developed for use inside the company to test the high-speed SSDs it was selling.

While early Rowhammer attacks had researchers send consecutive 0s and 1s at a memory chip, Third I/O took a different approach and funneled data at the DDR4 chip in various patterns, which also proved to cause electrical interference in the memory chip.

Attack relies on "killer" data patterns

This small alteration in how the attack was carried out allowed the researcher to bypass security measures put in newer DDR3 and even DDR4 chips.

Third I/O even discovered what they called "killer" data patterns, which they can throw at DDR4 chips to weaken their defenses. Their paper details one of them: the number 492 (in hex format), sent many times in succession. In binary, this translates to a never-ending string made up of repeating 010.

"We found that the killer data pattern was finding approximately 50% more errors than our default random pattern. We found this remarkable as this system even has a setting labeled 'Memory Scrambling Enabled,'" Third I/O explained. "Because this system contains the latest processor and memory technologies, we were fully expecting random data patterns to be our best case scenario."
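An added example, not taken from Third I/O's paper or from Memesis: the fill-and-verify step a memory tester performs with the 492 pattern, showing that the 12-bit value tiles bytes as 49 24 92 and how flipped bits are located and classified. The MSB-first byte order, all function names and the two hand-written bit errors are assumptions for illustration; nothing here hammers memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define PATTERN      0x492u   /* 12-bit value from the article: 0100 1001 0010 */
#define PATTERN_BITS 12u

struct flip_report { size_t total, one_to_zero, zero_to_one, first_offset; };

/* Byte i of the endless stream made by repeating PATTERN, MSB first (assumed order). */
uint8_t pattern_byte(size_t i) {
    uint8_t b = 0;
    for (unsigned k = 0; k < 8; k++) {
        unsigned pos = (unsigned)((i * 8 + k) % PATTERN_BITS);
        b = (uint8_t)((b << 1) | ((PATTERN >> (PATTERN_BITS - 1 - pos)) & 1u));
    }
    return b;
}

void fill_pattern(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] = pattern_byte(i);
}

/* Compare the buffer with the expected stream and classify every flipped bit.
   first_offset == len means no mismatch was found. */
struct flip_report verify_pattern(const uint8_t *buf, size_t len) {
    struct flip_report r = {0, 0, 0, len};
    for (size_t i = 0; i < len; i++) {
        uint8_t want = pattern_byte(i), diff = (uint8_t)(buf[i] ^ want);
        if (!diff) continue;
        if (r.first_offset == len) r.first_offset = i;
        for (uint8_t m = 0x80; m; m >>= 1) {
            if (!(diff & m)) continue;
            r.total++;
            if (want & m) r.one_to_zero++; else r.zero_to_one++;
        }
    }
    return r;
}

/* Constructed scenario: two bit errors are written in by hand to exercise the check. */
struct flip_report simulated_run(void) {
    static uint8_t buf[4096];
    fill_pattern(buf, sizeof buf);
    buf[100]  ^= 0x20;   /* expected 0x24: a stored 1 reads back as 0 */
    buf[2000] ^= 0x01;   /* expected 0x92: a stored 0 reads back as 1 */
    return verify_pattern(buf, sizeof buf);
}

int main(void) {
    struct flip_report r = simulated_run();
    printf("flips=%zu 1->0=%zu 0->1=%zu first=%zu\n", r.total, r.one_to_zero, r.zero_to_one, r.first_offset);
}
```

On real hardware the bits a program writes do not map one-to-one onto DRAM cells, which is why the quoted remark about memory scrambling is notable.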

The scientists tested their attack successfully on DDR3 chips created and sold by Micron and Crucial Ballistix. DDR4 modules sold by G.Skill and Geil Super proved to be resilient to this attack, at least in the four-hour span required for the experiment to be performed.

During their research, Third I/O says that they were in contact with Daniel Gruss, the author of the second study on Rowhammer, who shared information that some of the JavaScript-based Rowhammer tests had also started producing results against newer DDR4 chips.