Rowhammer reach extended for new attack method

Google researchers have uncovered a new variation on the Rowhammer hardware attack that enables an adversary to flip transistor states from further distances than previously thought possible.

The new take on Rowhammer, dubbed "Half-Double," shows how an attacker can turn a targeted transistor to an on or off state by repeatedly flipping transistors from one and two rows over. In the security world, this poses a significant risk because it allows a "no" to become a "yes" at the lowest hardware level. An attacker could, in theory, tamper with write permissions or account access of a system as long as they had extensive knowledge of their target's architecture and enough local access to send repeated commands to memory.

While Rowhammer has been public knowledge since 2014, previous studies have only shown the phenomena to be possible from adjacent rows. The current security measures against attacks are based on that assumption, so the Google team's findings could throw a wrench into current-generation protections.

The culprit in this case is not a novel attack technique or a research breakthrough by hackers, but the progress chipmakers have made in recent years to shrink their manufacturing processes.

As chip designs have become smaller and more compact to get additional transistors into a single dye, the distance between the transistors has grown even smaller. Rows of transistors that were normally distanced far enough apart so as to not interfere with one another can now influence the state of their neighbors.

"Using Half-Double, we were able to induce errors on commercial systems using recent generations of DRAM chips, but not with older ones," the Google researchers explained. "This is likely an indication that coupling is becoming stronger and longer-ranged as cell geometries shrink down."

The Google researchers discovered that with the transistors packed in so tightly together on current DDR4 memory chips, the bulk of the resets needed for a Rowhammer coupling can now be conducted from two rows over rather than just one. In its research, the Google team used three different DDR4 designs from an unnamed vendor and its own in-house field-programmable gate array hardware.

By conducting thousands of switches from two rows over, then following that up with dozens on the next row to the target, the researchers were able to switch the state of the targeted bit.

"It is based on our discovery of weak coupling between two rows that are not immediately adjacent to each other by one row removed," the Google team wrote. "While such weak coupling by itself is not viable for an attack, we further discovered that its effect can be amplified with just a handful of accesses (dozens) to the immediate neighbor."

The coupling effect from two rows over is important because current security designs isolate bits when they detect extremely high volumes of state changes in adjacent rows of transistors.

Because only several dozen flips were conducted in the adjacent row, the procedure does not trigger the security measures that would spot a Rowhammer attack and protect the targeted rows.

Perhaps worse, the technique will likely not only continue to work with new and upcoming chip designs, but could become even more effective in future memory chip designs because the coupling will likely be possible from even more lines away.

In short, the protections currently in place for Rowhammer are no longer effective. And given the rate of progress in chip fabrication methods, the threat will likely only increase in the coming years. As a result, Google said, companies designing DRAM chips for system-on-a chip technology and system memory will need to rethink how they can spot and stop possible Rowhammer attacks.

"A DRAM vendor should test a mix of hammering distances rather than only testing at individual distances," the Google team wrote.

"In other words, hammering a single row or pair of sandwiching rows on the raw medium will not show this effect," they wrote. "Instead, pairs of rows on one or both sides of an intended victim need to be hammered."