Security specialists from Switzerland discovered a new type of attack on DRAM that there is no protection against today. Although the new attack has not yet been implemented as an exploit and has not yet been used by attackers, memory manufacturers must urgently look for protection, otherwise it will be too late.
Researchers at ETH Zurich led by Professor Onur Mutlu investigated so-called read-disturbance attacks on DRAM modules. The data in the cells can be influenced both by natural causes, for example high-energy cosmic particles striking the chip, and by deliberately engineered access patterns. Natural phenomena can be handled and counteracted with error-correcting codes; resisting malicious influence is much harder.
In 2015, researchers published the first academic study of targeted, indirect changes to data in memory cells. The attack was called RowHammer. As the name suggests, repeated accesses were issued to a specific row in a memory bank, causing data in neighboring cells to change.
The attack mechanism was based on the fact that certain memory cells were so overloaded with requests that the leakage currents caused by these processes changed the charges in physically nearby cells. For example, it was possible to attack protected memory areas without accessing them directly. It was later demonstrated how the RowHammer attack could be used to steal 2048-bit RSA keys from a protected area.
Manufacturers have taken measures to protect against RowHammer attacks. In particular, DDR4-generation memory has a kind of counter for the number of accesses to a row, known as Target Row Refresh (TRR): when a certain threshold of activations is exceeded, the cells in the neighboring rows are refreshed before their charge can be disturbed. And although a variant of the RowHammer attack that overcomes TRR protection was introduced in 2021, this mechanism generally protects against a wide range of such attacks.
A new type of attack, RowPress, puts an end to all previous methods of protecting against malicious modification of data in DRAM memory cells. It is based on a completely different principle and is therefore dangerous. Instead of a long series of activations of the attacker row, as RowHammer does, the RowPress attack simply keeps the row open for longer than a certain amount of time. The result, however, is the same: the victim row, which is never accessed directly, changes the state of its memory cells in the way the attacker needs.
Researchers emphasize that there are no ready-made recipes for a RowPress-based attack. However, the ability to use it to change data in DRAM cells opens up a window of opportunity that an attacker will sooner or later exploit.
The main problem is that the RowPress attack is more cost-effective than RowHammer. Running it, that is, changing data in the victim rows, requires 10-100 times fewer activations than RowHammer. This makes the attack much harder to detect with activation counting. To combat it, the researchers say dedicated circuit-level solutions are needed, which will reduce average DRAM performance by at least 2%, and considerably more for some applications.
Are manufacturers willing to make such sacrifices? Samsung responded that it was exploring the possibility of protecting DDR4 memory modules from a new type of attack. Micron and SK Hynix did not comment at the time of writing.
Researchers analyzed 164 modern computer memory modules and found that all were vulnerable to RowPress to some degree. This is a completely new mechanism for influencing memory, which, when combined with the RowHammer attack, expands the list and range of threats. Combined, RowPress and RowHammer promise to be very, very dangerous. It also turned out that the higher the temperature of the DRAM chips, the easier the RowPress attack is. Likewise, the finer the manufacturing process used to produce the memory, the easier the RowPress attack is.
In theory, you can protect yourself from RowPress simply by limiting how long a row is allowed to stay open. The researchers have shown that this time should not exceed 30 ms: if a row remains open for longer, at least one bit flip will occur. Memory manufacturers must empirically determine the maximum row-open time that does not significantly impact DRAM performance yet does not permit a RowPress attack.
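Why an activation counter of the TRR kind does not catch RowPress, and what a row-open-time limit adds, can be shown with a small trace-driven model. The code below is an added illustration, not from the article or the ETH Zurich researchers: it replays a constructed trace of DRAM ACT (open row) and PRE (close row) commands within one refresh window and applies two checks to each row, an activation-count threshold (the TRR idea from the article) and a maximum-open-time bound (the 30 ms limit the article mentions). The row numbers, the activation-count threshold, the timings and the 64 ms refresh window are assumptions chosen for the example; a real memory controller works at the hardware level, not on a command list.

```python
"""Constructed model of two DRAM read-disturbance mitigations on a command trace.

Check 1 counts activations per row (TRR-style).  Check 2 bounds how long a
row may stay open.  A RowHammer-style pattern (many short activations) trips
check 1 only; a RowPress-style pattern (few, long activations) trips check 2
only.  All values below are illustrative assumptions, not hardware figures.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

REFRESH_WINDOW_NS = 64_000_000.0  # assumed 64 ms refresh window (tREFW)
ACT_THRESHOLD = 5_000             # assumed TRR-style activation-count threshold
OPEN_LIMIT_NS = 30_000_000.0      # 30 ms: the row-open bound stated in the article


@dataclass
class Cmd:
    t_ns: float   # time of the command, in ns from the start of the window
    op: str       # "ACT" opens a row, "PRE" closes it
    row: int      # hypothetical row number


@dataclass
class RowStats:
    activations: int = 0
    open_since_ns: Optional[float] = None
    max_open_ns: float = 0.0


def analyze(trace: List[Cmd], window_ns: float = REFRESH_WINDOW_NS) -> Dict[int, RowStats]:
    """Count activations and track the longest open interval for every row."""
    stats: Dict[int, RowStats] = {}
    for c in sorted(trace, key=lambda c: c.t_ns):
        s = stats.setdefault(c.row, RowStats())
        if c.op == "ACT":
            s.activations += 1
            s.open_since_ns = c.t_ns
        elif c.op == "PRE" and s.open_since_ns is not None:
            s.max_open_ns = max(s.max_open_ns, c.t_ns - s.open_since_ns)
            s.open_since_ns = None
    # A row still open when the window ends has been open until the window end.
    for s in stats.values():
        if s.open_since_ns is not None:
            s.max_open_ns = max(s.max_open_ns, window_ns - s.open_since_ns)
    return stats


def flagged_by_activation_count(stats: Dict[int, RowStats], threshold: int = ACT_THRESHOLD) -> List[int]:
    """Rows a TRR-style counter would refresh the neighbours of."""
    return sorted(r for r, s in stats.items() if s.activations >= threshold)


def flagged_by_open_time(stats: Dict[int, RowStats], limit_ns: float = OPEN_LIMIT_NS) -> List[int]:
    """Rows that violated the maximum row-open time."""
    return sorted(r for r, s in stats.items() if s.max_open_ns > limit_ns)


def rapid_trace(row: int, n_acts: int, t_rc_ns: float = 45.0, start_ns: float = 0.0) -> List[Cmd]:
    """n_acts short ACT/PRE pairs back to back (assumed 45 ns row cycle).
    With a large n_acts this is the RowHammer access pattern."""
    out, t = [], start_ns
    for _ in range(n_acts):
        out.append(Cmd(t, "ACT", row))
        out.append(Cmd(t + t_rc_ns / 2, "PRE", row))
        t += t_rc_ns
    return out


def press_trace(row: int, n_acts: int, open_ns: float, start_ns: float = 0.0) -> List[Cmd]:
    """n_acts activations, each holding the row open for open_ns: the RowPress pattern."""
    out, t = [], start_ns
    for _ in range(n_acts):
        out.append(Cmd(t, "ACT", row))
        out.append(Cmd(t + open_ns, "PRE", row))
        t += open_ns + 50.0  # assumed 50 ns gap before the next activation
    return out


def demo() -> Dict[str, List[int]]:
    """Constructed trace: a hammered row, a pressed row and a benign row."""
    trace = (
        rapid_trace(row=100, n_acts=10_000)                       # RowHammer-style
        + press_trace(row=200, n_acts=2, open_ns=31_000_000.0)     # RowPress-style, 31 ms each
        + rapid_trace(row=300, n_acts=10, start_ns=1_000_000.0)    # ordinary traffic
    )
    stats = analyze(trace)
    return {
        "by_count": flagged_by_activation_count(stats),
        "by_open_time": flagged_by_open_time(stats),
    }


if __name__ == "__main__":
    print(demo())
```

The hammered row 100 is caught only by the activation counter, while the pressed row 200, with just two activations, passes the counter and is caught only by the open-time bound; the benign row 300 trips neither. This is the article's point in miniature: a mitigation that looks only at how often a row is activated has no way to see a row that is activated rarely but held open too long, so the two checks have to be used together.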