
New ZenHammer Attack Exploits AMD Zen 2 and Zen 3 Systems

Researchers from ETH Zurich have developed a new variant of the RowHammer DRAM attack. The variant, known as ZenHammer, successfully targets AMD Zen 2 and Zen 3 systems despite their implementing mitigations such as Target Row Refresh (TRR). This is significant because it proves that AMD systems are just as vulnerable to RowHammer as Intel systems. Given AMD's current market share of around 36% of x86 desktop CPUs, this dramatically increases the attack surface.

The RowHammer attack was publicly disclosed in 2014 and exploits DRAM's memory cell architecture to alter data. By repeatedly accessing a specific row, known as “hammering,” a cell's electrical charge can leak into adjacent cells, causing random bit flips in neighboring memory rows. This can alter memory contents and potentially facilitate privilege escalation, compromising confidentiality, integrity, and system availability.

The attacks are possible because of the physical proximity of these cells within the memory array, and the problem is likely to worsen as DRAM scales and storage density increases. As DRAM continues to scale, RowHammer bit flips occur at lower activation counts. Thus, a benign workload's DRAM row activation rate can approach or exceed the RowHammer threshold, leading to data corruption or significant performance degradation.

DRAM manufacturers have implemented mitigations against RowHammer, such as TRR, which refreshes target rows determined to be accessed frequently. However, ZenHammer, like TRRespass and SMASH, bypasses TRR guardrails by reverse engineering the secret DRAM address functions in AMD systems. It also adopts improved refresh synchronization and scheduling of flushing and fencing instructions to trigger bit flips on seven out of 10 sample Zen 2 devices and six out of 10 Zen 3 devices.
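To make the TRR-bypass idea concrete, here is an added toy simulation (not code from the article or from the ZenHammer researchers) of one refresh window on a single DRAM bank, with a tracker that can follow only a small number of aggressor rows; every threshold, slot count and access trace is a constructed value chosen for illustration, not a measured one.

```python
from collections import Counter

# Constructed model parameters (not taken from the article or the ZenHammer paper).
HAMMER_THRESHOLD = 30_000   # disturbance a victim row tolerates before a flip is assumed
TRR_SLOTS = 2               # aggressor rows the modelled in-DRAM tracker can follow at once
TRR_SAMPLE_EVERY = 10_000   # activations between TRR checks inside one refresh window


def hammer_window(trace, threshold=HAMMER_THRESHOLD, slots=TRR_SLOTS,
                  sample_every=TRR_SAMPLE_EVERY):
    """Simulate one refresh window of row activations on one bank.

    Each activation of row r adds one unit of disturbance to its physical
    neighbours r-1 and r+1. Every `sample_every` activations the TRR tracker
    refreshes the neighbours of the `slots` most-activated rows, clearing their
    accumulated disturbance. Returns the set of victim rows whose disturbance
    reached `threshold`, i.e. the rows this model predicts would flip.
    """
    activations = Counter()
    disturbance = Counter()
    flipped = set()
    for i, row in enumerate(trace, 1):
        activations[row] += 1
        for victim in (row - 1, row + 1):
            disturbance[victim] += 1
            if disturbance[victim] >= threshold:
                flipped.add(victim)
        if i % sample_every == 0:
            # TRR only sees the rows its limited counters track.
            for aggressor, _ in activations.most_common(slots):
                disturbance[aggressor - 1] = 0
                disturbance[aggressor + 1] = 0
    return flipped


def round_robin(rows, per_row):
    """Constructed access trace: cycle through the aggressor rows `per_row` times."""
    return [r for _ in range(per_row) for r in rows]


# Double-sided: two aggressors around victim row 11; the 2-slot tracker follows both.
DOUBLE_SIDED = round_robin([10, 12], 60_000)
# Many-sided (TRRespass-style): six aggressors, more than the tracker can follow.
MANY_SIDED = round_robin([10, 12, 14, 16, 18, 20], 20_000)

if __name__ == "__main__":
    print("double-sided flips:", sorted(hammer_window(DOUBLE_SIDED)))
    print("many-sided flips:  ", sorted(hammer_window(MANY_SIDED)))
```

The double-sided trace is fully covered by the two tracker slots and produces no flips, while the many-sided trace keeps four aggressors outside the tracker's view and their shared victims accumulate disturbance until they cross the threshold.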

The study also arrived at an optimal hammering instruction sequence to improve row activation rates and facilitate more effective hammering. The researchers found that regular loads (MOV) with CLFLUSHOPT for flushing aggressors from the cache, issued immediately after accessing an aggressor (“scatter” style), are optimal.

ZenHammer is also the first method to trigger bit flips on systems equipped with DDR5 chips on AMD's Zen 4 microarchitectural platform. However, it only works on one of the 10 tested devices (Ryzen 7 7700X). This is noteworthy because DDR5 DRAM modules were previously considered immune to RowHammer attacks, as they replaced TRR with a new kind of protection called refresh management.

In summary, the development of ZenHammer highlights the continued vulnerability of DRAM to RowHammer attacks despite manufacturers' implementation of mitigations. The researchers suggest that more work is needed to better understand the potentially new RowHammer mitigations on DDR5 devices and to develop effective countermeasures.


Deitasoft © 2024. All Rights Reserved.