Thursday, December 5, 2024

ZENHAMMER – First Rowhammer Attack Impacting Zen-based AMD Platforms


Despite AMD's growing market share with Zen CPUs, no Rowhammer attack had been demonstrated on them, because of the difficulty of reverse engineering their DRAM addressing, synchronizing with refresh commands, and achieving a sufficient row activation throughput.

Researchers addressed these challenges with ZENHAMMER, the first Rowhammer attack on recent AMD CPUs.

ZENHAMMER reverse engineers the non-linear DRAM addressing functions, uses crafted access patterns to synchronize with refresh commands, and schedules instructions carefully to increase activation throughput while bypassing in-DRAM mitigations.


In the evaluation, ZENHAMMER found bit flips on 7 out of 10 DDR4 devices on Zen 2 and Zen 3 CPUs, showing that Rowhammer exploitation is possible on current AMD platforms.

Besides this, it also triggered the first Rowhammer bit flips on a DDR5 device.

ZENHAMMER – First Rowhammer Attack

Recent Rowhammer attacks have bypassed in-DRAM mitigations on Intel CPUs by exploiting particular microarchitectural details, but no such attack had been recorded against modern AMD Zen microarchitecture CPUs.

Through extensive experiments, the researchers uncovered several crucial aspects of AMD platforms, including the physical-to-DRAM address mapping, the observability of DRAM commands, and the behavior of memory instructions.

They used this information to design ZENHAMMER, the first successful Rowhammer attack against AMD Zen CPUs.

The goal of the researchers was to trigger bit flips on AMD Zen platforms using DDR4 memory, allowing comparison with well-studied Intel systems. 

A crucial requirement for effective Rowhammer is knowledge of the DRAM address mapping from physical addresses to DRAM locations, enabling precise attacker row selection. 

Since AMD and Intel memory controllers use different mappings, determining the AMD mapping was the researchers' first key challenge in constructing a Rowhammer attack on these platforms.

While Intel systems place all DRAM-addressing bits within the lower 21 bits of the physical address, AMD Zen systems use bits up to bit 34, which makes exploitation difficult without knowing these higher bits.

The researchers describe a technique that combines the bank conflict side channel with the reverse-engineered DRAM mappings to detect consecutive same-bank rows, which are essential for Rowhammer.

By coloring 2MB transparent huge pages (THPs) according to bank conflicts and applying the known address functions to the lower 21 bits, they can identify same-bank rows within each THP color.

On a Zen 3 system, THP coloring takes around 39 seconds per attack, while detecting same-bank rows is a one-time 18ms cost per memory configuration.

The evaluation results show how much ZENHAMMER's optimizations improve the ability to cause bit flips on AMD Zen 2 and Zen 3 processors compared to earlier methods.

By refining the hammering instruction sequences and fence scheduling policies, ZENHAMMER dramatically increased both the number of devices showing bit flips and the number of patterns that triggered them, most notably on Zen 3, where no bit flips had been reported before.

On some devices ZENHAMMER was less effective than on Intel Coffee Lake, but on other DIMMs its optimizations proved more powerful, even exceeding Coffee Lake's best bit flip counts.

These findings indicate that successful Rowhammer attacks require platform-specific optimizations beyond just increasing activation rates.


Tushar Subhra
