Saturday, April 13, 2024

ZENHAMMER – First Rowhammer Attack Impacting Zen-based AMD Platforms

Despite AMD’s growing market share with Zen CPUs, no Rowhammer attacks on these platforms had been demonstrated, owing to the challenges of reverse engineering DRAM addressing, synchronizing with refresh commands, and achieving sufficient row activation throughput.

Researchers addressed these through ZENHAMMER, the first Rowhammer attack on recent AMD CPUs.

ZENHAMMER reverse engineers the non-linear DRAM addressing, uses crafted access patterns for synchronization, and schedules instructions carefully to increase throughput while bypassing mitigations.

Evaluations demonstrated ZENHAMMER finding bit flips on 7 out of 10 DDR4 devices on Zen 2/3 CPUs, enabling Rowhammer exploitation on current AMD platforms.

Besides this, it also triggered the first Rowhammer bit flips on a DDR5 device.

ZENHAMMER – First Rowhammer Attack

Recent Rowhammer attacks have bypassed in-DRAM mitigations on Intel CPUs by exploiting particular architectural details, but no such attacks had been recorded against CPUs based on AMD’s modern Zen microarchitecture.

Through extensive experiments, however, the researchers uncovered several crucial aspects of AMD platforms, including the physical-to-DRAM address mapping, DRAM command observability, and the behavior of memory instructions.

Researchers used this information to design ZENHAMMER, the first-ever successful Rowhammer attack against AMD Zen CPUs.

The goal of the researchers was to trigger bit flips on AMD Zen platforms using DDR4 memory, allowing comparison with well-studied Intel systems. 

A crucial requirement for effective Rowhammer is knowledge of the DRAM address mapping from physical addresses to DRAM locations, enabling precise attacker row selection. 

Since AMD and Intel memory controllers use different mappings, determining the AMD mapping posed the researchers’ first key challenge in constructing a Rowhammer attack on these platforms.

While Intel systems have all DRAM addressing bits within the lower 21 bits, AMD Zen systems utilize up to 34 bits, making exploitation challenging without knowing these bits.

Experts describe a technique combining the bank conflict side channel with reverse-engineered DRAM mappings to detect consecutive same-bank rows crucial for Rowhammer. 

By coloring 2MB transparent huge pages (THPs) based on bank conflicts and using known address functions on the lower 21 bits, experts can identify same-bank rows within each THP color. 

On a Zen 3 system, THP coloring takes around 39 seconds per attack, while detecting same-bank rows is a one-time 18 ms cost per memory configuration.

The evaluation results show how well ZENHAMMER’s optimizations for causing bit flips on AMD Zen 2 and Zen 3 processors work compared with earlier methods.
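Why a 2 MB huge page ends up with a "color" can be shown with a small model. This is an added example, not code from the researchers: the XOR masks, page bases and offset are constructed for illustration and are not a real AMD mapping, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define THP_BITS 21                       /* 2 MB transparent huge page */
#define LOW_MASK ((1ULL << THP_BITS) - 1) /* bits software controls inside a THP */

/* CONSTRUCTED masks for illustration only: each bank-address bit is the XOR
 * (parity) of the physical-address bits set in one mask. Not a real mapping. */
static const uint64_t BANK_FN[] = {
    (1ULL << 8)  | (1ULL << 17) | (1ULL << 25),
    (1ULL << 9)  | (1ULL << 18) | (1ULL << 29),
    (1ULL << 14) | (1ULL << 19) | (1ULL << 33),
    (1ULL << 15) | (1ULL << 20),
};
#define N_FN (sizeof BANK_FN / sizeof BANK_FN[0])

static unsigned parity64(uint64_t x) {
    x ^= x >> 32; x ^= x >> 16; x ^= x >> 8;
    x ^= x >> 4;  x ^= x >> 2;  x ^= x >> 1;
    return (unsigned)(x & 1);
}

/* Apply every function to addr, restricted to the address bits in `keep`. */
static unsigned apply_fns(uint64_t addr, uint64_t keep) {
    unsigned out = 0;
    for (unsigned i = 0; i < N_FN; i++)
        out |= parity64(addr & BANK_FN[i] & keep) << i;
    return out;
}

/* Full bank index, the part fixed per THP (bits >= 21), and the part
 * determined by the offset inside the THP (bits < 21). */
unsigned bank_of(uint64_t phys)   { return apply_fns(phys, ~0ULL); }
unsigned thp_color(uint64_t phys) { return apply_fns(phys, ~LOW_MASK); }
unsigned low_part(uint64_t phys)  { return apply_fns(phys, LOW_MASK); }

int main(void) {
    uint64_t thp_a = 0x040000000ULL;   /* constructed 2 MB-aligned bases */
    uint64_t thp_b = 0x242000000ULL;
    uint64_t off   = 0x1A4300ULL;      /* same offset inside both pages */
    printf("A: color=%u low=%u bank=%u\n", thp_color(thp_a + off),
           low_part(off), bank_of(thp_a + off));
    printf("B: color=%u low=%u bank=%u\n", thp_color(thp_b + off),
           low_part(off), bank_of(thp_b + off));
    return 0;
}
```

Because XOR is linear, the bank index is always `thp_color ^ low_part`: the same offset maps to different banks in pages of different color, which is why the mapping above bit 21 has to be accounted for on Zen but not on the Intel systems described above.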

By refining hammering instruction sequences and fence scheduling policies, ZENHAMMER dramatically raised the number of devices showing bit flips and the patterns that triggered them, particularly in the case of Zen 3 where no bit flips were reported before. 

Compared with Intel Coffee Lake, ZENHAMMER was less effective on some devices, although its optimizations proved more powerful on some DIMMs, even exceeding Coffee Lake’s best-performance bit flip counts.

These findings indicate that successful Rowhammer attacks require platform-specific optimizations beyond just increasing activation rates.

Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
