New RowHammer Attack Technique on DRAM

Google has introduced "Half-Double", a new RowHammer-class attack technique that makes it possible to change the contents of individual bits of dynamic random-access memory (DRAM). The attack has been reproduced on some modern DRAM chips whose manufacturers have reduced the cell geometry.

Recall that RowHammer-class attacks make it possible to corrupt the contents of individual memory bits by cyclically reading data from neighboring memory cells. Because DRAM is a two-dimensional array of cells, each consisting of a capacitor and a transistor, continuously reading the same area of memory causes voltage fluctuations and anomalies that lead to a slight loss of charge in adjacent cells. If the read intensity is high enough, a neighboring cell may lose so much charge that the next refresh cycle does not restore its original state in time, which changes the value of the data stored in the cell.

To protect against RowHammer, chip manufacturers have implemented the TRR (Target Row Refresh) mechanism, which protects against cell corruption in adjacent rows. The Half-Double method bypasses this protection by exploiting the fact that the corruption is not limited to adjacent rows and propagates to other rows of memory, although to a lesser extent. Google engineers have shown that for consecutive memory rows "A", "B" and "C", it is possible to attack row "C" with very heavy access to row "A" and little activity affecting row "B". Accessing row "B" during an attack activates a non-linear charge drain and allows row "B" to be used as a conduit that carries the RowHammer effect from row "A" to row "C".

Unlike the TRRespass attack, which exploits flaws in various implementations of the cell corruption prevention mechanism, the Half-Double attack relies on the physical properties of the silicon substrate. Half-Double shows that the effects leading to RowHammer are likely a property of distance rather than of direct cell adjacency. As cell geometry shrinks in modern chips, the radius of influence of the corruption also increases. It is possible that the effect will be observed at a distance of more than two rows.

It is noted that, together with the JEDEC association, several proposals have been developed that analyze possible ways to block such attacks. The method is being disclosed because Google believes that this study greatly expands our understanding of the RowHammer phenomenon and highlights the importance of bringing researchers, chipmakers, and other stakeholders together to develop a complete and long-term security solution.

Source: opennet.ru