There's a New Way To Flip Bits in DRAM, and It Works Against the Latest Defenses
An anonymous reader shares a report: In 2015, researchers reported a surprising discovery that stoked industry-wide security concerns -- an attack called RowHammer that could corrupt, modify, or steal sensitive data when a simple user-level application repeatedly accessed certain regions of DDR memory chips. In the coming years, memory chipmakers scrambled to develop defenses that prevented the attack, mainly by limiting the number of times programs could open and close the targeted chip regions in a given time. Recently, researchers devised a new method for creating the same types of RowHammer-induced bitflips even on a newer generation of chips, known as DDR4, that have the RowHammer mitigations built into them. Known as RowPress, the new attack works not by "hammering" carefully selected regions repeatedly, but instead by leaving them open for longer periods than normal. Bitflips refer to the phenomenon of bits represented as ones change to zeros and vice versa. Further amplifying the vulnerability of DDR4 chips to read-disturbance attacks -- the generic term for inducing bitflips through abnormal accesses to memory chips -- RowPress bitflips can be enhanced by combining them with RowHammer accesses. Curiously, raising the temperature of the chip also intensifies the effect. "We demonstrate a proof of concept RowPress program that can cause bitflips in a real system that already employs protections against RowHammer," Onur Mutlu, a professor at ETH Zurich and a co-author of a recently published paper titled RowPress: Amplifying Read Disturbance in Modern DRAM Chips [PDF], wrote in an email. "Note that this is not in itself an attack. It simply shows that bitflips are possible and plenty, which can easily form the basis of an attack. As many prior works in security have shown, once you can induce a bitflip, you can use that bitflip for various attacks."
Read more of this story at Slashdot.