For those who don’t know Rowhammer access -- or hammer -- physical rows inside vulnerable chips millions of times per second in ways that cause bits in neighbouring rows to flip, meaning 1s turn to 0s and vice versa.
In the past the attacks have been used to give untrusted applications unfettered system privileges, bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources, and root or infect Android devices, among other things.
But previous Rowhammer attacks had hammered rows with uniform patterns, such as single-sided, double-sided, or n-sided. In all three cases, these "aggressor" rows -- meaning those that cause bitflips in nearby "victim" rows -- are accessed the same number of times.
Research published on Monday uses non-uniform patterns that access two or more aggressor rows with different frequencies.
The result is that all 40 of the randomly selected DIMMs in a test pool experienced bitflips, up from 13 out of 42 chips tested in previous work (PDF) from the same researchers.
Kaveh Razavi and Patrick Jattke, two of the research authors, said that by creating special memory access patterns it was possible to bypass mitigations that are deployed inside DRAM,/
"This increases the number of devices that can potentially be hacked with known attacks to 80 percent. These issues cannot be patched due to their hardware nature and will remain with us for many years to come."
The non-uniform patterns work against Target Row Refresh. Abbreviated as TRR, the mitigation works differently from vendor to vendor but generally tracks the number of times a row is accessed and recharges neighbouring victim rows when there are signs of abuse.
Fixing this defence puts further pressure on chipmakers to mitigate a class of attacks that many people thought more recent types of memory chips were resistant to.
In Monday's paper, the researchers wrote that proprietary, undocumented in-DRAM TRR is the only mitigation that stands between Rowhammer and attackers exploiting it in various scenarios such as browsers, mobile phones, the cloud, and even over the network.
The paper shows how deviations from known uniform Rowhammer access patterns allow attackers to flip bits on all 40 recently acquired DDR4 DIMMs, 2.6x more than the state of the art. The effectiveness of these new non-uniform patterns in bypassing TRR highlights the need for a more principled approach to address Rowhammer.
"While PCs, laptops, and mobile phones are most affected by the new findings, the report notes that cloud services like AWS and Azure "remain largely safe from Rowhammer because they use higher-end chips that include a defense known as ECC, short for Error Correcting Code."
"Our work confirms that the DRAM vendors' claims about Rowhammer protections are false and lure you into a false sense of security," the researchers wrote.
"All currently deployed mitigations are insufficient to fully protect against Rowhammer. Our novel patterns show that attackers can more easily exploit systems than previously assumed."
