
"As part of a Rowhammer attack, a DRAM memory row is accessed repeatedly to cause electrical interference leading to bit flips in adjacent regions. This could lead to elevation of privileges, data corruption, data leakage, and in breaking memory isolation in virtual environments. After more than a decade of known Rowhammer attacks targeting CPUs and CPU-based memory, a group of University of Toronto researchers this year demonstrated that such attacks are possible and practical against GPUs as well."
"In their paper (PDF), the researchers explain that the protections DDR5 comes with require significantly longer Rowhammer patterns to be bypassed, and that these patterns need to remain in-sync with thousands of refresh commands. Phoenix, however, was designed to resynchronize the pattern when missed refresh operations are detected, thus triggering bit flips that allowed the researchers to create a privilege escalation exploit and gain root on a commodity DDR5 system with default settings."
Phoenix is a practical Rowhammer attack that bypasses the in-DRAM Target Row Refresh (TRR) protections of DDR5 by keeping long Rowhammer patterns synchronized with thousands of refresh commands. Four ETH Zurich academics and two Google researchers reverse-engineered DDR5 TRR schemes and found that a successful attack requires significantly longer hammer patterns than on DDR4, and that those patterns must precisely track thousands of refresh operations. Phoenix detects when a refresh has been missed and resynchronizes the pattern, which is what lets it trigger bit flips. The attack produced bit flips on all 15 SK Hynix DDR5 DIMMs tested and enabled a privilege escalation exploit that gained root on a commodity DDR5 system with default settings. The conclusion is that DDR5 TRR mechanisms alone are insufficient to prevent Rowhammer-induced memory corruption.
Read at SecurityWeek