VU researchers confront chip manufacturers with a false solution for the Rowhammer bug
Researchers from VUSec at the Vrije Universiteit Amsterdam conclude in a study released today that most computer systems are still very easy to hack, due to a vulnerability in memory chips produced by Samsung, Micron and Hynix, the three major DRAM manufacturers in the world.
03/10/2020 | 9:00 AM
The vulnerability in question is called Rowhammer, a design flaw in a device's internal memory (DRAM) chips. By exploiting this flaw, an attacker could gain control of the device. Rowhammer was made public eight years ago. After a series of much-discussed Rowhammer attacks, CPU and DRAM manufacturers were eagerly looking for a definitive hardware solution to the Rowhammer problem. They came up with Target Row Refresh (TRR).
TRR as the silver bullet
It was assumed that Rowhammer was no longer a danger on the newest generation of systems with DDR4 memory modules protected by TRR. Manufacturers presented TRR as the silver bullet and advertised Rowhammer-free products. These chips are in PCs, laptops, phones and servers.
No real solution
However, the VUSec researchers, led by Herbert Bos, Cristiano Giuffrida and Kaveh Razavi, in collaboration with scientists from ETH Zurich and Qualcomm, noticed that very little is actually known about how TRR works, how it is applied and how effective it really is. In the research of their PhD students Emanuele Vannacci and Pietro Frigo, published today, they analyzed TRR. They conclude that TRR does not solve the Rowhammer problem, and that there is no prospect of a solution in the near future.
DDR4 chips more vulnerable than their predecessors
Cristiano Giuffrida, researcher at VUSec, explains: “The results of our research are worrisome and show that Rowhammer is not only still unsolved, but also that the vulnerability is widespread, even in the very latest DRAM chips. Moreover, we see that the new DDR4 chips are even more vulnerable to Rowhammer than their DDR3 predecessors.”
"Security by obscurity"
In their research, the computer scientists also question the "security by obscurity" approach used by manufacturers. That means that the mitigation for a vulnerability only works, and therefore only offers security, as long as nobody finds out how the mitigation actually works. "Sooner or later someone will naturally discover how the mitigation actually works. And then safety is gone. Manufacturers say that they keep their solutions secret because of market competition."
Tech companies nervous
That the Rowhammer bug has not been tackled by TRR is bad news for the big tech companies and a reason for nervousness. According to the researchers, a cloud provider that wants to guarantee security for its customers should try to physically separate untrusted programs from other software and data. This can of course be quite expensive. For consumers themselves, the consequences of the Rowhammer bug are probably not very large, because there are simpler ways to hack phones or computers.
Far from a solution
VUSec has also worked on various software solutions. While these solutions provide stronger guarantees, they are unfortunately expensive. Giuffrida: "Ultimately, the problem must be resolved deep in the hardware and that is only possible by the hardware manufacturers. In the meantime, our software solutions can help, in combination with measures that administrators can take now to make it harder for attackers (for example, by increasing the ‘refresh rate’ of your memory).”
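To make the two mitigations named on this page concrete, here is a toy simulation (added here; not VUSec's code and not based on any real DIMM) of a DRAM array in which repeatedly activating a row disturbs its two neighbours. It models TRR as a small table of activation counters that triggers a targeted refresh of an aggressor's neighbours once a counter reaches a threshold, and it models the administrator's refresh-rate knob as the length of the periodic full-refresh window. The flip threshold, the refresh interval, the number of TRR counters and the TRR threshold are all constructed values chosen for illustration.

```python
"""Toy Rowhammer / TRR / refresh-rate model.

Added illustration, not VUSec or TRRespass code. Every number here is a
constructed assumption; it does not describe any real memory module.
Time is measured in row activations, and a full refresh of the whole array
happens every `refresh_interval` activations, so a higher refresh rate
corresponds to a smaller interval.
"""
from collections import defaultdict


def run(pattern, activations, refresh_interval, flip_threshold=5000,
        trr_counters=0, trr_threshold=0):
    """Replay `pattern` (row numbers activated in turn) for `activations`
    steps and return the set of rows whose disturbance count reached
    `flip_threshold` before a refresh cleared it.

    trr_counters  - size of the (assumed) TRR aggressor-tracking table;
                    0 disables TRR entirely.
    trr_threshold - activations of a tracked row after which its two
                    neighbours get a targeted refresh.
    """
    disturbance = defaultdict(int)  # per row: neighbour activations since its last refresh
    tracked = {}                    # TRR table: aggressor row -> activation count
    flipped = set()

    for t in range(1, activations + 1):
        row = pattern[(t - 1) % len(pattern)]

        # Activating `row` disturbs the rows physically adjacent to it.
        for victim in (row - 1, row + 1):
            disturbance[victim] += 1
            if disturbance[victim] >= flip_threshold:
                flipped.add(victim)

        # TRR: count activations of at most `trr_counters` distinct rows and
        # refresh the neighbours of any row whose count hits the threshold.
        if trr_counters:
            if row in tracked or len(tracked) < trr_counters:
                tracked[row] = tracked.get(row, 0) + 1
                if tracked[row] >= trr_threshold:
                    disturbance[row - 1] = 0
                    disturbance[row + 1] = 0
                    tracked[row] = 0

        # Periodic full refresh: every row's charge is restored, so all
        # accumulated disturbance (and the TRR table) is reset.
        if t % refresh_interval == 0:
            disturbance.clear()
            tracked.clear()

    return flipped


if __name__ == "__main__":
    hammer = [10, 12]  # alternately activate the two rows around row 11
    print("no TRR, refresh every 8000:", run(hammer, 20000, 8000))
    print("no TRR, refresh every 4000:", run(hammer, 20000, 4000))
    print("TRR (2 counters), refresh every 8000:",
          run(hammer, 20000, 8000, trr_counters=2, trr_threshold=1000))
```

With the constructed parameters, alternately activating rows 10 and 12 pushes row 11 past the flip threshold within one 8000-activation window; halving the refresh interval (doubling the refresh rate) keeps row 11 below the threshold, and so does the modelled TRR, which refreshes row 11 every thousand activations of either aggressor. The model is deliberately simple: it says nothing about the real TRR implementations the paper examined, only how the two knobs named in the text are meant to act.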
The scientists' project website contains all practical information and Q&As about this new vulnerability and how to deal with it.
VUSec in the news
VUSec was also in the news in May and November 2019 about security flaws in Intel chips. Also read the New York Times article about this. In 2018, VUSec published news about vulnerabilities in Android devices. In 2016 and 2017, the researchers won a total of three Pwnie Awards - also known as the Oscars of the hacking world - for discovering various vulnerabilities.