msporer
Guest
Rowhammer
Lots of press this week on:
Rowhammer is a vulnerability in DRAM devices that allows for attacks such as privilege escalation and sandbox escape. Repeatedly accessing a row in recent DRAM devices can cause bit flips in adjacent rows, and attacks demonstrated and documented by the Google Project Zero team have used this behavior to gain kernel privileges on x86-64 Linux machines (from unprivileged user-land).
The x86 exploit utilizes repeated <code>CLFLUSH</code> instructions to induce bit-flipping and gain read-write access to all of physical memory. However, the Google team believes this vulnerability exists on other machines and operating systems.
<q id="control_gen_6">Row hammer is not random, nor single bit upset, so ECC does not handle it. That's why it can be exploited and why this is a big deal. Row hammer was well understood in the 1980's because DRAM were susceptible to it back then. It has nothing to do with process geometry, it is quite simple that they cut the corner too close on the bitcell/array design. In the '80s the CPU had direct access to the DRAM (no cache), but as caches were introduced the statistical likelihood of row hammer went away. In a normal system it is not an issue, but if you bypass the cache, or deliberately write code that can hammer rows you are going to have problems if it is a susceptible design.</q>
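The ECC point in the quote above, as an added example that is not part of the original post: a toy SECDED code, extended Hamming(8,4), standing in for the (72,64) SECDED code used on typical ECC DIMMs. It assumes several flips land in the same ECC word; all names and the sample value are constructed for illustration.

```python
# Added illustration (not from the original post): SECDED corrects one flipped
# bit per word, detects two, and silently miscorrects three.
DATA_POS = (3, 5, 6, 7)  # codeword bit positions that carry the 4 data bits


def syndrome(cw):
    """XOR of the positions (1..7) of all set bits; 0 for a valid codeword."""
    s = 0
    for pos in range(1, 8):
        if cw >> pos & 1:
            s ^= pos
    return s


def encode(nibble):
    cw = 0
    for i, pos in enumerate(DATA_POS):
        cw |= (nibble >> i & 1) << pos
    s = syndrome(cw)
    for p in (1, 2, 4):            # parity bits chosen so the syndrome is 0
        if s & p:
            cw |= 1 << p
    cw |= bin(cw).count("1") & 1   # bit 0: overall even parity
    return cw


def decode(cw):
    """Return (data, status) the way a SECDED memory controller would see it."""
    s = syndrome(cw)
    odd = bin(cw).count("1") & 1
    if s == 0 and not odd:
        status = "clean"
    elif odd:                      # odd parity is treated as a single-bit error
        cw ^= 1 << s               # s == 0 means the parity bit itself flipped
        status = "corrected"
    else:                          # even parity, nonzero syndrome: two flips
        return None, "uncorrectable"
    data = sum((cw >> pos & 1) << i for i, pos in enumerate(DATA_POS))
    return data, status


def flip(cw, *positions):
    for pos in positions:
        cw ^= 1 << pos
    return cw


if __name__ == "__main__":
    word = encode(0b1011)          # constructed sample value
    for hits in [(), (5,), (5, 6), (3, 5, 6)]:
        print(len(hits), "flips ->", decode(flip(word, *hits)))
```

With three flips the decoder reports "corrected" yet returns different data, so the error is not flagged at all.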