New Rowhammer attacks may bypass ECC protection

Row hammer (also written as rowhammer) is an unintended side effect in dynamic random-access memory (DRAM): repeatedly activating one row causes cells in physically adjacent rows to leak charge through electrical interference, which can disturb or change the contents of memory rows that were never addressed. This breakdown of the isolation between DRAM cells results from the high cell density of modern DRAM and can be triggered by specially crafted memory access patterns that activate the same rows many times in quick succession, before the periodic refresh restores them. By hammering a pair of aggressor rows hundreds of thousands of times within one refresh window, an attacker can flip bits in a victim row from 0 to 1 or from 1 to 0. Such bit flips have been used by untrusted applications to gain almost arbitrary system privileges and to escape the sandboxes that keep malicious code away from sensitive system resources.
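The access pattern described above, as an added C example written for this page (it is not the researchers' code): two aggressor addresses are read and flushed from the cache in a tight loop so that every read re-activates a DRAM row, and the victim pattern is then compared against what was written. The buffer size, the choice of the buffer's first and last byte as aggressors, and the iteration count are assumptions for illustration; a working attack picks aggressors from the DRAM rows physically adjacent to the victim, which needs the physical-address-to-row mapping this example does not derive. It hammers only on x86-64 (clflush); on other architectures the flush is a no-op and the loop cannot disturb DRAM.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* clflush forces the next access to go to DRAM; without it the cache would
 * satisfy the reads and the row would never be re-activated. */
#if defined(__x86_64__) && defined(__SSE2__)
#include <emmintrin.h>
static inline void flush_line(const volatile void *p) { _mm_clflush((const void *)p); }
#else
static inline void flush_line(const volatile void *p) { (void)p; } /* no flush: cannot hammer */
#endif

/* Core of the access pattern: alternate between two aggressor rows so the DRAM
 * row buffer must be re-opened for every pair of reads. The reads are volatile
 * so the compiler cannot hoist or drop them; their sum is returned only to
 * keep the loop honest. */
uint64_t hammer(volatile uint8_t *aggr1, volatile uint8_t *aggr2, uint64_t iterations)
{
    uint64_t sum = 0;
    for (uint64_t i = 0; i < iterations; i++) {
        sum += *aggr1;
        sum += *aggr2;
        flush_line(aggr1);
        flush_line(aggr2);
    }
    return sum;
}

/* Number of bits that differ between the pattern written and the memory read back. */
size_t count_bit_flips(const uint8_t *expected, const uint8_t *actual, size_t len)
{
    size_t flips = 0;
    for (size_t i = 0; i < len; i++)
        flips += (size_t)__builtin_popcount((unsigned)(expected[i] ^ actual[i]));
    return flips;
}

/* Fill a buffer, hammer its first and last byte as the two aggressors (an
 * assumption for illustration, not a row-aware choice), then count flips. */
size_t hammer_and_check(size_t len, uint8_t pattern, uint64_t iterations)
{
    uint8_t *region = malloc(len), *expected = malloc(len);
    if (!region || !expected) { free(region); free(expected); return 0; }
    memset(region, pattern, len);
    memset(expected, pattern, len);
    hammer(region, region + len - 1, iterations);
    size_t flips = count_bit_flips(expected, region, len);
    free(region);
    free(expected);
    return flips;
}

int main(void)
{
    /* 8 MiB spans many DRAM rows; this still only demonstrates the loop. */
    size_t flips = hammer_and_check(8u << 20, 0xFF, 1000000);
    printf("bit flips observed: %zu\n", flips);
    return 0;
}
```

On a small heap buffer the two aggressors are almost never in the rows directly above and below the same victim row, so no flips are expected from the example itself; its point is the read-then-flush loop and the write-hammer-compare check that every Rowhammer harness is built around.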


ECC (error-correcting code) memory, supported by server-class CPUs and DIMMs, has been assumed to protect against such bit flips, but recent research has shaken that assumption. A new Rowhammer attack called ECCploit bypasses ECC protection. The researchers say their paper shows that Rowhammer remains a real threat even on ECC-equipped systems.

They reverse engineered how the ECC implementation works and discovered a timing side channel: when the memory controller detects and corrects a single-bit error, the access takes measurably longer than a normal one. By carefully timing memory accesses, the attacker can tell that a flip occurred even though the corrected data looks clean, and can infer where and at what granularity flips happen inside the chip. Common ECC schemes correct one flipped bit per word and only detect two, so once enough flippable bits have been mapped this way, triggering several flips in the same ECC word at once can slip past the correction.
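To make concrete why one-at-a-time flip detection is enough to defeat ECC (the point of the two paragraphs above), here is an added C example, not taken from the paper, of the SEC-DED Hamming(72,64) code that standard ECC DIMMs use: 64 data bits, 7 check bits and one overall parity bit per word. The decoder corrects any single flip and flags any double flip, but three flips in one 72-bit word can produce the syndrome of a single correctable error, so the decoder "corrects" the wrong bit and hands back corrupted data with a clean status. The slot numbering, helper names and the test word are this example's own; a real controller's bit layout is vendor-specific, which is why the researchers had to reverse engineer it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define CW_BITS 72   /* 64 data + 7 Hamming check bits + 1 overall parity bit */
#define HAM_POS 71   /* Hamming slots 1..71; cw[0] holds the overall parity */

typedef enum { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE } ecc_status;

static bool is_pow2(unsigned x) { return x && !(x & (x - 1)); }

/* Encode 64 data bits into a 72-bit SEC-DED codeword, one bit per array slot. */
void secded_encode(uint64_t data, uint8_t cw[CW_BITS])
{
    unsigned k = 0;
    for (unsigned i = 0; i < CW_BITS; i++) cw[i] = 0;
    for (unsigned pos = 1; pos <= HAM_POS; pos++)       /* data in non-power-of-two slots */
        if (!is_pow2(pos)) cw[pos] = (data >> k++) & 1;
    for (unsigned p = 1; p <= HAM_POS; p <<= 1) {       /* check bit p covers slots with bit p set */
        uint8_t parity = 0;
        for (unsigned pos = 1; pos <= HAM_POS; pos++)
            if ((pos & p) && pos != p) parity ^= cw[pos];
        cw[p] = parity;
    }
    uint8_t all = 0;                                     /* overall parity: double-error detection */
    for (unsigned pos = 1; pos <= HAM_POS; pos++) all ^= cw[pos];
    cw[0] = all;
}

/* Decode: the syndrome names the slot of a single flipped bit, and the overall
 * parity tells odd from even flip counts. Three flips look like one flip. */
ecc_status secded_decode(uint8_t cw[CW_BITS], uint64_t *data)
{
    unsigned syndrome = 0;
    uint8_t parity = 0;
    for (unsigned pos = 0; pos <= HAM_POS; pos++) {
        parity ^= cw[pos];
        if (pos && cw[pos]) syndrome ^= pos;
    }
    ecc_status st = ECC_OK;
    if (parity) {                          /* odd flip count: decoder assumes exactly one */
        if (syndrome > HAM_POS) return ECC_UNCORRECTABLE;
        cw[syndrome] ^= 1;                 /* syndrome 0 => the overall parity bit itself */
        st = ECC_CORRECTED;
    } else if (syndrome) {
        return ECC_UNCORRECTABLE;          /* even and nonzero: double-bit error detected */
    }
    uint64_t out = 0;
    unsigned k = 0;
    for (unsigned pos = 1; pos <= HAM_POS; pos++)
        if (!is_pow2(pos)) out |= (uint64_t)cw[pos] << k++;
    *data = out;
    return st;
}

/* Encode `data`, flip the comma-separated codeword slots in `flips` (e.g. "3,5,6"),
 * decode, and return what the decoder hands back; status via pointer if wanted. */
uint64_t inject_and_decode(uint64_t data, const char *flips, ecc_status *status)
{
    uint8_t cw[CW_BITS];
    uint64_t out = 0;
    secded_encode(data, cw);
    while (*flips) {
        char *end;
        unsigned long pos = strtoul(flips, &end, 10);
        if (end == flips) break;
        if (pos < CW_BITS) cw[pos] ^= 1;
        flips = (*end == ',') ? end + 1 : end;
    }
    ecc_status st = secded_decode(cw, &out);
    if (status) *status = st;
    return out;
}

ecc_status status_after_flips(uint64_t data, const char *flips)
{
    ecc_status st;
    inject_and_decode(data, flips, &st);
    return st;
}

int main(void)
{
    const uint64_t word = 0x0123456789ABCDEFull;        /* constructed test word */
    const char *cases[] = { "", "7", "3,5", "3,5,6" };
    const char *names[] = { "OK", "CORRECTED", "UNCORRECTABLE" };
    for (unsigned i = 0; i < 4; i++) {
        ecc_status st;
        uint64_t out = inject_and_decode(word, cases[i], &st);
        printf("flips [%-5s] -> %-13s %s\n", cases[i], names[st],
               st == ECC_UNCORRECTABLE ? "rejected" :
               out == word ? "data intact" : "data CORRUPTED but accepted as good");
    }
    return 0;
}
```

The "3,5,6" case is the one that matters: slots 3, 5 and 6 carry data bits 0, 1 and 2, their indices XOR to a zero syndrome, and the odd overall parity makes the decoder blame its own parity bit. It reports a routine single-bit correction while returning a word with three wrong bits. An attacker who can find flippable bits one at a time (each such flip is corrected, but the correction latency leaks it) can then look for three of them inside one 72-bit word and trigger them together.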

The researchers tested ECCploit on an AMD Opteron 6376 (Bulldozer, family 15h), an Intel Xeon E3-1270 v3 (Haswell), an Intel Xeon E5-2650 v1 (Sandy Bridge) and an Intel Xeon E5-2620 v1 (Sandy Bridge). The attack is not reliable, and the evaluation covered DDR3 DIMMs only.