Rowhammer takes advantage of a design defect in dynamic random-access memory, or DRAM, chips, which provide the high-speed data storage for a computer’s CPU. The most common DRAM standard today is called DDR3, ubiquitous on laptops, workstations, servers, phones, and tablets.
DDR3 memories are also littered across non-commercial embedded applications (industrial, medical, military).
A single DRAM chip contains billions of electrical capacitors, each of which stores a single bit. The sheer density of capacitors on these memory chips, however, causes a problem. By “hammering” a row of bits repeatedly, constantly changing their values, an attacker can sometimes induce an electrical interference in which capacitors in a different, adjacent row are mistakenly flipped. If the attacker can sufficiently control what’s in that adjacent row, then the attacker can manipulate your computer without authorization.
At the most basic level, memory robustness is verified by focusing on a single cell’s ability to affect neighboring cells. See this excerpt from the folks at ParkMass software, who develop the acclaimed Memtest86 memory test software:
Memory chips consist of a large array of tightly packed memory cells, one for each bit of data. The vast majority of the intermittent failures are a result of interaction between these memory cells. Often writing a memory cell can cause one of the adjacent cells to be written with the same data. An effective memory test attempts to test for this condition. Therefore, an ideal strategy for testing memory would be the following:
- write a cell with a zero
- write all of the adjacent cells with a one, one or more times
- check that the first cell still has a zero
How memory manufacturers will add robustness to prevent a row of cells from affecting a neighboring row may be a challenge, but this testing philosophy could be scaled to toggle groups of cells within a row to help determine if the memories are at risk for an attack similar to Rowhammer.
I hope that I never see this thing.
(via Alex King)