Rowhammer is an attack which manipulates bits stored in the DRAM without accessing them. It is working and does damage directly on the hardware. Throwhammer and Nethammer are further implementations of Rowhammer the basic concept therefore is the same the execution however is different. How exactly they work will be discussed in detail in the corresponding subsections. For demonstrating, the software "Hammertime" from the Systems and Network Security Group at Vrije Universiteit Amsterdam is shown.
- Operating system: Ubuntu 18.04 bionic amd64
- Packages: git emacs
Even though the name Rowhammer does not give an idea what is it in first place when looking deeper at what it is it makes absolutely sense. Firstly, let's look at the DRAM which is the main victim of this attack. The DRAM consists of several rows and columns like a Matrix for example. A collection of rows is called a "bank" with the characteristic of each row sharing the same row buffer. Furthermore a collection of banks is called a rank. The DRAM cells are made out of a transistor and capacitor. Depending on the charge of the capacitor the value of the cell is either a 1 or a 0. Since the RAM is volatile, the charge in the cells must be refreshed regularly, so it does not loose the original value. When a row is accessed the horizontal line of the DRAM Matrix of the specific row called the word-line is activated. With the vertical line called the bit-line connecting the different rows vertically with each other. When the wordline is now given a high voltage the values of the row is written into the row buffer, where the values can be modified or read.
Due to the development and enhancement of the performance of DRAMs the cells got denser. A team of researchers found out that, when a row is accessed multiple times and in this case multiple times are at least 139 thousand times within the refresh cycle which is 64 milliseconds for a DDR3 DRAM, disturbance errors occurred. Disturbance errors is a phenomenon where the charge of adjacent cells is leaking to the high amount of accesses of another row. In other words, when row A is accessed 139 thousand times at a minimum row B and C, both are neighbour rows, experience loss of the charge of cells. If the charge however, is not refreshed timely, the cell cannot reproduce the original value. This is called a bit flip. A 1 is recognized as a zero and vice versa.
As mentioned at the beginning of this section, the row must be activated 139 thousand times. Therefore two things must be taken into consideration:
- Cache eviction
- Closing row after being activated
The cache eviction mechanism manages the flushing of the row buffer, so that the row needs to be written into the cache again. Secondly, the row must be closed which happens automatically when another row is activated, if not the row must be closed manually. Rowhammer must be executed locally on the target machine for example via a software downloaded on to the device.
An advanced technique of Rowhammer is the bit flip induction over the network with network packets called Throwhammer. Throwhammer requires a Remote Direct Access Memory enabled network. This allows to bypass the CPU when exchanging network packets, which enhances the performance of the network. Bit flips can be achieved when sending 560.000 packets as a minimum over a internet connection of at least 10Gbps.
Another Rowhammer attack caused by network packets is called Nethammer. This does not need the Remote Direct Access Part. All it needs is a fast internet connection and handcrafted packets. If there is an application on the target machine using uncached memory, bit flips can be induced. However, there are many ways to bypass a cache or to implement cache eviction mechanism, like:
- evicting and reloading the addresses
- using uncached memory which is used on all ARM-based machines for interacting with the hardware
- using non-temporal instructions performing their operations directly on the DRAM
- flushing and reloading the addresses for example
Hammertime is a software which simulates, profiles and tests the DRAM for the vulnerability.
- git clone https://github.com/vusec/hammertime.git
- cd hammertime
- rm -rf ramses
- git rm --cached ramses
- git submodule add https://github.com/vusec/ramses.git
go to hammertime root directory and build it with
Search for the memory configuration with
- sudo ramses/tools/msys_detect.py
Executing the code for profiling the vulnerability
- sudo profile/profile --s 256m mem.msys
Execute the code for profiling the vulnerability and store it in file
- sudo profile/profile --s 256m mem.msys >> example.res
Prettify the file to get a readable output
- py/prettyprofile.py example.res