Rowhammer attacks can now bypass ECC memory protections

Attack works against ECC memory included with DDR3 memory, but researchers believe DDR4 is also vulnerable.
Written by Catalin Cimpanu, Contributor

Academics from the Vrije University in Amsterdam, Holland, have published a research paper today describing a new variation of the Rowhammer attack.

For readers unfamiliar with the term, Rowhammer is the name of a class of exploits that takes advantage of a hardware design flaw in modern memory cards.

By default, a memory card stores temporary data inside storage units named cells, which are arranged on the physical silicon chip in multiple rows, in the form of a grid.

In 2014, researchers discovered that by repeatedly reading data stored on one row, they could create an electrical field that would alter data stored on nearby memory rows, either corrupting that data or manipulating it in malicious ways.

In the years following the discovery of the original Rowhammer attack, academics expanded the methods and exploitation scenarios, showing that their initial discovery couldn't be ignored by hardware makers, as there were numerous ways that an attacker could, theoretically, use it:

In research published today, named ECCploit, academics expanded the previous Rowhammer techniques with yet another variation. This one, they said, bypasses ECC memory, one of the memory protections that hardware makers said could detect and prevent Rowhammer attacks in the past.

ECC stands for Error-Correcting Code and is a type of memory storage included as a control mechanism with high-end RAM, typically deployed with expensive or mission-critical systems.

ECC memory works by protecting against rogue bit flips, like the ones caused by Rowhammer attacks. Surprisingly, it wasn't developed to deal with Rowhammer. It was initially developed in the 90s to protect against bit flips caused by alpha particles, neutrons, or other cosmic rays, but when Rowhammer came out, it proved to be effective against it as well.

But after spending months reverse engineering the designs of ECC memory, the Vrije University team discovered that this protection mechanism has its limits.

Researchers said they discovered that ECC memory can only detect and correct one bit flip at a time in a memory segment it's supposed to watch over.

ECC memory gets overwhelmed when two simultaneous bit flips occur in the same memory segment, and in these uncommon cases, the ECC memory crashes the underlying app to avoid data corruption or a security compromise.

However, Vrije researchers say they've discovered that if a Rowhammer attack causes three simultaneous bit flips, ECC memory neither crashes the app nor reacts at all, leading to a complete bypass of the ECC protections.
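The one-flip, two-flip and three-flip behavior described above can be reproduced with a textbook single-error-correct, double-error-detect (SECDED) code. The Python below is an added example, not code from the article or from the ECCploit research. It assumes an extended Hamming (72,64) layout, while real memory controllers use their own vendor-specific ECC functions. In this code, three flips are misread as a single flipped bit and "fixed" into wrong data without raising an uncorrectable error.

```python
# Added illustration: a textbook extended-Hamming SECDED(72,64) code.
# Assumption: real memory controllers use their own, vendor-specific ECC functions.
CODE_LEN = 72                                  # bit 0 = overall parity, bits 1..71 = Hamming code
PARITY_POS = [1, 2, 4, 8, 16, 32, 64]          # Hamming parity bits sit at powers of two
DATA_POS = [p for p in range(1, CODE_LEN) if p not in PARITY_POS]   # 64 data positions

def syndrome(word):
    """XOR of the positions of all set bits; 0 for a valid codeword."""
    s = 0
    for pos in range(1, CODE_LEN):
        if word[pos]:
            s ^= pos
    return s

def encode(data):
    """Spread 64 data bits over the data positions and fill in the parity bits."""
    word = [0] * CODE_LEN
    for i, pos in enumerate(DATA_POS):
        word[pos] = (data >> i) & 1
    s = syndrome(word)
    for p in PARITY_POS:
        word[p] = 1 if s & p else 0            # force the syndrome to zero
    word[0] = sum(word) & 1                    # make overall parity even
    return word

def flip(word, positions):
    """Return a copy of word with the given bit positions inverted (simulated flips)."""
    out = list(word)
    for pos in positions:
        out[pos] ^= 1
    return out

def decode(word):
    """Return (status, data) the way a SECDED decoder classifies the word."""
    s, odd = syndrome(word), sum(word) & 1
    if s == 0 and not odd:
        status, fixed = "clean", word
    elif odd and s < CODE_LEN:                 # odd parity: assumed to be ONE flipped bit
        status, fixed = "corrected", flip(word, [s])
    else:                                      # even parity or out-of-range syndrome
        return "uncorrectable", None
    return status, sum(fixed[pos] << i for i, pos in enumerate(DATA_POS))

if __name__ == "__main__":
    data = 0x0123456789ABCDEF                  # constructed sample value
    cw = encode(data)
    for flips in ([], [9], [3, 5], [3, 5, 9]):
        status, out = decode(flip(cw, flips))
        print(len(flips), "flips:", status, None if out is None else hex(out))
```

Not every three-flip pattern slips through this particular code: some produce a syndrome that points outside the 72-bit word and are reported as uncorrectable.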

The good news is that this is not something to get alarmed over. Rowhammer attacks, ever since coming to light in 2014, have never been anything but theoretical attacks explored by academics.

Rowhammer attacks are akin to the Meltdown and Spectre CPU flaws. They are theoretical attacks that have never been used in the wild, but which reveal major design flaws in the hardware that underpins most of our modern technology.

For now, researchers argue that companies should not avoid using ECC memory because of their research. This is because an ECCploit attack takes anywhere from 32 minutes to a week to execute, meaning it's not even remotely as dangerous as it sounds.

The Rowhammer ECCploit attack is the type of research that researchers hope will influence how vendors design and ship hardware in the future, and is not something that experts expect to see used by malware in the near future.
