New Attack Method Distorts Memory Content on AMD Zen Platforms

Researchers from ETH Zurich (the Swiss Federal Institute of Technology in Zurich) have developed the ZenHammer attack method, a variant of the Rowhammer class of attacks, which change the contents of individual bits of dynamic RAM (DRAM), adapted for platforms with AMD processors. Earlier Rowhammer-class attack methods were limited to Intel processors, but the study showed that memory cells can also be corrupted on platforms with memory controllers from AMD.

The method is demonstrated on AMD Zen 2 and Zen 3 systems with DDR4 memory from three leading manufacturers (Samsung, Micron, and SK Hynix). The attack successfully bypasses the TRR (Target Row Refresh) mechanism, which is meant to protect against corruption of memory cells in neighboring rows. Systems based on AMD Zen 3 CPUs are reported to be more vulnerable than systems with Intel Coffee Lake processors, and are easier and more efficient to attack. The researchers also analyzed the possibility of attacking AMD Zen 4 systems with DDR5 memory, but the attack method developed for DDR4 was successfully reproduced on only 1 out of 10 tested DDR5 memory chips. Attacks on DDR5 are not ruled out, but they require the development of more effective read patterns suited to DDR5 devices.

To work with AMD chips, the researchers adapted previously developed exploits: one that changes the contents of entries in the page table (PTE, Page Table Entry), one that gets past the password/privilege check by modifying the memory of the sudo process, and one that corrupts the RSA-2048 public key held in memory by OpenSSH in order to recreate the private key. The page table attack was reproduced on 7 out of 10 DDR4 chips, the attack on the RSA key on 6 chips, and the attack on sudo on 4 chips, with attack times of 164, 267, and 209 seconds, respectively.
