A New Approach for Rowhammer Attacks

Click on the Twitter link for the PDF:

A New Approach for Rowhammer Attacks

Rowhammer is a hardware bug identified in recent commodity DRAMs: repeated row activations can cause bit flips in adjacent rows. Rowhammer has been recognized as both a reliability and security issue. And it is a classic example that layered abstractions and trust (in this case, virtual memory) can be broken from hardware level. Previous rowhammer attacks either rely on rarely used special instructions or complicated memory access patterns. In this paper, we propose a new approach for rowhammer that is based on x86 non-temporal instructions. This approach bypasses existing rowhammer defense and is much less constrained for a more challenging task: remote rowhammer attacks, i.e., triggering rowhammer with existing, benign code. Moreover, we extend our approach and identify libc memset and memcpy functions as a new rowhammer primitive. Our discussions on rowhammer protection suggest that it is critical to understand this new threat to be able to defend in depth.

AMI’s firmware tools, and Rowhammer

I’m confused. Dragos points to AMI’s Utilities page and mentions that AMI now has Rowhammer protection. But I don’t see where he’s getting the Rowhammer improvement. If someone knows what he’s talking about, please speak up.

I do wish that AMI would make these tools available to sysadmins and security researchers, not just for their partners. Imagine how much harder it would be to diagnose Windows app problems if Microsoft did not make their SDK available to the public. That’s what it is like with firmware vendors and their tools. 😦

BIOS/UEFI Utilities for Aptio and AMIBIOS

Code available for new rowhammer research

More on this recent research:


The source is a single C++ file (not Javascript, like the Github project name hints at), built targets for Sandy/Ivy/Haswell/Skylake, works on 64-bit Linux. Usage:

# ./rowhammer[-architecture] [-t nsecs] [-p percent] [-c cores] [-d dimms] [-r row] [-f first_offset] [-s second_offset]
    ”-c” the number of cores (only important with ”#define EVICTION_BASED”)
    ”-p” percent of memory to use
    ”-d” number of dimms (very important)
    ”-r” loop only over the specified row
    ”-f” only test addresses with the specified first aggressor offset
    ”-s” only test addresses with the specified second aggressor offset



Skylake and Rowhammer


Reverse Engineering Intel DRAM Addressing and Exploitation
Peter Pessl, Daniel Gruss, Clémentine Maurice, Michael Schwarz, Stefan Mangard

In this paper, we present a method to reverse engineer DRAM addressing functions based on a physical bus probing. Second, we present an automatic and generic method to reverse engineer DRAM addressing functions merely from performing a timing attack. This timing attack can be performed on any system without privileges and even in virtual machines to derive information about the mapping to physical DRAM channels, ranks and banks. We reversed the complex adressing functions on a diverse set of Intel processors and DRAM configurations. Our work enables side-channel attacks and covert channels based on inner-bank row conflicts and overlaps. Thus, our attack does not exploit the CPU as a shared resource, but only the DRAM that might even be shared across multiple CPUs. We demonstrate the power of such attacks by implementing a high speed covert channel that achieves transmission rates of up to 1.5Mb/s, which is three orders of magnitude faster than current covert channels on main memory. Finally, we show how our results can be used to increase the efficiency of the Rowhammer attack significantly by reducing the search space by a factor of up to 16384.


rowhammer and unnamed memory vendors

“We had anonymous contact offering to act as a go between between us and unnamed memory companies, with a view to paying us not release the new version of MemTest86. Who knows how serious the offer was.”