ZenHammer comes down on AMD Zen 2 and 3 systems

ZenHammer would be the perfect name for a heavy metal band, but alas, it's an AMD-focused variant of the decade-old Rowhammer attack that compromises computers by flipping bits of memory. Rowhammer was first proposed in a paper [PDF] published June 2014 by researchers at Carnegie Mellon University and Intel. It's a technique …

  1. Mike 137 Silver badge

    Once inside ...

    "The threat model assumes the attacker knows the CPU model of the target machine and has obtained DRAM address mappings using a reverse engineering tool. It also assumes that an unprivileged attacker can execute programs on the victim's machine."

    Interesting as a piece of theoretical research, but once the perp can do all this (indeed merely a subset of this) they can do almost anything they want without resorting to complex silicon-specific attack vectors. Most organisations are so utterly wide open that they can be breached using free-to-download tools off the web, so these advanced techniques are actually unnecessary as well as hard to accomplish.

    1. Anonymous Coward

      Re: Once inside ...

      Let me introduce you to my friend social engineering. First you find out who supplies the hardware then as a prospective client speak to a sales droid at said company and they will happily give up that information as they love to boast. Ok so you are going to need some other way to get in there first but this then theoretically can take you further. Another point is that this isn't just privilege escalation.

      1. Anonymous Coward

        And as the article points out

        Both the preceding attack and this one can probably be induced remotely, and attacks tend to get worse over time as they change, as well as being chained with others.

        Hardware attacks such as these shouldn't be dismissed out of hand.

  2. aerogems Silver badge

    Maybe it's time for Intel and AMD to slow down on the number of new chips they make every year. We've arguably reached a point where just throwing more cores or higher clock speeds does little to improve performance much because that's not the performance bottleneck on a PC. So, maybe instead of coming out with a slightly better model every year, they could go back to the days of old where they might only come out with a new CPU every 3-4 years, and it would be a much more significant upgrade. The 286 to 386 was a much bigger leap than say the 12th gen Core ix and the 13th gen.

    That extra time gives the chip designers a chance to find and address these issues before they start etching it into silicon where it becomes impossible to change. Sometimes you can mitigate the issue with a microcode update, but that's no guarantee, and it usually comes at the cost of performance.

    1. Spazturtle Silver badge

      On the contrary, I think they should completely abandon trying to secure these cores. For things that need security they should add a separate in-order secure core that has no speculative execution. So we would end up with a CPU with three types of core: performance cores, efficiency cores and secure cores.

      1. david 12 Silver badge

        This is not a speculative execution hack. It's a DDR memory exploit.

        It's specific to specific chipsets because it's a timing and addressing exploit, and timing and addressing is specific to MB design and processor design.

        The problem arises because of the memory density of modern memory. The solution is to use secure memory, and there are and have been partially-successful attempts to make memory more secure, by doing things like increasing the refresh rate.

        Not surprisingly, secure memory runs slower, hotter and more expensive. I guess you could design a memory system that had a small cache of secure memory, but that runs counter to current attempts at security which randomize location, so that critical code is more difficult to find in memory.

        1. This post has been deleted by its author

        2. Spazturtle Silver badge

          The whole current paradigm of out-of-order, speculative execution, unstable DDR that depends on error correction, etc. is rotten from a security standpoint. And trying to patch it up just defeats the whole reason we switched to it, which was performance.

          "I guess you could design a memory system that had a small cache of secure memory, but that runs counter to current attempts at security which randomize location, so that critical code is more difficult to find in memory."

          You could stack some SRAM on top of a secure core for it to use as RAM, and make it so that only the secure core can access it and the secure core can't access system RAM. I don't claim to have all the answers but clearly what we are trying now is just not working.

          1. user555

            Stay on topic

            You guys have wandered off into talking about the microarchitecture vulnerabilities, which the Rowhammer exploits have nothing to do with. This is a DRAM problem that has possibly existed since the original invention of DRAM, although I suspect it's only a recently exploitable problem due to the tight cell density of modern DRAMs.

            It will be solvable at the DRAM level. Just it's not as quick a fix as simply tweaking the timings ... and the industry probably still has to focus on the flaw seriously. The fact that one row can mess with its neighbouring row even while fully refreshed says there is need for design improvements in the DRAMs themselves.

            It'll be a form of crosstalk. And that sucks because the way to deal with crosstalk in both cabling and board layout is with shielding. Shielding in a memory array is going to cost space, and that means reduced cell density. :(

            1. user555

              Re: Stay on topic

              Just to be clear, this is a bigger problem than exploits. Corruption of neighbouring rows is entirely possible in regular use. This is a general reliability issue.
