Generated by GPT-5-mini

| Rowhammer | |
|---|---|
| Name | Rowhammer |
| Caption | DRAM module with highlighted rows |
| Type | Hardware-based memory vulnerability |
| Discovered | 2014 |
| Discovered by | Google Project Zero |
| Affected | Dynamic random-access memory (DRAM) |
| Mitigation | Firmware updates, ECC, software hardening |

Rowhammer is a hardware-based security vulnerability affecting modern dynamic random-access memory (DRAM) devices, where repeated activation of memory rows induces bit flips in adjacent rows. First publicized by researchers in 2014, the phenomenon has generated wide interest across Google, Intel Corporation, Samsung Electronics, Micron Technology, and academic institutions such as the University of Michigan and the University of California, Berkeley. Research has linked Rowhammer to attacks demonstrated on platforms produced by Apple Inc., Google LLC, Microsoft Corporation, Amazon Web Services, and major original equipment manufacturers like Dell Technologies, HP Inc., and Lenovo.
Rowhammer manifests in commodity Double Data Rate SDRAM modules including DDR3 SDRAM and DDR4 SDRAM, and has implications for systems using processors from Intel Corporation, Advanced Micro Devices, and ARM Holdings licensees such as Qualcomm. The effect arises because of physical proximity and electrical coupling between DRAM cells, and it undermines assumptions relied upon by operating systems like Linux, Microsoft Windows, and FreeBSD, as well as hypervisors from VMware and Xen Project. Industry responses have involved coordination among standards bodies including the JEDEC Solid State Technology Association and vendors such as SK Hynix.
Repeated activation, or "hammering", of a DRAM row influences capacitive and electromagnetic behavior in neighboring rows made by manufacturers like Micron Technology, Samsung Electronics, and SK Hynix. The process exploits physical effects in the silicon substrates produced in fabs owned by TSMC and GlobalFoundries, and is influenced by memory controller policies implemented in processors from Intel Corporation and AMD. Rowhammer-related errors are observed in modules with cell geometries pushed by process nodes associated with 14 nm, 10 nm, and smaller technologies. Device firmware and microcode from Intel Management Engine and boot firmware like UEFI implementations can change refresh rates or remapping policies that affect susceptibility. Error-correcting code memories used in servers by Google, Facebook, and Amazon Web Services employ ECC schemes that may mitigate some flips, but single-bit errors can still be exploited when combined with cache eviction policies used in processors such as ARM Cortex-A series.
Public exploit demonstrations have shown privilege escalation on operating systems like Android, Chrome OS, and Microsoft Windows NT derivatives, leveraging instruction sets in x86-64 and ARMv8-A architectures. Notable attacks include cross-VM compromises on cloud platforms operated by Amazon Web Services and Google Cloud Platform, and local exploits against browsers like Google Chrome, using techniques originally described by researchers affiliated with Google Project Zero and universities such as Cornell University. Toolchains and proof-of-concept code have referenced compilers and runtime environments from GCC, Clang, and LLVM Project. Security advisories have been coordinated with organizations including CERT Coordination Center and National Institute of Standards and Technology.
Mitigations span hardware, firmware, and software layers. Hardware remedies include increased refresh rates and adoption of targeted row refresh (TRR) mechanisms at the DRAM device level by vendors such as Samsung Electronics, SK Hynix, and Micron Technology. Firmware and microcode updates distributed by Intel Corporation and AMD can alter memory controller behavior; BIOS and UEFI updates from Dell Technologies, HP Inc., and Lenovo have been used to deploy fixes. Software defenses include kernel hardening in the Linux kernel, browser mitigations in Mozilla Firefox and Google Chrome, and cloud-provider isolation strategies from Microsoft Azure and Google Cloud Platform. Error-correcting memory technologies used in data centers by Facebook and Amazon Web Services remain an important line of defense, while academic proposals from Massachusetts Institute of Technology and ETH Zurich suggest randomized memory allocation and detection via performance counters in processors like those produced by Intel Corporation.
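The performance-counter detection idea mentioned above can be sketched as a two-stage check over sampled cache-miss data. This is an added example, not code from the original page or from any vendor; the thresholds, the simplified address-to-row mapping, and the sample windows are all constructed assumptions.

```python
from collections import Counter

# All constants below are assumptions for illustration; real values depend on
# the DRAM module, memory controller address mapping, and sampling interval.
MISS_THRESHOLD = 20_000      # stage 1: last-level cache misses per window
ROW_SHARE_THRESHOLD = 0.30   # stage 2: share of sampled misses in one row
ROW_BITS = 13                # simplified mapping: 8 KiB of address space per row


def row_of(phys_addr: int) -> int:
    """Simplified physical-address-to-row mapping (ignores bank/channel bits)."""
    return phys_addr >> ROW_BITS


def analyze_window(miss_count: int, sampled_addrs: list[int]) -> dict:
    """Classify one sampling window of cache-miss counter data."""
    result = {"suspicious": False, "hot_rows": [], "refresh_rows": []}
    # Stage 1: hammering must bypass the cache, so it implies a high miss rate.
    if miss_count < MISS_THRESHOLD or not sampled_addrs:
        return result
    # Stage 2: benign streaming spreads misses over many rows; hammering
    # concentrates them on a handful of aggressor rows.
    rows = Counter(row_of(a) for a in sampled_addrs)
    hot = sorted(r for r, n in rows.items()
                 if n / len(sampled_addrs) >= ROW_SHARE_THRESHOLD)
    if not hot:
        return result
    # Response: neighbours of the hot rows are the ones at risk of bit flips,
    # so a defender would refresh (re-read) them early.
    victims = {r + d for r in hot for d in (-1, 1) if r + d >= 0} - set(hot)
    result.update(suspicious=True, hot_rows=hot, refresh_rows=sorted(victims))
    return result


# Constructed sample windows: (miss_count, sampled miss addresses).
IDLE = (500, [0x1000_0000 + i * 0x2000 for i in range(8)])
STREAMING = (50_000, [0x1000_0000 + i * 0x2000 for i in range(64)])
CONCENTRATED = (60_000, [0x2000_0000, 0x2000_4000] * 30
                + [0x3000_0000 + i * 0x2000 for i in range(4)])

if __name__ == "__main__":
    for name, window in [("idle", IDLE), ("streaming", STREAMING),
                         ("concentrated", CONCENTRATED)]:
        print(name, analyze_window(*window))
```

The streaming window shows why the second stage matters: a high miss rate alone is common in benign workloads, so only row concentration triggers the early refresh.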
Rowhammer has affected consumer devices from Apple Inc. and Samsung Electronics and enterprise servers deployed by Google, Facebook, and Microsoft Corporation. Security bulletins have been published by vendors including Intel Corporation, AMD, Micron Technology, and cloud operators like Amazon Web Services. Incident response has involved coordination with national and international bodies such as the US-CERT and the European Union Agency for Cybersecurity. The threat has implications for critical infrastructure vendors including Siemens and Schneider Electric where embedded systems utilize DRAM; it has also prompted audits in industries involving Boeing and General Electric.
Ongoing research originates from institutions such as ETH Zurich, Princeton University, University of California, San Diego, University of Texas at Austin, and corporate labs at Google Project Zero, Intel Labs, and Samsung Research. Work explores reactive error-correction, physical redesign of DRAM arrays by manufacturers like Micron Technology, and novel defenses such as memory allocation randomization proposed by researchers at Carnegie Mellon University and Cornell University. Conferences where Rowhammer research has been presented include USENIX Security Symposium, IEEE Symposium on Security and Privacy, ACM CCS, and NDSS Symposium. Standardization efforts and follow-up studies have been discussed at JEDEC meetings and in publications by ACM and IEEE.