Rowhammer Attacks – What Business Executives Need to Know
The doomsday scenario for any security analyst is finding a hack that is so effective, so versatile that countermeasures are difficult to find without changing everything about global IT infrastructure. As of 2021, the world has been living inside that nightmare for six years now. The nightmare in question is called Rowhammer.
Memory, DRAM specifically, has reached a level of density that jams each row of bits tightly up against the next row. Rowhammer takes advantage of this by bombarding adjacent rows of memory with write requests. By disrupting the rows of magnetic storage on either side of the memory someone wants to change, they can sympathetically flip bits in the next row. This can lead to manipulation of data in memory such as authentication tables.
This means that a successful Rowhammer attack can allow the perpetrator to create their own admin accounts, install their own malware, change the way that devices monitor the network to leave security holes, and erase logs that would otherwise incriminate them. A successful Rowhammer attack could give the attacker complete control over the server, client, or network device in question.
Despite these implications, outside of government intelligence organizations and a select number of concerned security consultants, it has not gotten a lot of attention. Part of the reason for the radio silence was to avoid causing a panic in the early stages of attack development. When the vulnerabilities could only be demonstrated in a lab, there was hope that effective countermeasures could be developed before any major hacking groups could harness the power of Rowhammer in the wild.
However, over the past year the security community has seen incredible advances in the Rowhammer attack vector. They have outmatched the hardware defenses that were supposed to shut them down. It is safe to assume that both governmental and non-governmental entities have attacks available that work in the wild. This brings to light the second reason why the general public is not talking about it: hacks are likely successfully happening all around the world, and they simply have not been detected, or Rowhammer has not been determined to be the root cause.
This article will go over what executives need to know about Rowhammer, the best corporate decisions that can be made to mitigate the attacks, and some of the early warning signs that a company is being targeted by Rowhammer attacks.
Rowhammer is a Hardware Issue at Its Heart
Part of the reason why Rowhammer attacks are so critical is that they are an attack against the very fabric of the way every device stores data. Since memory is a part of every electronic device on the planet, there are a lot of possible vulnerabilities. The same core attack that can root an Android phone can also scramble firewall operations or gain administrative access on a Linux server.
So, what decisions can a business executive make that will mitigate such a broad-reaching attack? In the more immediate future, monitoring policies; in the long run, purchasing decisions.
That may sound odd, but the generation of hardware that a company chooses matters a great deal. For example, the SMASH variant of Rowhammer has proven effective against DDR4 memory, despite prior reassurances. Since DDR5 is just around the corner, the correct decision might be to hold off for the superior Error Check and Scrub (ECS) capability that is designed into DDR5. This might mean delaying an infrastructure rollout for a few months and going with somewhat newer, more expensive hardware.
What hardware should modern enterprises be considering? Leaked AMD roadmaps imply DDR5 support for 2022 Zen 4 CPUs and Zen 3+ APUs. Similarly, leaked Intel slideshows imply DDR5 support on the 2021 Sapphire Rapids and Alder Lake chips. The motherboards will also need to support DDR5 with advanced ECS. Those are currently the best bet against Rowhammer attacks, including mitigation for the new SMASH subtype.
What Executive Decisions Can Be Made in the Meantime?
Vigilance is the main watchword now. Even if it causes a slight performance hit, turning on the monitoring and alerting for ‘cache misses’ in hardware performance monitors might be the wisest decision in the short term. At least for critical systems.
The reason that this can be an indication of a Rowhammer attack is that the attack ‘blinks’ on and off so rapidly, which most likely leads to uncached memory access. Having IT security alerted when this occurs can be the early indicator that saves the day. Given that these attacks are not instantaneous, and require some trial and error to flip the right bits, time is a finite resource. So early detection is a huge advantage.
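The alerting described above could look like the following on a Linux host. This is an added example, not part of the original article or any vendor's tooling: the sample data is constructed, the input is assumed to be the CSV interval output of `perf stat -a -e LLC-load-misses -I 1000 -x,`, and the thresholds are illustrative values that would need tuning per system.

```python
import statistics
from collections import deque

# Constructed sample: timestamp,count,unit,event,run-time,percent,,
SAMPLE = """\
# constructed sample, one row per 1-second interval
1.000,41200,,LLC-load-misses,1000,100.00,,
2.000,39800,,LLC-load-misses,1000,100.00,,
3.000,40500,,LLC-load-misses,1000,100.00,,
4.000,42100,,LLC-load-misses,1000,100.00,,
5.000,40900,,LLC-load-misses,1000,100.00,,
6.000,41700,,LLC-load-misses,1000,100.00,,
7.000,950000,,LLC-load-misses,1000,100.00,,
8.000,40300,,LLC-load-misses,1000,100.00,,
9.000,<not counted>,,LLC-load-misses,0,100.00,,
10.000,2100000,,LLC-load-misses,1000,100.00,,
11.000,2250000,,LLC-load-misses,1000,100.00,,
12.000,2190000,,LLC-load-misses,1000,100.00,,
13.000,2300000,,LLC-load-misses,1000,100.00,,
14.000,41000,,LLC-load-misses,1000,100.00,,
"""

def parse_intervals(text, event="LLC-load-misses"):
    """Yield (timestamp, count); skip comments, other events, uncounted rows."""
    for line in text.splitlines():
        fields = line.split(",")
        if line.startswith("#") or len(fields) < 4 or fields[3] != event:
            continue
        if not fields[1].isdigit():   # e.g. "<not counted>", "<not supported>"
            continue
        yield float(fields[0]), int(fields[1])

def find_alerts(samples, factor=10.0, sustain=3, window=5, floor=1000):
    """Return timestamps at which misses have exceeded factor x baseline for
    `sustain` consecutive intervals. Baseline = median of recent quiet intervals."""
    history, streak, alerts = deque(maxlen=window), 0, []
    for ts, count in samples:
        if len(history) < window:     # warm-up: learn the normal miss rate
            history.append(count)
            continue
        baseline = max(statistics.median(history), floor)
        if count > factor * baseline:
            streak += 1
            if streak == sustain:     # alert once per sustained burst
                alerts.append(ts)
        else:
            streak = 0
            history.append(count)     # only quiet intervals move the baseline
    return alerts

if __name__ == "__main__":
    print(find_alerts(parse_intervals(SAMPLE)))
```

Requiring several consecutive anomalous intervals keeps a single noisy second (the 7.000 row) from paging anyone, while a sustained burst still raises an alert within seconds.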
Some critical hardware might be capable of more frequent memory refreshing, at the cost of power consumption and a small amount of performance. IT and infrastructure teams can identify the critical systems that can increase their memory refresh rate. After testing the impact on the system during a maintenance window, an educated decision can be made. Increasing the memory refresh can slow down or even stop some kinds of Rowhammer attacks.
Virtualization has been known to render Rowhammer attacks into a denial of service at best. That extra layer of abstraction, particularly for access control lists, makes things more difficult for the attacker. Virtualizing the systems that can be feasibly run on VMs is a good short term hedge.
Finally, foster a culture of awareness about Rowhammer based attacks within the technical community. Yes, it is a frightening subject. However, education means that people won’t be as likely to get caught off guard. Employees in the know act more quickly and logically in times of crisis. And that is what they’ll need if a Rowhammer attack is detected while in progress: clear heads, and an effective plan of action.
The Death of Rowhammer?
Some form of Rowhammer is likely to be with us until DDR5 is commonplace, and perhaps even beyond, depending on how effective ECS really is. Optical based computing and storage (fiber optic boards, holographic memory, etc.) is ultimately what will kill Rowhammer for good.
However, until then, corporate policy should be short term detection and mitigation wherever possible, and long term purchasing that will focus on DDR5 based architectures at every level of computing, from hardware appliances to servers to desktops. Ultimately, preparedness and a good monitoring solution might make all the difference. Keep those network intrusion preparedness and action plans up to date, and hire good IT security pros like Outsource IT if help is needed.