In 2015, Researchers at Google made a troubling discovery: The data theft technique known as “Rowhammer,” previously thought of as a theoretical concern, could be exploited in real-world conditions. Now a different group of Google computer scientists have shown that the problem has only gotten worse, thanks in part to improvements in how chips are designed.
Rowhammer is a physical hacking technique that manipulates the electric charge in computer memory chips (known as DRAM) to corrupt or exfiltrate data. In an attack, hackers run the same program repeatedly on a "row" of DRAM transistors to "hammer" that row until it leaks electricity into the adjacent row. When done in a targeted way, that leakage can physically flip a bit in the next row of transistors from 1 to 0 or vice versa. By strategically flipping enough bits, an attacker can begin to manipulate the target system and gain a digital foothold.
In the years since the original 2014 Rowhammer research, chipmakers have added mitigations that monitor adjacent rows for potentially suspicious behavior. But as chips continue to get smaller, the ripple effect that comes from hammering a given row could potentially flip bits two or more rows away. Think of Gallagher smashing a watermelon. You can protect the front of the audience by giving them all plastic ponchos. But if he swings hard enough, and the crowd is packed in tight enough, the rind and pulp could make contact with faces two or three rows deep.
The researchers dubbed their attack “Half-Double,” and note that the technique wasn't practical on older generations of DRAM where transistor rows were slightly farther apart. As whatever's left of Moore's Law packs transistors ever more densely together, though, the risk of spillover in Rowhammer attacks is increasing.
“This is the result of miniaturization,” the Google researchers told WIRED in a written response to questions. “In our experiments with older DDR4 chips, this technique was not successful. We are releasing this research today in order to advance the understanding of this threat. We are hopeful that it will further discussions on mitigations that are long lasting and effective.”
Google disclosed its findings to the semiconductor engineering trade organization JEDEC, which has issued two stop-gap mitigations. And the researchers have been coordinating with other industry partners as well to raise awareness about the issue. But it will take time for chipmakers to fully understand the implications.
“Imagine your house is huge,” says Daniel Moghimi, a postdoctoral scholar at the University of California, San Diego who has studied Rowhammer and microarchitectural attacks. “If your adjacent neighbor who also has a huge house plays loud music, you can probably hear it from your house, but maybe not from three doors down. But when you live in an apartment complex where units are packed much closer to each other, the music will bother neighbors in a lot of apartments. It's the same idea with the density of DRAM cells and their closeness to each other."
A full fix will also require rethinking how chips get designed, and would apply to future generations of DRAM. To go back Mighimi's metaphor, it's easier to build a new apartment with thicker walls and more insulation than it is to retrofit an existing building.
Moghimi says that researchers already understood this potential risk in theory, but that the Google findings, once again, demonstrate a plausible, real-world attack. “It shows that it's more practical than a lot of people think,” he says.
This isn't the first time Rowhammer attacks have seemed to be resolved and then roared back. Researchers at Vrije Universiteit Amsterdam have repeatedly shown in the last 18 months that current chip defenses against more traditional Rowhammer attacks can be defeated. But the Google findings carry an additional warning that advances in the size and efficiency of memory chips potentially come with new risks from Rowhammer.
These hacking techniques would require skill and even some luck to pull off in an actual targeted attack. Given that potential Rowhammer exposure exists in basically every computing device out there, though, its progress is worth taking seriously.