Researchers at the Vrije Universiteit in Amsterdam have described in a paper a new variation of the Rowhammer attack that also succeeds against ECC memory. Rowhammer is a class of exploits that take advantage of a flaw in the design of modern memory modules.

A memory module stores temporary data in storage units called ‘cells’, which form a grid with several rows on the physical silicon chip. In 2014, researchers discovered that by repeatedly reading data in a row, they could create an electric field that could alter data in nearby rows. This caused data corruption, but could also make it possible to manipulate data in malicious ways.

ECC memory

In the years that followed, several attacks were published, and the new research adds another variation. This variant can bypass ECC memory, a memory protection that hardware manufacturers said could detect and prevent Rowhammer attacks.

ECC stands for Error-Correcting Code and is a form of memory storage implemented as a control mechanism in high-end RAM. ECC is usually found in expensive or important systems. ECC memory works by providing protection against malicious flipping of bits, which is what happens during Rowhammer attacks. But the protection mechanism now appears to have limits.

The researchers argue that ECC memory can only detect and correct one bit flip at a time in a memory segment. If two bit flips occur simultaneously in a memory segment, ECC memory cannot handle them. In this case the underlying app is stopped to prevent data corruption. But with three bit flips at the same time, the ECC memory does not crash and does not react at all. This circumvents the protection.
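The one, two and three bit-flip cases above can be reproduced with a textbook SECDED (single-error-correct, double-error-detect) extended Hamming code. This is an added example, not code from the paper or the original article; the 8-bit codeword layout and the function names are assumptions for illustration, and real ECC memory uses wider codes.

```python
from itertools import combinations

N = 8                     # assumed toy layout: index 0 = overall parity bit
DATA_POS = (3, 5, 6, 7)   # data bits; indices 1, 2 and 4 hold Hamming parity

def encode(nibble):
    """Encode 4 data bits into an 8-bit SECDED codeword (list of bits)."""
    cw = [0] * N
    for i, pos in enumerate(DATA_POS):
        cw[pos] = (nibble >> i) & 1
    for p in (1, 2, 4):
        # Parity bit p covers every index whose binary form has bit p set.
        cw[p] = sum(cw[j] for j in range(1, N) if j & p and j != p) % 2
    cw[0] = sum(cw[1:]) % 2
    return cw

def decode(cw):
    """Return (status, nibble): 'ok', 'corrected' or 'uncorrectable'."""
    cw = list(cw)
    syndrome = 0
    for j in range(1, N):
        if cw[j]:
            syndrome ^= j
    parity_odd = sum(cw) % 2 == 1
    if parity_odd:
        # Odd overall parity looks like ONE flipped bit at index `syndrome`
        # (index 0 when only the overall parity bit itself was hit).
        cw[syndrome] ^= 1
        status = "corrected"
    elif syndrome:
        # Even parity with a non-zero syndrome: two flips, cannot be repaired.
        return "uncorrectable", None
    else:
        status = "ok"
    return status, sum(cw[pos] << i for i, pos in enumerate(DATA_POS))

def survey(nibble, flips):
    """Classify every pattern of `flips` simultaneous flips in one codeword."""
    counts = {"corrected": 0, "detected": 0, "silent_corruption": 0}
    for positions in combinations(range(N), flips):
        cw = encode(nibble)
        for p in positions:
            cw[p] ^= 1
        status, out = decode(cw)
        if status == "uncorrectable":
            counts["detected"] += 1
        elif out == nibble:
            counts["corrected"] += 1
        else:
            counts["silent_corruption"] += 1   # wrong data, no error raised
    return counts

if __name__ == "__main__":
    for k in (1, 2, 3):                        # 0b1011 is constructed sample data
        print(k, "flip(s):", survey(0b1011, k))
```

In this toy code every three-flip pattern looks to the decoder like an ordinary single-bit error, so it reports a routine correction while handing back wrong data.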

Not very dangerous

However, the Rowhammer attacks are only theoretical attacks that are studied by researchers. They have never been abused in the wild. Moreover, it takes between 32 minutes and a week to abuse this vulnerability, which makes it not very dangerous.

