Rowhammer (also written as row hammer or RowHammer) is a computer security exploit that takes advantage of an unintended and undesirable side effect in dynamic random-access memory (DRAM) in which memory cells interact electrically between themselves by leaking their charges, possibly changing the contents of nearby memory rows that were not addressed in the original memory access. This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times.[1][2][3]
The Rowhammer effect has been used in some privilege escalation computer security exploits,[2][4][5][6] and network-based attacks are also theoretically possible.[7][8]
Different hardware-based techniques exist to prevent the Rowhammer effect from occurring, including required support in some processors and types of DRAM memory modules.[9][10]

In dynamic RAM (DRAM), each bit of stored data occupies a separate memory cell that is electrically implemented with one capacitor and one transistor. The charge state of a capacitor (charged or discharged) is what determines whether a DRAM cell stores "1" or "0" as a binary value. Huge numbers of DRAM memory cells are packed into integrated circuits, together with some additional logic that organizes the cells for the purposes of reading, writing, and refreshing the data.[11][12]
Memory cells (blue squares in both illustrations) are further organized into matrices and addressed through rows and columns. A memory address applied to a matrix is broken into the row address and column address, which are processed by the row and column address decoders (in both illustrations, vertical and horizontal green rectangles, respectively). After a row address selects the row for a read operation (the selection is also known as row activation), bits from all cells in the row are transferred into the sense amplifiers that form the row buffer (red squares in both illustrations), from which the exact bit is selected using the column address. Consequently, read operations are of a destructive nature because the design of DRAM requires memory cells to be rewritten after their values have been read by transferring the cell charges into the row buffer. Write operations decode the addresses in a similar way, but as a result of the design entire rows must be rewritten for the value of a single bit to be changed.[1]: 2–3 [11][12][13]
As a result of storing data bits using capacitors that have a natural discharge rate, DRAM memory cells lose their state over time and require periodic rewriting of all memory cells, a process known as refreshing.[1]: 3 [11] As another result of the design, DRAM memory is susceptible to random changes in stored data, which are known as soft memory errors and attributed to cosmic rays and other causes. There are different techniques that counteract soft memory errors and improve the reliability of DRAM, of which error-correcting code (ECC) memory and its advanced variants (such as lockstep memory) are most commonly used.[14]

Increased densities of DRAM integrated circuits have led to physically smaller memory cells containing less charge, resulting in lower operational noise margins, increased rates of electromagnetic interactions between memory cells, and greater possibility of data loss. As a result, disturbance errors have been observed, being caused by cells interfering with each other's operation and manifesting as random changes in the values of bits stored in affected memory cells. The awareness of disturbance errors dates back to the early 1970s and Intel 1103 as the first commercially available DRAM integrated circuits; since then, DRAM manufacturers have employed various mitigation techniques to counteract disturbance errors, such as improving the isolation between cells and performing production testing. However, researchers proved in a 2014 analysis that commercially available DDR3 SDRAM chips manufactured in 2012 and 2013 are susceptible to disturbance errors, while using the term Rowhammer to name the associated side effect that led to observed bit flips.[1][3][15]
The opportunity for the Rowhammer effect to occur in DDR3 memory[16] is primarily attributed to DDR3's high density of memory cells and the results of associated interactions between the cells, while rapid DRAM row activations have been determined as the primary cause. Frequent row activations cause voltage fluctuations on the associated row selection lines, which have been observed to induce higher-than-natural discharge rates in capacitors belonging to nearby (adjacent, in most cases) memory rows, which are called victim rows; if the affected memory cells are not refreshed before they lose too much charge, disturbance errors occur. Tests show that a disturbance error may be observed after performing around 139,000 subsequent memory row accesses (with cache flushes), and that up to one memory cell in every 1,700 cells may be susceptible. Those tests also show that the rate of disturbance errors is not substantially affected by increased environment temperature, while it depends on the actual contents of DRAM because certain bit patterns result in significantly higher disturbance error rates.[1][2][15][17]
A variant called double-sided hammering involves targeted activations of two DRAM rows surrounding a victim row: in the illustration provided in this section, this variant would be activating both yellow rows with the aim of inducing bit flips in the purple row, which in this case would be the victim row. Tests show that this approach may result in a significantly higher rate of disturbance errors, compared to the variant that activates only one of the victim row's neighboring DRAM rows.[4][18]: 19–20 [19]
As DRAM vendors have deployed mitigations, patterns had to become more sophisticated to bypass Rowhammer mitigations. More recent Rowhammer patterns include non-uniform, frequency-based patterns.[20] These patterns consist of many double-sided aggressor pairs where each of them is hammered with a different frequency, phase, and amplitude. Using this and synchronizing patterns with the REFRESH command, it is possible to very effectively determine "blind spots" where the mitigation is not able to provide protection anymore. Based on this idea, academics built a Rowhammer fuzzer named Blacksmith[21] that can bypass existing mitigations on all DDR4 devices.
Different methods exist for more or less successful detection, prevention, correction or mitigation of the Rowhammer effect. Tests show that simple error correction code, providing single-error correction and double-error detection (SECDED) capabilities, is not able to correct or detect all observed disturbance errors because some of them include more than two flipped bits per memory word.[1]: 8 [15]: 32 Furthermore, research shows that precisely targeted three-bit Rowhammer flips prevent ECC memory from noticing the modifications.[22][23]
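The SECDED limit described above, shown on a toy extended Hamming(8,4) code (an added example, not taken from the cited papers). The bit layout, the stored value 0xB and the flip masks are constructed, and real ECC modules protect wider words.

```c
#include <stdint.h>
#include <stdio.h>

enum ecc_status { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE };

/* Toy extended Hamming(8,4) word (constructed layout): bit 0 = overall
   parity, bits 1,2,4 = Hamming parity, bits 3,5,6,7 = the four data bits. */
static const int DATA_POS[4] = {3, 5, 6, 7};

static int parity8(uint8_t v) { int p = 0; for (; v; v >>= 1) p ^= v & 1; return p; }

/* XOR of the positions of all set bits; zero for every valid code word. */
static int syndrome(uint8_t cw) {
    int s = 0;
    for (int pos = 1; pos < 8; pos++) if ((cw >> pos) & 1) s ^= pos;
    return s;
}

static uint8_t secded_encode(uint8_t nibble) {
    uint8_t cw = 0;
    for (int i = 0; i < 4; i++)
        if ((nibble >> i) & 1) cw |= (uint8_t)(1u << DATA_POS[i]);
    int s = syndrome(cw);                 /* parity bits that zero the syndrome */
    for (int p = 1; p < 8; p <<= 1) if (s & p) cw |= (uint8_t)(1u << p);
    return cw | (uint8_t)parity8(cw);     /* make the overall parity even */
}

static enum ecc_status secded_decode(uint8_t cw, uint8_t *nibble) {
    enum ecc_status st = ECC_OK;
    int s = syndrome(cw);
    if (parity8(cw)) {                    /* odd weight: decoder assumes ONE flip */
        cw ^= (uint8_t)(1u << s);         /* s == 0 points at the overall parity bit */
        st = ECC_CORRECTED;
    } else if (s) st = ECC_UNCORRECTABLE; /* even weight, bad syndrome: two flips */
    *nibble = 0;
    for (int i = 0; i < 4; i++)
        *nibble |= (uint8_t)(((cw >> DATA_POS[i]) & 1) << i);
    return st;
}

/* Store `data`, flip the stored bits selected by `flip_mask`, read back via ECC. */
static enum ecc_status read_after_flips(uint8_t data, uint8_t flip_mask, uint8_t *out) {
    return secded_decode((uint8_t)(secded_encode(data) ^ flip_mask), out);
}

int main(void) {
    const uint8_t masks[] = {0x00, 0x40, 0x48, 0x68, 0xAA}; /* 0, 1, 2, 3, 4 flips */
    for (unsigned i = 0; i < sizeof masks; i++) {
        uint8_t out;
        int st = read_after_flips(0xB, masks[i], &out);
        printf("mask=%02x status=%d data=%x\n", masks[i], st, out);
    }
    return 0;
}
```

With three flips the decoder reports a corrected single-bit error while returning the wrong data, and with four flips that form a code word it reports no error at all.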
A less effective solution is to introduce more frequent memory refreshing, with the refresh intervals shorter than the usual 64 ms,[a] but this technique results in higher power consumption and increased processing overhead; some vendors provide firmware updates that implement this type of mitigation.[24] One of the more complex prevention measures performs counter-based identification of frequently accessed memory rows and proactively refreshes their neighboring rows; another method issues additional infrequent random refreshes of memory rows neighboring the accessed rows regardless of their access frequency. Research shows that these two prevention measures cause negligible performance impacts.[1]: 10–11 [25]
Since the release of Ivy Bridge microarchitecture, Intel Xeon processors support the so-called pseudo target row refresh (pTRR) that can be used in combination with pTRR-compliant DDR3 dual in-line memory modules (DIMMs) to mitigate the Rowhammer effect by automatically refreshing possible victim rows, with no negative impact on performance or power consumption. When used with DIMMs that are not pTRR-compliant, these Xeon processors by default fall back on performing DRAM refreshes at twice the usual frequency, which results in slightly higher memory access latency and may reduce the memory bandwidth by up to 2–4%.[9]
The LPDDR4 mobile memory standard published by JEDEC[26] includes optional hardware support for the so-called target row refresh (TRR) that prevents the Rowhammer effect without negatively impacting performance or power consumption.[10][27][28] Additionally, some manufacturers implement TRR in their DDR4 products,[29][30] although it is not part of the DDR4 memory standard published by JEDEC.[31] Internally, TRR identifies possible victim rows by counting the number of row activations and comparing it against predefined chip-specific maximum activate count (MAC) and maximum activate window (tMAW) values, and refreshes these rows to prevent bit flips. The MAC value is the maximum total number of row activations that may be encountered on a particular DRAM row within a time interval that is equal to or shorter than the tMAW amount of time before its neighboring rows are identified as victim rows; TRR may also flag a row as a victim row if the sum of row activations for its two neighboring rows reaches the MAC limit within the tMAW time window.[26][32] Research showed that TRR mitigations deployed on DDR4 UDIMMs and LPDDR4X chips from devices produced between 2019 and 2020 are not effective in protecting against Rowhammer.[20]
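A simplified model of the MAC/tMAW bookkeeping described above, which also illustrates the counter-based identification of frequently accessed rows mentioned earlier (an added example, not JEDEC's or any vendor's implementation). The 16-row bank, the MAC of 40, the window lengths, the activation trace and the use of a fixed, restarting window are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROWS 16                 /* rows in the modelled bank (constructed) */

struct trr {
    uint32_t mac;               /* maximum activate count (constructed value) */
    uint64_t tmaw_ns;           /* maximum activate window (constructed value) */
    uint64_t win_start;         /* start of the current counting window */
    uint32_t disturb[ROWS];     /* neighbour activations seen per possible victim */
    uint32_t refreshes[ROWS];   /* targeted refreshes issued per row */
};

static const int PAIR[2] = {4, 6};  /* constructed trace: the two rows around row 5 */

/* Record one ACTIVATE of `row` at `now_ns`; returns the number of victim
   rows refreshed. disturb[v] sums the activations of rows v-1 and v+1, so
   it covers both the single-row and the two-neighbour MAC condition. */
static int trr_activate(struct trr *t, int row, uint64_t now_ns) {
    int issued = 0;
    if (now_ns - t->win_start >= t->tmaw_ns) {    /* tMAW elapsed: restart counting */
        memset(t->disturb, 0, sizeof t->disturb);
        t->win_start = now_ns;
    }
    for (int d = -1; d <= 1; d += 2) {
        int v = row + d;
        if (v < 0 || v >= ROWS) continue;
        if (++t->disturb[v] >= t->mac) {          /* MAC reached inside the window */
            t->disturb[v] = 0;                    /* refresh restores the victim row */
            t->refreshes[v]++;
            issued++;
        }
    }
    return issued;
}

/* Replay a trace that cycles through `rows`, one ACTIVATE every period_ns,
   and return how many targeted refreshes row `victim` received. */
static uint32_t replay(uint32_t mac, uint64_t tmaw_ns, const int *rows, int nrows,
                       int n_acts, uint64_t period_ns, int victim) {
    struct trr t = { .mac = mac, .tmaw_ns = tmaw_ns };
    for (int i = 0; i < n_acts; i++)
        trr_activate(&t, rows[i % nrows], (uint64_t)i * period_ns);
    return t.refreshes[victim];
}

int main(void) {
    printf("row 5, both neighbours active: %u\n", replay(40, 1000000, PAIR, 2, 60, 50, 5));
    printf("row 3, one neighbour active:   %u\n", replay(40, 1000000, PAIR, 2, 60, 50, 3));
    printf("row 5, short tMAW window:      %u\n", replay(40, 1000, PAIR, 2, 60, 50, 5));
    return 0;
}
```

Row 5 is refreshed although neither neighbour alone reaches the MAC, because the sum of their activations does; with the short window the counters restart before the limit is reached and no refresh is issued.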
Because they require huge numbers of rapidly performed DRAM row activations, Rowhammer exploits issue large numbers of uncached memory accesses that cause cache misses, which can be detected by monitoring the rate of cache misses for unusual peaks using hardware performance counters.[4][33]
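One way to turn this observation into a check, as an added example that is not from the cited work: a detector that flags a sustained peak in the cache-miss rate relative to a smoothed baseline. The counter readings, the 10 ms sampling interval, the factor of 20 and the run length of 3 are constructed; on Linux the readings could come from a hardware cache-miss event opened with perf_event_open(2).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct miss_detector {
    double factor;    /* interval is "hot" above factor x baseline (assumed tuning) */
    int    need;      /* consecutive hot intervals required to alert (assumed) */
    double baseline;  /* smoothed misses per ms over normal intervals */
    int    seeded;    /* baseline initialised from the first sample? */
    int    hot;       /* length of the current run of hot intervals */
};

/* Feed the cache-miss count of one sampling interval; returns 1 on alert. */
static int detector_feed(struct miss_detector *d, uint64_t misses, uint32_t interval_ms) {
    double rate = (double)misses / interval_ms;
    if (!d->seeded) { d->baseline = rate; d->seeded = 1; return 0; }
    double ref = d->baseline < 1.0 ? 1.0 : d->baseline;  /* floor for idle systems */
    if (rate > d->factor * ref) {
        d->hot++;                 /* keep the peak out of the baseline */
    } else {
        d->hot = 0;
        d->baseline = 0.9 * d->baseline + 0.1 * rate;
    }
    return d->hot >= d->need;
}

/* Index of the first sample that raises an alert, or -1 if none does. */
static int first_alert(const uint64_t *misses, size_t n, uint32_t interval_ms,
                       double factor, int need) {
    struct miss_detector d = { .factor = factor, .need = need };
    for (size_t i = 0; i < n; i++)
        if (detector_feed(&d, misses[i], interval_ms)) return (int)i;
    return -1;
}

/* Constructed counter readings, one per 10 ms interval: normal load, one
   isolated burst (index 4), then a sustained peak (indices 7 to 10). */
static const uint64_t SAMPLES[] = { 2000, 2200, 1900, 2100, 250000, 2000, 2050,
                                    240000, 260000, 255000, 250000 };

int main(void) {
    size_t n = sizeof SAMPLES / sizeof SAMPLES[0];
    printf("first alert at sample %d\n", first_alert(SAMPLES, n, 10, 20.0, 3));
    return 0;
}
```

Requiring several consecutive hot intervals keeps the isolated burst from alerting while the sustained peak still does.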
Version 5.0 of the MemTest86 memory diagnostic software, released on December 3, 2013, added a Rowhammer test that checks whether computer RAM is susceptible to disturbance errors, but it only works if the computer boots UEFI; without UEFI, it boots an older version with no hammer test.[34]
Memory protection, as a way of preventing processes from accessing memory that has not been assigned to each of them, is one of the concepts behind most modern operating systems. By using memory protection in combination with other security-related mechanisms such as protection rings, it is possible to achieve privilege separation between processes, in which programs and computer systems in general are divided into parts limited to the specific privileges they require to perform a particular task. Using privilege separation can also reduce the extent of potential damage caused by computer security attacks by restricting their effects to specific parts of the system.[35][36]
Disturbance errors (explained in the section above) effectively defeat various layers of memory protection by "short circuiting" them at a very low hardware level, practically creating a unique attack vector type that allows processes to alter the contents of arbitrary parts of the main memory by directly manipulating the underlying memory hardware.[2][4][18][37] In comparison, "conventional" attack vectors such as buffer overflows aim at circumventing the protection mechanisms at the software level, by exploiting various programming mistakes to achieve alterations of otherwise inaccessible main memory contents.[38]
```
hammer:
  mov (X), %eax   // read from address X
  mov (Y), %ebx   // read from address Y
  clflush (X)     // flush cache for address X
  clflush (Y)     // flush cache for address Y
  jmp hammer
```
A snippet of x86 assembly code that induces the row hammer effect (memory addresses X and Y must map to different DRAM rows in the same memory bank)[1]: 3 [4][18]: 13–15
The initial research into the Rowhammer effect, published and presented in June 2014 at the International Symposium on Computer Architecture, described and analyzed the nature of DRAM read disturbance errors in DDR3 DRAM chips. This paper[1] experimentally studied 129 real DDR3 DRAM modules from three DRAM manufacturers and demonstrated read disturbance bitflips in 110 of them. It also showed that a user-level program run on two real systems from Intel and AMD induces bitflips in main memory. The work indicated the potential for constructing an attack, saying that "With some engineering effort, we believe we can develop Code 1a into a disturbance attack that injects errors into other programs, crashes the system, or perhaps even hijacks control of the system. We leave such research for the future since the primary objective in this work is to understand and prevent DRAM disturbance errors."[1]
A subsequent October 2014 research paper did not imply the existence of any security-related issues arising from the Rowhammer effect.[16]
On March 9, 2015, Google's Project Zero revealed two working privilege escalation exploits based on the Rowhammer effect, establishing its exploitable nature on the x86-64 architecture. One of the revealed exploits targets the Google Native Client (NaCl) mechanism for running a limited subset of x86-64 machine instructions within a sandbox,[18]: 27 exploiting the Rowhammer effect to escape from the sandbox and gain the ability to issue system calls directly. This NaCl vulnerability, tracked as CVE-2015-0565, has been mitigated by modifying the NaCl so it does not allow execution of the clflush (cache line flush[39]) machine instruction, which was previously believed to be required for constructing an effective Rowhammer attack.[2][4][37]
The second exploit revealed by Project Zero runs as an unprivileged Linux process on the x86-64 architecture, exploiting the Rowhammer effect to gain unrestricted access to all physical memory installed in a computer. By combining the disturbance errors with memory spraying, this exploit is capable of altering page table entries[18]: 35 used by the virtual memory system for mapping virtual addresses to physical addresses, which results in the exploit gaining unrestricted memory access.[18]: 34, 36–57 Due to its nature and the inability of the x86-64 architecture to make clflush a privileged machine instruction, this exploit can hardly be mitigated on computers that do not use hardware with built-in Rowhammer prevention mechanisms. While testing the viability of exploits, Project Zero found that about half of the 29 tested laptops experienced disturbance errors, with some of them occurring on vulnerable laptops in less than five minutes of running row-hammer-inducing code; the tested laptops were manufactured between 2010 and 2014 and used non-ECC DDR3 memory.[2][4][37]
In July 2015, a group of security researchers published a paper that describes an architecture- and instruction-set-independent way for exploiting the Rowhammer effect. Instead of relying on the clflush instruction to perform cache flushes, this approach achieves uncached memory accesses by causing a very high rate of cache eviction using carefully selected memory access patterns. Although the cache replacement policies differ between processors, this approach overcomes the architectural differences by employing an adaptive cache eviction strategy algorithm.[18]: 64–68 The proof of concept for this approach is provided both as a native code implementation, and as a pure JavaScript implementation that runs on Firefox 39. The JavaScript implementation, called Rowhammer.js,[40] uses large typed arrays and relies on their internal allocation using large pages; as a result, it demonstrates a very high-level exploit of a very low-level vulnerability.[41][42][43][44]
In October 2016, researchers published DRAMMER, an Android application that uses Rowhammer, together with other methods, to reliably gain root access on several popular smartphones.[45] The vulnerability was acknowledged as CVE-2016-6728[46] and a mitigation was released by Google within a month. However, due to the general nature of possible implementations of the attack, an effective software patch is difficult to implement reliably. As of June 2018, most patch proposals made by academia and industry were either impractical to deploy or insufficient in stopping all attacks. As a mitigation, researchers proposed a lightweight defense that prevents attacks based on direct memory access (DMA) by isolating DMA buffers with guard rows.[47][48]
In May 2020, the TRRespass work[49] showed that existing DDR4 DRAM chips, which are claimed to be protected and resilient against Rowhammer, are actually vulnerable to Rowhammer. This work introduced a new access pattern, called many-sided hammering, which circumvents Rowhammer protections that were put into place inside DDR4 DRAM chips.
In May 2021, a Google research team announced a new exploit, Half-Double, that takes advantage of the worsening physics of some of the newer DRAM chips.[50]
In March 2024, a group of researchers at ETH Zürich announced ZenHammer, a rowhammer exploit for AMD Zen chips, and also announced the first use of rowhammer to exploit DDR5 SDRAM.[51][52]
In June 2024, a group of researchers at ETH Zürich announced RISC-H, a rowhammer exploit for RISC-V chips; this is the first Rowhammer study on RISC-V.[53]
In September 2025, a group of researchers at ETH Zürich announced Phoenix, which successfully bypassed all Rowhammer Target Row Refresh mitigations in one of the largest DDR5 SDRAM manufacturers' samples by using longer and more advanced patterns, and demonstrated the vulnerability in practice.[54]