The Rowhammer security exploit affecting DRAM memory modules has a new chapter, with Google now detailing “Half-Double” as a new technique for exploiting system memory.
Google security researchers discovered Half-Double as a new technique that “capitalizes on the worsening physics of some of the newer DRAM chips to alter the contents of memory.”
Traditionally, Rowhammer was understood to operate at a distance of one row: when a DRAM row is accessed repeatedly (the “aggressor”), bit flips were found only in the two adjacent rows (the “victims”). However, with Half-Double, we have observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength. Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (~dozens) to B. Based on our experiments, accesses to B have a non-linear gating effect, in which they appear to “transport” the Rowhammer effect of A onto C. Unlike TRRespass, which exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate. This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances greater than two are conceivable.
The Half-Double vulnerability affects current DDR4 system modules and Google has been working with JEDEC on new mitigation techniques.
More details on the Half-Double vulnerability are available via the Google Security Blog and the Half-Double whitepaper.