Introducing Half-Double: New hammering technique for DRAM Rowhammer bug
By Google Research Team: Salman Qazi, Yoongu Kim, Nicolas Boichat, Eric
Shiu & Mattias Nissler
Today we are sharing details of our discovery of a new Rowhammer
technique that capitalizes on the worsening physics of some of the
newer DRAM chips to alter the contents of memory.
Rowhammer is a DRAM vulnerability whereby repeated accesses to one
address can tamper with the data stored at other addresses. Much
like speculative execution vulnerabilities in CPUs, Rowhammer is a
breach of the security guarantees made by the underlying hardware.
As an electrical coupling phenomenon within the silicon itself,
Rowhammer allows the potential bypass of hardware and software
memory protection policies. This can allow untrusted code to break
out of its sandbox and take full control of the system.
Rowhammer was first discussed in a paper in 2014 for what was then
the mainstream generation of DRAM: DDR3. The following year, Google’s
Project Zero released a working exploit.
In response, DRAM manufacturers implemented proprietary logic inside
their chips that attempted to track frequently accessed addresses
and reactively mitigate when necessary.
As DDR4 became widely adopted, it appeared as though Rowhammer had
faded away thanks in part to these built-in defense mechanisms.
However, in 2020, the TRRespass
paper showed how to reverse-engineer and neutralize the defense by
distributing accesses, demonstrating that Rowhammer techniques are
still viable. Earlier this year, the
research went one step further and demonstrated exploitation from
Traditionally, Rowhammer was understood to operate at a distance of
one row: when a DRAM row is accessed repeatedly (the “aggressor”),
bit flips were found only in the two adjacent rows (the “victims”).
However, with Half-Double, we have observed Rowhammer effects
propagating to rows beyond adjacent neighbors, albeit at a reduced
strength. Given three consecutive rows A, B, and C, we were able to
attack C by directing a very large number of accesses to A, along
with just a handful (~dozens) to B. Based on our experiments,
accesses to B have a non-linear gating effect, in which they appear
to “transport” the Rowhammer effect of A onto C. Unlike TRRespass,
which exploits the blind spots of manufacturer-dependent defenses,
Half-Double is an intrinsic property of the underlying silicon
substrate. This is likely an indication that the electrical coupling
responsible for Rowhammer is a property of distance, effectively
becoming stronger and longer-ranged as cell geometries shrink down.
Distances greater than two are conceivable.
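To make the distance argument above concrete, here is a toy simulation of the A/B/C access pattern against a target-row-refresh style mitigation with a configurable refresh radius. It is an added example for this post, not Google's code and not a DRAM model: the coupling weights, the gating count and the flip and tracker thresholds are all constructed assumptions, chosen only so the cases are easy to compare. What it shows is the defensive point: a mitigation that refreshes only the two rows adjacent to a hot row protects B but not C, while one whose blast radius covers distance 2 does, and in the model C is only reachable once B has been touched a handful of times.

```python
# Toy model of the Half-Double access pattern, constructed for this explanation.
# It is not Google's code and not a DRAM simulator: the coupling weights, the
# gating count and the thresholds below are illustrative assumptions chosen so
# the cases are easy to compare.
from dataclasses import dataclass, field

NEAR_WEIGHT = 1.0        # disturbance one access adds to rows at distance 1 (assumed)
FAR_WEIGHT = 0.02        # disturbance one access adds to rows at distance 2 (assumed)
GATE_ACCESSES = 20       # accesses the middle row needs before distance-2 coupling "opens"
FLIP_THRESHOLD = 500.0   # accumulated disturbance at which a row's bits flip (assumed)
TRACKER_THRESHOLD = 200  # per-row access count at which a TRR-like tracker reacts


@dataclass
class ToyBank:
    """A few DRAM rows with a TRR-style tracker that refreshes rows within
    refresh_radius of any row whose access count crosses TRACKER_THRESHOLD.
    refresh_radius=0 models no mitigation at all."""
    refresh_radius: int
    accesses: dict = field(default_factory=dict)     # row -> accesses since last reset
    disturbance: dict = field(default_factory=dict)  # row -> accumulated disturbance
    flipped: set = field(default_factory=set)        # rows that crossed FLIP_THRESHOLD

    def _disturb(self, row: int, amount: float) -> None:
        self.disturbance[row] = self.disturbance.get(row, 0.0) + amount
        if self.disturbance[row] >= FLIP_THRESHOLD:
            self.flipped.add(row)

    def access(self, row: int) -> None:
        self.accesses[row] = self.accesses.get(row, 0) + 1
        # Classic Rowhammer: both immediate neighbours take the full disturbance.
        for victim in (row - 1, row + 1):
            self._disturb(victim, NEAR_WEIGHT)
        # Half-Double in this model: a weaker coupling reaches distance 2, but only
        # once the row in between has itself been accessed a handful of times.
        for victim, middle in ((row - 2, row - 1), (row + 2, row + 1)):
            if self.accesses.get(middle, 0) >= GATE_ACCESSES:
                self._disturb(victim, FAR_WEIGHT)
        # Mitigation: a hot row gets its count cleared and its neighbourhood refreshed,
        # which wipes the accumulated disturbance of every row inside the radius.
        if self.accesses[row] >= TRACKER_THRESHOLD:
            self.accesses[row] = 0
            for distance in range(1, self.refresh_radius + 1):
                self.disturbance[row - distance] = 0.0
                self.disturbance[row + distance] = 0.0


def run_pattern(refresh_radius: int, far_accesses: int, middle_accesses: int,
                aggressor: int = 100) -> list:
    """Drive the A/B/C pattern from the text against a bank with the given
    mitigation radius: many accesses to A (= aggressor), a handful to B (= A+1),
    with C (= A+2) as the row we want to see protected. Returns the sorted list
    of rows that flipped."""
    bank = ToyBank(refresh_radius)
    for i in range(far_accesses):
        bank.access(aggressor)
        if i < middle_accesses:  # the "handful" of accesses to B, issued early on
            bank.access(aggressor + 1)
    return sorted(bank.flipped)


if __name__ == "__main__":
    print("no mitigation:            ", run_pattern(0, 50_000, 30))
    print("refresh radius 1:         ", run_pattern(1, 50_000, 30))
    print("refresh radius 2:         ", run_pattern(2, 50_000, 30))
    print("radius 1, B never touched:", run_pattern(1, 50_000, 0))
```

With no mitigation the model flips A's neighbours (99 and 101) and the distance-2 row 102; with a radius-1 refresh only row 102 flips, because the tracker keeps resetting B while C keeps accumulating; with radius 2 nothing flips; and with radius 1 but B never accessed, the gate stays closed and nothing flips either. Real trackers are proprietary and the real coupling is not a fixed per-access weight, so read the numbers as a way to reason about blast radius, not as measurements.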
We have been working with JEDEC, an independent semiconductor
engineering trade organization, along with other industry partners,
in search of possible solutions for the Rowhammer phenomenon. JEDEC
has published two documents about DRAM and system-level mitigation
techniques (JEP
We are disclosing this work because we believe that it
significantly advances the understanding of the Rowhammer
phenomenon, and that it will help both researchers and industry
partners to work together to develop lasting solutions. The
challenge is substantial and the ramifications are
industry-wide. We encourage all stakeholders (server, client,
mobile, automotive, IoT) to join the effort to develop a
practical and effective solution that benefits all of our users.