Bitflips in RAM: what they are and what impact they have on data security

A bitflip is a situation in which the value of a bit in a sequence of data stored in RAM changes from 0 to 1, or vice versa, in an unexpected or unwanted way. In binary code, a bit is the smallest unit used to express a piece of data. Bitflips can occur for various reasons, including electrical noise, memory errors, electrical interference, or cyber attacks designed to alter what is stored in memory.

These are potentially problematic events because they can introduce errors into data, compromise the integrity of information, and have unintended consequences for the operation of a system or a specific application. In the context of cybersecurity, attackers can try to induce bitflips in data in order to alter or compromise sensitive or encrypted information.

Attacks on RAM memory: RowHammer and Blacksmith

In 2014, a group of researchers presented an attack called RowHammer which aroused considerable interest and concern. The idea was to damage, modify, or steal data using a simple application running at the user level, by repeatedly accessing certain regions of the DDR memory chip. Since then, memory chip manufacturers have developed some defensive measures, mainly by limiting the number of times programs can access the contents of RAM.

A couple of years ago, other experts applied fuzzing techniques to DDR4 memory: the approach, named Blacksmith, was very similar, and the researchers demonstrated that they were capable, for example, of recovering RSA-2048 public and private keys stored in RAM.

Bitflips with the new RowPress attack

Taking inspiration from Blacksmith, a group of researchers from the Federal Institute of Technology in Zurich has devised a new attack method. Called RowPress, the technique involves "hammering" carefully selected regions of RAM and keeping them open for longer periods than normal. In this way, exploitable bitflips can be induced that form the basis of an actual attack.

To defend against RowHammer, the industry developed a line of defense known as ECC (error-correcting code), capable among other things of detecting and automatically repairing flipped bits. This protection was overcome in RowHammer attacks against older DDR3 memory; some researchers theorize that it may be possible to overcome ECC even on more modern DDR4.
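As an added example (not from the article or the researchers it describes), here is a toy SECDED Hamming code on a single byte in Python: it corrects one flipped bit and detects two, and, going a step beyond the article, shows why ECC is not a complete defense against multi-bit flips, since three well-placed flips can pass through as a silent miscorrection. The bit positions, the 12-bit codeword layout and the `flip` fault-injection helper are constructed for this demo.

```python
DATA_BITS = 8
CODE_LEN = 12          # 8 data positions + 4 parity positions (1, 2, 4, 8)

def _is_parity_pos(pos):
    return pos & (pos - 1) == 0   # powers of two hold the Hamming parity bits

def encode(byte):
    """Return 13 bits: index 0 is an overall parity bit, 1..12 the Hamming word."""
    bits = [0] * (CODE_LEN + 1)
    data = iter((byte >> i) & 1 for i in range(DATA_BITS))
    for pos in range(1, CODE_LEN + 1):
        if not _is_parity_pos(pos):
            bits[pos] = next(data)
    for p in (1, 2, 4, 8):          # parity bit p covers every position with bit p set
        for pos in range(1, CODE_LEN + 1):
            if pos & p and pos != p:
                bits[p] ^= bits[pos]
    bits[0] = sum(bits[1:]) % 2     # overall parity: total weight becomes even
    return bits

def decode(bits):
    """Return (status, byte); status is 'ok', 'corrected' or 'uncorrectable'."""
    bits = list(bits)
    syndrome = 0
    for p in (1, 2, 4, 8):
        if sum(bits[pos] for pos in range(1, CODE_LEN + 1) if pos & p) % 2:
            syndrome |= p         # for a single flip, syndrome = its position
    odd_weight = sum(bits) % 2 == 1
    if syndrome > CODE_LEN or (syndrome and not odd_weight):
        return "uncorrectable", None  # double flip (or syndrome outside the word)
    if syndrome or odd_weight:
        bits[syndrome] ^= 1           # single flip; syndrome 0 means bit 0 itself
        status = "corrected"
    else:
        status = "ok"
    byte, shift = 0, 0
    for pos in range(1, CODE_LEN + 1):
        if not _is_parity_pos(pos):
            byte |= bits[pos] << shift
            shift += 1
    return status, byte

def flip(bits, positions):
    """Constructed fault injection: return a copy with the given positions flipped."""
    out = list(bits)
    for pos in positions:
        out[pos] ^= 1
    return out
```

Flipping positions 3, 5 and 6 of the codeword for 0xA5 yields a zero syndrome with odd weight, so the decoder "repairs" the parity bit and hands back 0xA2 as if nothing happened.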

As an additional measure, DDR4 chips with ECC also offer another form of defense, known as Target Row Refresh (TRR). It monitors the number of times a row in memory is accessed: once a certain threshold is reached, the row's contents are automatically refreshed in order to mitigate a possible attack. In the case of RowPress, the researchers explain, TRR does not appear to be effective.

Attackers can therefore exploit the RowPress technique to compromise data and put the security of systems at risk. Further research is still ongoing and new developments are expected in the months to come, not least because DDR4 chips from all three major manufacturers (Samsung, Hynix and Micron) are vulnerable to RowPress, even when equipped with defenses such as ECC and TRR.
