Row Hammer Privilege Escalation (RAM Security Issue 2011-2014)

  • Published 30 Sep 2024
  • Row Hammer DDR3 security flaw: support.lenovo....
    The Passgate issue (aka “Row Hammer”) is an inherent design/process limitation in memory for sub 40nm technology such as DDR3/DDR3L/LPDDR2/LPDDR3/GDDR5 that can cause errors in rows of memory adjacent to rows that are being repeatedly accessed (“hammered”). This is a pervasive industry memory issue. It potentially affects multiple brands of PCs using the memory listed above, and is not unique to Lenovo products.
    Any sub 40nm (e.g. DDR3) memory made after 2011 and before 2014 may be impacted by this issue. ECC and non-DDR3 derived memory have not been proven to be impacted by this issue. Memory isolation is a key property of reliable and secure systems. Systems and applications accessing one memory address should not have unintended side effects on data stored in another address belonging to other application(s). Row Hammering is not a new phenomenon and has historically been recognized as leading to random data corruption. However, recent security research has demonstrated that Row Hammering non-ECC DDR3-derived memory commonly used in desktops, workstations, and laptops can expose an exploitable security vulnerability. This attack requires that an attacker already have logical access to the target computer and then use this code to escalate privileges.
    The problem occurs when the memory controller, under command of malicious software, issues an ACTIVATE command to a single row address repetitively. If the physically adjacent rows have not been ACTIVATED or refreshed recently, the charge from the over-ACTIVATED row leaks into the dormant adjacent rows and causes a bit to flip. This failure mechanism has been coined ‘Row Hammer’ as a row of memory cells is being ‘hammered’ with ACTIVATE commands. Once this failure occurs, a Refresh command from the Memory Controller solidifies the error into the memory cell. Current understanding is that the charge leakage does not damage the physical memory cell. The security implication of this attack is that a program can corrupt memory pages belonging to another program.
    Mitigation Strategy for Customers (what you should do to protect yourself):
    Lenovo is working with our memory suppliers in order to ensure that all new DRAM is designed to be Row Hammer-free.
    For computers with affected DDR3-derived memory, doubling the refresh rate on the memory has been shown to be effective in reducing the risk of successfully exploiting this issue. Memory refresh rate is controlled by the system BIOS. Refer to the Product Impact section to determine if your product may be affected. When the updated BIOS is available for you to download, you will be able to link directly to the download page for the applicable product tab.
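
The refresh-rate mitigation described above, as a toy model added here (not Lenovo's code and not part of the original page). The row count, flip thresholds and refresh windows are constructed values, and time is counted in ACTIVATE slots rather than nanoseconds.

```c
#include <stdio.h>
#include <string.h>

#define ROWS 8 /* rows in the toy bank (constructed value) */

/* Toy model: issue `acts` ACTIVATE commands to row `aggressor`. All rows are
 * refreshed every `refresh_every` ACTIVATE slots. A neighbour flips once it
 * absorbs more than `threshold` disturbances between two refreshes.
 * Returns the number of adjacent rows left holding a flipped bit. */
int simulate(int aggressor, long acts, long refresh_every, long threshold)
{
    long disturb[ROWS] = {0}; /* charge leaked into each row since refresh */
    int flipped[ROWS] = {0};  /* a flip persists: refresh rewrites the bad value */
    int flips = 0;

    for (long t = 1; t <= acts; t++) {
        for (int d = -1; d <= 1; d += 2) { /* both physical neighbours */
            int v = aggressor + d;
            if (v < 0 || v >= ROWS)
                continue; /* edge rows have one neighbour */
            if (++disturb[v] > threshold && !flipped[v]) {
                flipped[v] = 1;
                flips++;
            }
        }
        if (t % refresh_every == 0)
            memset(disturb, 0, sizeof disturb); /* restores charge only */
    }
    return flips;
}

int main(void)
{
    /* Constructed numbers: 1500 ACTIVATE slots fit in a normal refresh window. */
    printf("normal refresh:        %d rows flipped\n", simulate(3, 10000, 1500, 1000));
    printf("doubled refresh:       %d rows flipped\n", simulate(3, 10000, 750, 1000));
    printf("doubled, weaker cells: %d rows flipped\n", simulate(3, 10000, 750, 600));
    return 0;
}
```

The third case is consistent with the advisory's wording that doubling the refresh rate reduces risk: in this model a cell that tolerates fewer disturbances than the shortened window allows still flips.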
