Abstract
AMD has gained a significant market share in recent years with the introduction of the Zen microarchitecture. While there are many recent Rowhammer attacks launched from Intel CPUs, they are completely absent on these newer AMD CPUs due to three non-trivial challenges: 1) reverse engineering the unknown DRAM addressing functions, 2) synchronizing with refresh commands for evading in-DRAM mitigations, and 3) achieving a sufficient row activation throughput. We address these challenges in the design of ZENHAMMER, the first Rowhammer attack on recent AMD CPUs. ZENHAMMER reverse engineers DRAM addressing functions despite their non-linear nature, uses specially crafted access patterns for proper synchronization, and carefully schedules flush and fence instructions within a pattern to increase the activation throughput while preserving the access order necessary to bypass in-DRAM mitigations. Our evaluation with ten DDR4 devices shows that ZENHAMMER finds bit flips on seven and six devices on AMD Zen 2 and Zen 3, respectively, enabling Rowhammer exploitation on current AMD platforms. Furthermore, ZENHAMMER triggers Rowhammer bit flips on a DDR5 device for the first time.
Permanent link
https://doi.org/10.3929/ethz-b-000666589
Publication status
published
Subject
DRAM; Rowhammer; AMD Zen 2; AMD Zen 3; AMD Zen 4
Organisational unit
09721 - Razavi, Kaveh / Razavi, Kaveh
Funding
180545 - NCCR Automation (phase I) (SNF)
MB22.00057 - Proactive Microarchitectural Security (SBFI)
Related publications and datasets
Is supplemented by: https://doi.org/10.3929/ethz-b-000666588
Notes
Supported by a Microsoft Swiss JRC grant.
ETH Bibliography
yes