Key Takeaways
1. DDR5 RAM, while leading in performance, has been found to be more vulnerable to Rowhammer attacks than previously thought, through a new attack variant called Phoenix.
2. Phoenix is a Rowhammer attack: it activates DRAM rows over and over so that charge leaks from cells in neighbouring rows and bits flip. It has been demonstrated on DDR5 modules built with SK Hynix chips; modules using other vendors' chips have not been tested.
3. DDR5 ships with an in-DRAM defence called Target Row Refresh (TRR). The researchers reverse-engineered SK Hynix's TRR implementation and found refresh intervals it does not cover.
4. Phoenix compromises systems quickly: a root shell in under 2 minutes via page-table-entry flips, and every SK Hynix DIMM tested was affected.
5. Tripling the DRAM refresh rate (shortening the refresh interval tREFI to a third) counters Phoenix, but the article warns it risks data corruption and system instability, such as Blue Screens of Death (BSODs).
DDR5 is the mainstream RAM standard for everyday computers and has been around for about 5 years. However, new findings suggest that DDR5 is more vulnerable to Rowhammer attacks than earlier believed. A group of researchers from ETH Zurich in Switzerland, together with security researchers from Google, have developed a DDR5 Rowhammer variant called Phoenix. Rowhammer works by repeatedly activating the same DRAM rows; the electrical disturbance leaks charge from cells in adjacent rows and flips bits from 1 to 0 or the other way around. Phoenix has only been tested on DDR5 modules that use SK Hynix chips, so whether modules built on other vendors' chips are affected is not yet known.
New Defense Mechanism
DDR5 chips ship with an in-DRAM defence known as Target Row Refresh (TRR), which samples row activations and issues extra refresh commands to rows that are being accessed too often, so that their neighbours do not lose charge. However, the team from ETH Zurich and Google reverse-engineered SK Hynix's TRR implementation. They discovered that it does not sample every refresh interval, leaving intervals in which a row can be hammered unobserved. Exploiting those blind spots requires the attacker to stay synchronized with the DRAM refresh commands over a long pattern, so they devised a method for tracking the refreshes as they happen and self-correcting whenever one is missed.
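The refresh-tracking step above, as an added example that is not the Phoenix team's code. On real hardware the attacker times accesses to the target bank (e.g. with rdtscp, flushing the cache line each time) and sees a latency spike whenever a REFRESH command stalls that bank; here the trace is a constructed array of cycle counts so the logic runs offline. All constants (latencies, samples per refresh interval, the 128-refresh pattern length taken from the article) are hypothetical values for this model, and the actual sampling blind spots of SK Hynix's TRR are not modelled:

```c
/* Added example, not from the Phoenix paper: track DRAM refresh commands
 * from an access-latency trace and re-synchronize when a refresh produced
 * no visible spike.  The trace is constructed; every constant is a
 * hypothetical value for this model. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BASE_LAT     300u  /* hypothetical normal access latency, cycles     */
#define REF_LAT      900u  /* hypothetical latency when a REF stalls the bank */
#define SPIKE_THRESH 600u  /* midway between the two                          */
#define TRACE_LEN     64u
#define REF_PERIOD     8u  /* hypothetical accesses per refresh interval      */
#define PATTERN_LEN  128u  /* shorter of the two pattern lengths in the text  */

typedef struct {
    unsigned refs_seen;     /* REFs detected by a latency spike               */
    unsigned refs_inferred; /* REFs counted because their spike was missed    */
    unsigned pattern_pos;   /* position within the PATTERN_LEN-REF pattern    */
    long     last_spike;    /* sample index of the last spike, -1 if none     */
} ref_tracker;

void tracker_init(ref_tracker *t)
{
    memset(t, 0, sizeof *t);
    t->last_spike = -1;
}

/* Walk the latency samples.  Every spike is a REF; a gap of about
 * k * period between spikes means k - 1 REFs went unobserved, so they are
 * counted anyway.  Without this self-correction the attacker's idea of
 * where it is in the TRR pattern would drift by one per missed REF. */
unsigned track_refs(ref_tracker *t, const uint32_t *lat, size_t n,
                    uint32_t thresh, size_t period)
{
    for (size_t i = 0; i < n; i++) {
        if (lat[i] < thresh)
            continue;                                   /* ordinary access */
        if (t->last_spike >= 0) {
            size_t gap = i - (size_t)t->last_spike;
            size_t k = (gap + period / 2) / period;     /* nearest multiple */
            if (k > 1)
                t->refs_inferred += (unsigned)(k - 1);
        }
        t->refs_seen++;
        t->last_spike = (long)i;
    }
    unsigned total = t->refs_seen + t->refs_inferred;
    t->pattern_pos = total % PATTERN_LEN;
    return total;
}

/* Constructed trace: a spike at the end of every refresh interval, with the
 * spike at drop_idx replaced by a normal latency (drop_idx < 0: none). */
void make_trace(uint32_t *lat, size_t n, size_t period, long drop_idx)
{
    for (size_t i = 0; i < n; i++)
        lat[i] = (i % period == period - 1) ? REF_LAT : BASE_LAT;
    if (drop_idx >= 0 && (size_t)drop_idx < n)
        lat[drop_idx] = BASE_LAT;
}

/* Run the tracker over a TRACE_LEN-sample trace; returns the REF total. */
unsigned run_trace(long drop_idx, ref_tracker *t)
{
    uint32_t lat[TRACE_LEN];
    make_trace(lat, TRACE_LEN, REF_PERIOD, drop_idx);
    tracker_init(t);
    return track_refs(t, lat, TRACE_LEN, SPIKE_THRESH, REF_PERIOD);
}

int main(void)
{
    ref_tracker t;
    unsigned total = run_trace(39, &t);   /* the spike at sample 39 is missed */
    printf("REFs: %u seen, %u inferred, %u total, pattern position %u\n",
           t.refs_seen, t.refs_inferred, total, t.pattern_pos);
    return 0;
}
```

With one of the eight spikes dropped, the tracker still reports eight refreshes and a pattern position of 8, because the doubled gap is recognised as one skipped REF. On hardware the same idea applies, but the threshold and period have to be calibrated per machine and the gap rounding must tolerate timing noise.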
Attack Potential
The researchers found two exploitable hammering patterns, spanning 128 and 2608 refresh intervals respectively. Using them, they obtained a shell with root privileges in under 2 minutes. In their testing, every SK Hynix DIMM was vulnerable to page-table entry (PTE) corruption. Additionally, 73% of the DIMMs allowed breaking RSA-2048 SSH authentication keys, while 33% allowed altering the sudo binary to gain root.
The Phoenix attack has been given a high severity rating and affects DDR5 modules with SK Hynix chips manufactured between January 2021 and December 2024. Whether other vendors' chips from the same period are affected is still unknown. The known countermeasure is to triple the DRAM refresh rate, i.e. shorten the refresh interval tREFI to a third of its default on affected modules. This costs memory performance, and the article warns it may also increase data-corruption errors, leading to Blue Screens of Death (BSODs) and general system instability.
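The PTE-targeting step above, as an added example that is not from the Phoenix paper or its exploit code. It shows why a single flipped bit in an x86-64 4 KiB page-table entry matters: the field layout below is the architectural one (bit 0 Present, bit 1 Read/Write, bit 2 User/Supervisor, bits 12 to 51 the physical frame number, bit 63 No-Execute), while the PTE value and the scan result used in main() are constructed for the demo:

```c
/* Added example, not the Phoenix team's code: what one Rowhammer bit flip
 * does to an x86-64 4 KiB page-table entry.  The PTE value and the flip
 * location used in main() are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_P         (1ULL << 0)
#define PTE_RW        (1ULL << 1)
#define PTE_US        (1ULL << 2)
#define PTE_NX        (1ULL << 63)
#define PTE_PFN_SHIFT 12
#define PTE_PFN_MASK  0x000FFFFFFFFFF000ULL   /* bits 12..51 */

typedef enum {
    FLIP_PRESENT, /* page mapped/unmapped: usually a crash, not control     */
    FLIP_RW,      /* read-only page becomes writable (or the reverse)       */
    FLIP_US,      /* user page becomes supervisor-only (or the reverse)     */
    FLIP_NX,      /* data page becomes executable (or the reverse)          */
    FLIP_PFN,     /* the page now maps a different physical frame           */
    FLIP_OTHER    /* cache/accessed/dirty/available bits: no privilege use  */
} flip_kind;

static uint64_t pte_pfn(uint64_t pte)
{
    return (pte & PTE_PFN_MASK) >> PTE_PFN_SHIFT;
}

/* Classify flipping bit `bit` of `pte`; *after receives the new PTE. */
flip_kind classify_pte_flip(uint64_t pte, int bit, uint64_t *after)
{
    uint64_t flipped = pte ^ (1ULL << bit);
    if (after)
        *after = flipped;
    if (bit == 0)  return FLIP_PRESENT;
    if (bit == 1)  return FLIP_RW;
    if (bit == 2)  return FLIP_US;
    if (bit == 63) return FLIP_NX;
    if (bit >= 12 && bit <= 51) return FLIP_PFN;
    return FLIP_OTHER;
}

/* A flip reported by a memory scan as (byte offset within the page, bit
 * within that byte) lands in PTE number offset/8 (512 entries of 8 bytes)
 * at bit (offset % 8) * 8 + bit_in_byte, since x86 is little-endian. */
void flip_to_pte_field(size_t byte_off, int bit_in_byte,
                       unsigned *entry_idx, int *entry_bit)
{
    *entry_idx = (unsigned)(byte_off / 8);
    *entry_bit = (int)(byte_off % 8) * 8 + bit_in_byte;
}

/* Frame the entry maps after the flip: a PFN-field flip XORs the old frame
 * number with 2^(bit-12).  If the new frame happens to hold a page table,
 * the attacker's user page now aliases that table, which is the classic
 * route from a PTE flip to arbitrary physical memory access and root. */
uint64_t pfn_after_flip(uint64_t pte, int bit)
{
    uint64_t after;
    classify_pte_flip(pte, bit, &after);
    return pte_pfn(after);
}

int main(void)
{
    /* Constructed: user-accessible, writable, non-executable data page
     * backed by physical frame 0x123456. */
    uint64_t pte = (0x123456ULL << PTE_PFN_SHIFT) | PTE_P | PTE_RW | PTE_US | PTE_NX;
    unsigned idx;
    int bit;
    flip_to_pte_field(0x811, 6, &idx, &bit);     /* constructed scan result */
    printf("flip at byte 0x811 bit 6 -> PTE %u, bit %d\n", idx, bit);
    printf("PFN 0x%llx -> 0x%llx (kind %d)\n",
           (unsigned long long)pte_pfn(pte),
           (unsigned long long)pfn_after_flip(pte, bit),
           (int)classify_pte_flip(pte, bit, NULL));
    return 0;
}
```

Only flips in the PFN field (and, less often, in the R/W, U/S or NX bits) are useful to an attacker; flips in the accessed, dirty or caching bits change nothing security-relevant, and a Present-bit flip usually just faults. That is why a Rowhammer exploit first maps out which byte and bit of a page is flippable before arranging for a page table to occupy that page.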