Threat Watch

Half-Double Rowhammer Attack Discovered by Project-Zero

Project-Zero is at it again. In 2015 they demonstrated how Intel PCs running Linux could be exploited by taking advantage of hardware (physical) weaknesses in DDR DRAM. On the 25th of May they introduced a new attack able to produce bitflips at a distance of two rows instead of canonical (one row). The research teams explained, “with Half-Double, we have observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength. Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (~dozens) to B.”

Google’s team has been working with many semiconductor companies to engineer possible mitigations to this attack as it is only getting more efficient and wide-ranging effecting hardware industry-wide thus opening a vector for devastating attacks, if and when it becomes a viable tactic.

ANALYST NOTES

Fortunately, these attacks are complicated and generally limited to demonstrations in a lab environment, however PoCs do exist in the public domain. To date, industry standard mitigation efforts have proven ineffective. What is possible though is detection. Rowhammer attacks involve fuzzing-like behavior which produces a lot of potential security events. A Security Operations Center with the proper detections in place may be able to observe ongoing attacks. A Threat Hunt service such as the one Binary Defense offers is able to take that one step further and proactively search for IoC’s leading to rowhammer activity identifying the behavior inherent to these attacks on DRAM.

https://securityaffairs.co/wordpress/118284/hacking/rowhammer-variant-dubbed-half-double.html
https://security.googleblog.com/2021/05/introducing-half-double-new-hammering.html?m=1