In 2012 researchers disclosed a vulnerability affecting most DDR3 memory chips: RowHammer.
Since then, RowHammer has featured in a whole range of exploits demonstrating its security implications. Memory vendors, haunted by this issue for the whole DDR3 era, decided to tackle it in the newer DDR4 generation with a mitigation widely referred to as Target Row Refresh (TRR).
This talk is about how we spent the better part of the last two years trying to reverse engineer the inner workings of this undocumented mitigation concealed deep inside the DRAM chips. We will discuss how we leveraged an FPGA-based memory controller to uncover its implementation details by means of bit flips, and we will show its evolution, disclosing different flavors of the “TRR” mitigation.
So does it actually work? Well… what emerged from our analysis is anything but reassuring. RowHammer is alive and well; you just need a creative attitude when designing new hammering patterns. Don’t worry, we will explain to you how to build such patterns and, for the lazy ones, we will teach you how our RowHammer fuzzer (TRRespass) can do it for you.