
AMD Response to "ZENHAMMER: Rowhammer Attacks on AMD Zen-Based Platforms"

TheLostSwede

News Editor
On February 26, 2024, AMD received new research related to an industry-wide DRAM issue documented in "ZENHAMMER: Rowhammering Attacks on AMD Zen-based Platforms" from researchers at ETH Zurich. The research demonstrates performing Rowhammer attacks on DDR4 and DDR5 memory using AMD "Zen" platforms. Given the history around Rowhammer, the researchers do not consider these rowhammering attacks to be a new issue.

Mitigation
AMD continues to assess the researchers' claim of demonstrating Rowhammer bit flips on a DDR5 device for the first time. AMD will provide an update upon completion of its assessment.




AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications. Susceptibility to Rowhammer attacks varies based on the DRAM device, vendor, technology, and system settings. AMD recommends contacting your DRAM or system manufacturer to determine any susceptibility to this new variant of Rowhammer.
AMD also continues to recommend the following existing DRAM mitigations to Rowhammer-style attacks, including:

  • Using DRAM supporting Error Correcting Codes (ECC)
  • Using memory refresh rates above 1x
  • Disabling Memory Burst/Postponed Refresh
  • Using AMD CPUs with memory controllers that support a Maximum Activate Count (MAC) (DDR4)
    • 1st Gen AMD EPYC Processors formerly codenamed "Naples"
    • 2nd Gen AMD EPYC Processors formerly codenamed "Rome"
    • 3rd Gen AMD EPYC Processors formerly codenamed "Milan"
  • Using AMD CPUs with memory controllers that support Refresh Management (RFM) (DDR5)
    • 4th Gen AMD EPYC Processors formerly codenamed "Genoa"

Acknowledgement
AMD thanks ETH Zurich: Patrick Jattke, Max Wipfli, Flavien Solt, Michele Marazzi, Matej Boleskei, Kaveh Razavi for reporting their findings and engaging in coordinated vulnerability disclosure.

 
For the... Memperor?
 
I suppose, given the vague insinuations, the question becomes: Is there any combination of manufacturers and settings that are completely immune? Or are they all just varying degrees of susceptibility? I'm guessing the latter, and that the problem will only be fully solved with redesigned cell/routing layout internal to the DRAMs.
 
I suppose, given the vague insinuations, the question becomes: Is there any combination of manufacturers and settings that are completely immune?
It's been well known for some time all vendors are affected by ROWHAMMER attacks on DDR4 and earlier, but DDR5 was supposed to address this with its internal ECC thing. I was skeptical at the time (since full DDR4 ECC didn't fix it either, how could a more limited approach?), and it seems that was warranted. It would not surprise me if this extends beyond AMD.

If you ask me, the industry has no answer short of a fundamental redesign and are basically telling people what a doctor tells you when you say "Doc, it hurts when I do this!"

"Well, then don't."

In other words, don't get infected with malware that might exploit this.
 
Just use ECC.
 
Rubbish, ECC was never intended to fix this. That was just pipe dreams from some hopeful laymen.
 
Rubbish, ECC was never intended to fix this. That was just pipe dreams from some hopeful laymen.
Laymen? It's the first option AMD lists in this very article to avoid the problem.
 
Sure, ECC helps catch some potential bit flips. Everyone knows that. AMD are not saying ECC is a fix in any way at all.

This problem is much worse than exploits. It's a reliability issue for DRAM generally. It applies to all DRAM uses everywhere.

Either ECC needs beefed up massively on the presumption that normal operation generates bulk groups of errors, or the DRAM array construction needs an overhaul.
 
And yet they say in the paper that they were not able to replicate Rowhammer data exploits on systems with ECC.
 
Quote: They also note that for the first time they've demonstrated bit flips on a DDR5 device, an AMD Zen 4 system (Ryzen 7 7700X). While their success was limited – only 1 in 10 DDR5 devices succumbed due to improvements like on-die error correction code (ECC), and a higher 32 ms refresh rate – they anticipate that their findings "will make it easier to port Rowhammer attacks to newer platforms in the future, such as DDR5 devices."

Regular ECC is not intended to defend against conditions that produce a barrage of bit flips. At the very least you're looking at crashes from the memory corruption.
 
A halt is preferable and that's what you'll get from proper ECC. On-chip ECC isn't ECC in the classical sense, nor does it report errors.

In theory ECC isn't sufficient but no one is making a more resilient form of memory than that. It's the simplest solution with no demonstrated data exfil on DDR4 or DDR5 yet. And the other solutions listed after it provide even less protection.
 
There's no halt when the ECC fails to detect an error.
Yeah, ECC is the best we have right now, but it's not sufficient. ECC circuits are built to handle rare cases of single bit-flips, primarily from cosmic rays. Rowhammer is not actually an exploit problem but rather a reliability problem. DRAMs are, or have become, too fragile electrically. Probably the latter due to modern die shrinks.
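
The distinction argued in the posts above (a halt on a detected error versus no halt when ECC fails to detect one), as an added example that is not part of the thread or of AMD's bulletin. It assumes a textbook extended-Hamming (72,64) SECDED code, which is not necessarily the code any particular memory controller uses, and the data word and flip positions are constructed.

```python
def syndrome(word):
    """XOR of the positions of all set bits; 0 for a valid codeword."""
    s = 0
    for pos in range(1, len(word)):
        if word[pos]:
            s ^= pos
    return s

def extract(word):
    """Data bits live at the positions that are not powers of two."""
    return [word[p] for p in range(1, len(word)) if p & (p - 1)]

def encode(data):
    """Index 0 holds overall parity, powers of two hold check bits."""
    r = 0
    while (1 << r) < len(data) + r + 1:
        r += 1
    word = [0] * (len(data) + r + 1)
    bits = iter(data)
    for pos in range(1, len(word)):
        if pos & (pos - 1):
            word[pos] = next(bits)
    syn = syndrome(word)
    for i in range(r):                  # choose check bits so the syndrome is 0
        word[1 << i] = (syn >> i) & 1
    word[0] = sum(word) & 1             # make the total number of set bits even
    return word

def decode(word):
    """Return (status, data) the way a SECDED decoder would report it."""
    syn, odd = syndrome(word), sum(word) & 1
    if syn == 0 and not odd:
        return "clean", extract(word)
    if odd and syn < len(word):         # looks like one flipped bit: flip it back
        fixed = list(word)
        fixed[syn] ^= 1
        return "corrected", extract(fixed)
    return "uncorrectable", None        # the case that can raise a machine check

def hammer(word, positions):
    """Flip the given codeword positions (constructed fault pattern)."""
    out = list(word)
    for p in positions:
        out[p] ^= 1
    return out

DATA = [(0xDEADBEEFCAFEF00D >> i) & 1 for i in range(64)]  # constructed sample
WORD = encode(DATA)
for flips in ([37], [37, 52], [3, 5, 6], [3, 5, 9, 15]):
    status, data = decode(hammer(WORD, flips))
    print(flips, status, "intact" if data == DATA else "wrong or unavailable")
```

One flip is repaired and two flips are flagged as uncorrectable, but the chosen three-flip pattern is reported as "corrected" and the four-flip pattern as "clean" while the data returned is wrong.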
 
Use ECC and set it to halt on machine check exception, done. That's the best protection against rowhammer you get.

Screaming at JEDEC might make DDR6/7 different but does nothing to help current machines.
 
It's not a JEDEC issue either. It's more a fundamental cell structure and silicon routing issue. It's a property of the fine grain nature of the process node. My guess is upcoming node shrinks will make it even worse.
 
The zenhammer author references other papers which suggest it can be solved by different design of memory devices even at small nodes. If these are accurate, then it would be an issue of JEDEC priorities.
 
That depends on what he meant by design ... if he's talking about the structure of the bulk DRAM array then that's got very little to do with JEDEC.

There is a similarity to Flash memory trade-offs. Where long term reliability, and endurance, and speed are all properties of the number of levels per cell. The effect is density is traded for performance. We might be seeing something similar emerging with DRAM. The highest densities will get relegated to low-grade consumer use.
 
Just use ECC.
ECC has historically been vulnerable to Rowhammer as well.

And yet they say in the paper that they were not able to replicate Rowhammer data exploits on systems with ECC.
Old rowhammer was applicable on DDR4 ECC so I'm doubtful that this will be true forever with DDR5.

 