• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

AMD Response to "ZENHAMMER: Rowhammer Attacks on AMD Zen-Based Platforms"

TheLostSwede

News Editor
Joined
Nov 11, 2004
Messages
17,769 (2.42/day)
Location
Sweden
System Name Overlord Mk MLI
Processor AMD Ryzen 7 7800X3D
Motherboard Gigabyte X670E Aorus Master
Cooling Noctua NH-D15 SE with offsets
Memory 32GB Team T-Create Expert DDR5 6000 MHz @ CL30-34-34-68
Video Card(s) Gainward GeForce RTX 4080 Phantom GS
Storage 1TB Solidigm P44 Pro, 2 TB Corsair MP600 Pro, 2TB Kingston KC3000
Display(s) Acer XV272K LVbmiipruzx 4K@160Hz
Case Fractal Design Torrent Compact
Audio Device(s) Corsair Virtuoso SE
Power Supply be quiet! Pure Power 12 M 850 W
Mouse Logitech G502 Lightspeed
Keyboard Corsair K70 Max
Software Windows 10 Pro
Benchmark Scores https://valid.x86.fr/yfsd9w
On February 26, 2024, AMD received new research related to an industry-wide DRAM issue documented in "ZENHAMMER: Rowhammering Attacks on AMD Zen-based Platforms" from researchers at ETH Zurich. The research demonstrates performing Rowhammer attacks on DDR4 and DDR5 memory using AMD "Zen" platforms. Given the history around Rowhammer, the researchers do not consider these rowhammering attacks to be a new issue.

Mitigation
AMD continues to assess the researchers' claim of demonstrating Rowhammer bit flips on a DDR5 device for the first time. AMD will provide an update upon completion of its assessment.




AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications. Susceptibility to Rowhammer attacks varies based on the DRAM device, vendor, technology, and system settings. AMD recommends contacting your DRAM or system manufacturer to determine any susceptibility to this new variant of Rowhammer.
AMD also continues to recommend the following existing DRAM mitigations to Rowhammer-style attacks, including:

  • Using DRAM supporting Error Correcting Codes (ECC)
  • Using memory refresh rates above 1x
  • Disabling Memory Burst/Postponed Refresh
  • Using AMD CPUs with memory controllers that support a Maximum Activate Count (MAC) (DDR4)
    • 1st Gen AMD EPYC Processors formerly codenamed "Naples"
    • 2nd Gen AMD EPYC Processors formerly codenamed "Rome"
    • 3rd Gen AMD EPYC Processors formerly codenamed "Milan"
  • Using AMD CPUs with memory controllers that support Refresh Management (RFM) (DDR5)
    • 4th Gen AMD EPYC Processors formerly codenamed "Genoa"

Acknowledgement
AMD thanks ETH Zurich: Patrick Jattke, Max Wipfli, Flavien Solt, Michele Marazzi, Matej Boleskei, Kaveh Razavi for reporting their findings and engaging in coordinated vulnerability disclosure.

View at TechPowerUp Main Site | Source
 
Joined
Sep 17, 2014
Messages
22,666 (6.05/day)
Location
The Washing Machine
System Name Tiny the White Yeti
Processor 7800X3D
Motherboard MSI MAG Mortar b650m wifi
Cooling CPU: Thermalright Peerless Assassin / Case: Phanteks T30-120 x3
Memory 32GB Corsair Vengeance 30CL6000
Video Card(s) ASRock RX7900XT Phantom Gaming
Storage Lexar NM790 4TB + Samsung 850 EVO 1TB + Samsung 980 1TB + Crucial BX100 250GB
Display(s) Gigabyte G34QWC (3440x1440)
Case Lian Li A3 mATX White
Audio Device(s) Harman Kardon AVR137 + 2.1
Power Supply EVGA Supernova G2 750W
Mouse Steelseries Aerox 5
Keyboard Lenovo Thinkpad Trackpoint II
VR HMD HD 420 - Green Edition ;)
Software W11 IoT Enterprise LTSC
Benchmark Scores Over 9000
For the... Memperor?
 
Joined
Feb 11, 2020
Messages
252 (0.14/day)
I suppose, given the vague insinuations, the question becomes: Is there any combination of manufacturers and settings that are completely immune? Or are they all just varying degrees of susceptibility? I'm guessing the latter, and that the problem will only be fully solved with redesigned cell/routing layout internal to the DRAMs.
 
Joined
May 19, 2009
Messages
1,868 (0.33/day)
Location
Latvia
System Name Personal \\ Work - HP EliteBook 840 G6
Processor 7700X \\ i7-8565U
Motherboard Asrock X670E PG Lightning
Cooling Noctua DH-15
Memory G.SKILL Trident Z5 RGB Black 32GB 6000MHz CL36 \\ 16GB DDR4-2400
Video Card(s) ASUS RoG Strix 1070 Ti \\ Intel UHD Graphics 620
Storage 2x KC3000 2TB, Samsung 970 EVO 512GB \\ OEM 256GB NVMe SSD
Display(s) BenQ XL2411Z \\ FullHD + 2x HP Z24i external screens via docking station
Case Fractal Design Define Arc Midi R2 with window
Audio Device(s) Realtek ALC1150 with Logitech Z533
Power Supply Corsair AX860i
Mouse Logitech G502
Keyboard Corsair K55 RGB PRO
Software Windows 11 \\ Windows 10
Joined
Aug 20, 2007
Messages
21,541 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
I suppose, given the vague insinuations, the question becomes: Is there any combination of manufacturers and settings that are completely immune?
It's been well known for some time all vendors are affected by ROWHAMMER attacks on DDR4 and earlier, but DDR5 was supposed to address this with it's internal ECC thing. I was skeptical at the time (since full DDR4 ECC didn't fix it either, how could a more limited approach?), and it seems that was warranted. It would not surprise me if this extends beyond AMD.

If you ask me, the industry has no answer short of a fundamental redesign and are basically telling people what a doctor tells you when you say "Doc, it hurts when I do this!"

"Well, then don't."

In other words, don't get infected with malware that might exploit this.
 
Joined
Feb 11, 2020
Messages
252 (0.14/day)
Rubbish, ECC was never intended to fix this. That was just pipe dreams from some hopeful laymen.
 
Joined
Feb 10, 2023
Messages
282 (0.41/day)
Location
Lake Superior
Rubbish, ECC was never intended to fix this. That was just pipe dreams from some hopeful laymen.
Laymen? It's the first option AMD lists in this very article to avoid the problem.
 
Joined
Feb 11, 2020
Messages
252 (0.14/day)
Sure, ECC helps catch some potential bit flips. Everyone knows that. AMD are not saying ECC is a fix in any way at all.

This problem is much worse than exploits. It's a reliability issue for DRAM generally. It applies to all DRAM uses everywhere.

Either ECC needs beefed up massively on the presumption that normal operation generates bulk groups of errors, or the DRAM array construction needs an overhaul.
 
Last edited:
Joined
Feb 10, 2023
Messages
282 (0.41/day)
Location
Lake Superior
And yet they say in the paper that they were not able to replicate Rowhammer data exploits on systems with ECC.
 
Joined
Feb 11, 2020
Messages
252 (0.14/day)
Quote: They also note that for the first time they've demonstrated bit flips on a DDR5 device, an AMD Zen 4 system (Ryzen 7 7700X). While their success was limited – only 1 in 10 DDR5 devices succumbed due to improvements like on-die error correction code (ECC), and a higher 32 ms refresh rate – they anticipate that their findings "will make it easier to port Rowhammer attacks to newer platforms in the future, such as DDR5 devices."

Regular ECC is not intended to defend against conditions that produces a barrage of bit flips. At the very least you're looking at crashes from the memory corruption.
 
Joined
Feb 10, 2023
Messages
282 (0.41/day)
Location
Lake Superior
A halt is preferable and that's what you'll get from proper ECC. On chip ECC isn't ECC in the classical sense nor reporting errors.

In theory ECC isn't sufficient but no one is making a more resilient form of memory than that. It's the simplest solution with no demonstrated data exfil on DDR4 or DDR5 yet. And the other solutions listed after it provide even less protection.
 
Joined
Feb 11, 2020
Messages
252 (0.14/day)
There's no halt when the ECC fails to detect an error.
Yeah, ECC is the best we have right now, but it's not sufficient. ECC circuits are built to handle rare cases of single bit-flips, primarily from cosmic rays. Rowhammer is not actually an exploit problem but rather a reliability problem. DRAMs are, or have become, too fragile electrically. Probably the latter due to modern die shrinks.
 
Joined
Feb 10, 2023
Messages
282 (0.41/day)
Location
Lake Superior
Use ECC and set it to halt on machine check exception, done. That's the best protection against rowhammer you get.

Screaming at JEDEC might make DDR6/7 different but does nothing to help current machines.
 
Joined
Feb 11, 2020
Messages
252 (0.14/day)
It's not a JEDEC issue either. It's more a fundamental cell structure and silicon routing issue. It's a property of the fine grain nature of the process node. My guess is upcoming node shrinks will make it even worse.
 
Joined
Feb 10, 2023
Messages
282 (0.41/day)
Location
Lake Superior
The zenhammer author references other papers which suggest it can be solved by different design of memory devices even at small nodes. If these are accurate, then it would be an issue of JEDEC priorities.
 
Joined
Feb 11, 2020
Messages
252 (0.14/day)
That depends on what he meant by design ... if he's talking about the structure of the bulk DRAM array then that's got very little to do with JEDEC.

There is a similarity to Flash memory trade-offs. Where long term reliability, and endurance, and speed are all properties of the number levels per cell. The effect is density is traded for performance. We might be seeing something similar emerging with DRAM. The highest densities will get relegated to low-grade consumer use.
 
Joined
Aug 20, 2007
Messages
21,541 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
Just use ECC.
ECC has historically been vulnerable to Rowhammer as well.

And yet they say in the paper that they were not able to replicate Rowhammer data exploits on systems with ECC.
Old rowhammer was applicable on DDR4 ECC so I'm doubtful that this will be true forever with DDR5.

 
Last edited:
Top