17

I'd like to know (or at least perform some reasonable guess) if a RAM is vulnerable to rowhammer attack. I haven't found any list of vulnerable or secure RAM modules. I've seen some general rules (DDR4 is OK, ECC is some mitigation factor), but I can apply none of these.

It is OK to buy a module, test it and return it if it is not OK. But I don't want to do that, say, ten times.

forest
  • 64,616
  • 20
  • 206
  • 257
v6ak
  • 609
  • 5
  • 12

1 Answers1

6

For DDR4:

One DRAM manufacturer, Micron, indicated that they are putting rowhammer mitigations into some of their DDR4 DRAM (see this data sheet). Other manufacturers might be doing the same.

Note that it is not necessarily true that "DDR4 is OK". There's nothing in the DDR4 standard that makes DDR4 memory safer than DDR3 memory -- the DDR4 standard does not contain any rowhammer mitigation features. If DDR4 memory is safer, that would only be because manufacturers are being more careful about their newer memory, such as by implementing rowhammer mitigations internally within the DRAM modules.

For DDR3:

As far as I know, there are no public lists, either official or unofficial, of which DDR3 DRAM parts have the rowhammer fault and which don't. The DRAM manufacturers haven't published any lists, and no-one has compiled any unofficial lists yet.

You could try asking DRAM manufacturers directly, but I don't know how helpful they would be.

If you pick a DRAM module that you're considering buying, you could try looking up the part number on the manufacturer's web site. In some cases, you can get the SPD data for the module. There's a "MAC" (Maximum Activation Count) field in the SPD data. If MAC="Unlimited", that's supposed to mean "known to be rowhammer-free". However, the status of this MAC field in the DDR standards is not really clear. (For some background, see this post.)

Mark Seaborn
  • 161
  • 3
  • 1
    Hmm, DDR4 is said to contain some mitigation through TRR – see https://en.wikipedia.org/wiki/Row_hammer#Mitigation . After asking this question and subsequent waiting, I've just tried to buy some RAM and test it. It should arrive today. – v6ak Aug 24 '15 at 08:45
  • Unfortunately, while this might be valid, it seems to be very hard to find those results. Maybe date of RAM release will help. – v6ak Aug 31 '15 at 16:58
  • The article https://en.wikipedia.org/wiki/Row_hammer#Mitigation does not actually cite any sources that say that the DDR4 standard includes TRR, so you should treat the article's claim with scepticism. – Mark Seaborn Sep 01 '15 at 17:51
  • How hard would it be for a motherboard to include a simple "address scrambling" circuit whose parameters were set by the BIOS on startup and not otherwise software accessible? Even something as simple as a 4x16 RAM which held four values (selected using bits 0-1 of the row number) that would be xor'ed with the row number fed to the DRAM would seem to make it impossible for software to know what addresses would map to rows above and below a row of interest. – supercat Sep 09 '15 at 21:20
  • @supercat: Address scrambling could help protect against double-sided hammering, but it does not help protect against single-sided hammering. We can already do single-sided hammering just by picking random pairs of addresses, without knowing what those addresses map to. (See http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html) – Mark Seaborn Sep 09 '15 at 23:54
  • @MarkSeaborn: Address scrambling wouldn't guard against single-sided hammering, but the things I've read suggest that single-sided hammering is nowhere near as effective as double-sided. – supercat Sep 10 '15 at 00:02
  • 3
    According to [researchers](http://arstechnica.com/security/2016/08/new-attack-steals-private-crypto-keys-by-corrupting-data-in-computer-memory/), "110 out of 129 DDR3 models and eight out of 12 DDR4 varieties" which were tested were vulnerable to Rowhammer. So "DDR4 is 75% not OK" seems to be closer to the truth. – l0b0 Sep 02 '16 at 12:58
  • @MarkSeaborn LPDDR4 has it, not DDR4 in general. – forest Nov 23 '18 at 03:37
  • @forest: Your comment saying "DDR4 in general" suggests that LPDDR4 is a version of DDR4, or vice versa, which is not actually the case. They just share the number "4" and were specced at similar times (but not the same time). You might know that already; I just want to make sure other people understand that too. – Mark Seaborn Nov 28 '18 at 19:38
  • @MarkSeaborn Sure, and likewise GDDR4 is not based on DDR4 either. I just meant that LPDDR4 does have it (supposedly), whereas DDR4 may or may not have it, depending on the manufacturer. – forest Nov 29 '18 at 07:15