Single Sided Rowhammer Attack Part 2
In the last post, I wrote about the probabilistic nature of the single-sided Rowhammer attack, which comes from its random address selection. This week, I found that allocating more heap increases the frequency of bit flips. In my experiment, allocating 14GB of memory instead of 1GB increased the chance of successful bit flips by more than 20 times. Google’s single-sided Rowhammer test source code initializes 1GB of memory.
My prediction is that the OS randomizes the virtual memory mapping across multiple areas of physical memory. Therefore, when a relatively small amount of memory is allocated, for example 1GB out of 16GB, the memory will likely be spread over multiple banks. As a result, when a pair of addresses is accessed and flushed, they won’t meet the requirement that the addresses are in the same bank and in different rows. Furthermore, when the Rowhammer attack does successfully flip a bit, the flip can land outside the allocated space. In this case, we won’t be able to check the result, unless the flipped location is in a critical area of the kernel and crashes the OS. With the increased heap, we make sure that most addresses can be checked after hammering a set of addresses.
Still, increasing the heap for the Rowhammer program will not guarantee that. However, for RAM that is known to show a Rowhammer vulnerability, it will increase the frequency of bit flips dramatically.
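The visibility part of the argument above (a flip outside the allocated region cannot be checked) can be put in numbers with a small model. This is an added example, not code from the original post or from Google's test; the DRAM geometry, the frame-to-bank/row mapping, the scaled-down memory size and the uniform scattering of frames are simplifying assumptions. It models only which victim rows the test's scan can see, not whether a flip occurs.

```python
import random

# Constructed, scaled-down geometry (assumptions, not a real DIMM's mapping):
PAGE = 4096             # bytes per physical frame
ROW_BYTES = 8192        # bytes per DRAM row within one bank
BANKS = 16              # consecutive row-sized chunks rotate across banks
FRAMES_PER_ROW = ROW_BYTES // PAGE

def locate(frame):
    """Map a physical frame number to (bank, row) under the toy mapping."""
    chunk = frame // FRAMES_PER_ROW
    return chunk % BANKS, chunk // BANKS

def frames_of(bank, row):
    """Physical frames that make up one row of one bank."""
    chunk = row * BANKS + bank
    return range(chunk * FRAMES_PER_ROW, (chunk + 1) * FRAMES_PER_ROW)

def visible_fraction(total_frames, alloc_frames, trials=20000, seed=1):
    """Fraction of victim-row frames that lie inside the test's own buffer.

    The buffer is modelled as alloc_frames physical frames scattered uniformly
    at random (the post's hypothesis). A flip in a frame outside the buffer
    cannot be found by the test's scan, so this is the share of flips it sees.
    """
    rng = random.Random(seed)
    owned_list = rng.sample(range(total_frames), alloc_frames)
    owned = set(owned_list)
    rows = total_frames // (FRAMES_PER_ROW * BANKS)
    seen = possible = 0
    for _ in range(trials):
        bank, row = locate(rng.choice(owned_list))   # hammered (aggressor) row
        for victim_row in (row - 1, row + 1):        # adjacent rows, same bank
            if 0 <= victim_row < rows:               # skip past the array edge
                for frame in frames_of(bank, victim_row):
                    possible += 1
                    seen += frame in owned
    return seen / possible

if __name__ == "__main__":
    total = 1 << 18                                  # stands in for 16 GB
    for gb in (1, 14):
        share = visible_fraction(total, total * gb // 16)
        print(f"{gb:>2} GB of 16 GB: {share:.1%} of victim frames checkable")
```

Under these assumptions the checkable share tracks the allocated fraction of physical memory, so a 1GB buffer sees only a small slice of the rows its own hammering can disturb.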