ZenHammer: Rowhammer attacks on AMD Zen-based platforms
DDR5, On-Die ECC, and “Fragility” of Modern DRAM
- Several comments note DDR5’s on-die ECC is required to make the technology reliable at its higher densities and speeds.
- Some argue this isn’t a “negative” but part of a general trend: all storage becomes probabilistic and then corrected with math.
- Others describe DDR5 as “fragile” because cell sizes and timing margins are pushed so hard that some bits would otherwise fail; ECC is used instead of backing off performance/density.
- There’s debate whether DDR5 is “mostly fixed” for Rowhammer; the paper shows bit flips on at least one DDR5 device, but attacks were only successful on 1/10 tested DDR5 modules and need further research.
Rowhammer as a Physical Phenomenon and Threat Model
- Rowhammer is framed as a DRAM physics problem: repeated accesses to one row cause charge leakage and bit flips in neighboring rows.
- Smaller, denser, closer cells make attacks easier but also make RAM cheaper, faster, and more efficient.
- Some say this is an “inevitable” outcome of industry-wide pressure for density and cost, not just “profit-maximizing negligence.”
Real-World Risk for Normal Users
- Many argue average users are unlikely to be directly impacted; typical attacks against them are simpler software exploits and malware.
- Others stress that Rowhammer and similar bugs have been demonstrated from JavaScript in browsers, in VMs, phones, and even over networks; the lack of observed mass exploitation doesn’t mean zero risk.
- Script blocking (NoScript, uBlock, JS-by-default-off) is discussed as a practical mitigation, though some find it too inconvenient.
ECC as Mitigation
- Strong consensus that ECC significantly raises the bar: many single/double flips become correctable or crash the system, converting a stealthy exploit into an obvious reliability problem.
- Critics of “ECC doesn’t help” call that framing misleading; attack success then generally requires many machine halts or detectable error logs.
- A key caveat: ECC reporting and handling vary by platform; some desktop/consumer platforms correct silently or don’t surface counters via IPMI, though OS-level Machine Check handling still exists in many setups.
AMD/Intel ECC and Platform Choices
- Desktop AMD Ryzen has (now officially) ECC support, but whether it works depends on the motherboard. ASRock and ASUS are frequently cited as enabling it on AM5 boards.
- Laptop ECC is largely limited to expensive “mobile workstations” and Pro SKUs; recent AMD mobile generations had shifting, unclear ECC support in public specs.
- Unbuffered ECC DDR5 is significantly more expensive (often ~50–100% premium) and lacks factory overclock/XMP binning, so users may need manual tuning for performance.
- Threadripper supports registered ECC and is seen as great but overkill (cost, core count, PCIe lanes) for many home users.
Memory Encryption and Other Defenses
- Memory encryption (e.g., AMD SEV/Secure Memory Encryption) is said to prevent Rowhammer from turning into targeted data corruption; bit flips become random in ciphertext, likely causing crashes rather than controlled exploits.
- This can make systems less “graceful” (single-bit flips causing fatal errors) but more obviously broken, which is viewed as preferable from a security perspective.
Broader Security and Privacy Context
- Several comments contrast highly technical hardware attacks with the much larger, ongoing risks from pervasive tracking, data brokerage, and insecure IoT devices.
- Some argue society needs broad privacy regulation more urgently than ever-more-marginal mitigations for exotic hardware bugs.