However, for the past ten years we’ve been studying an exploit that refuses to go away, and defies every countermeasure cooked up by the industry. This exploit is called Rowhammer.
This OSR tech deep dive will explain what Rowhammer is, the exploits that have been performed so far, and plans that the security community has to slow down or stop this impressive technical exploit.
What Is Rowhammer?
Rowhammer is essentially a hardware issue; a symptom of humanity’s own advancement in the field of memory density. DRAM has become so tightly packed that each row of bits is tucked right up against the next row. This is a necessity if we want small form factors for the memory that fits into our computers, IoT devices, servers, and routing hardware.
The Rowhammer attack takes advantage of this tightly packed bit array by causing sympathetic bit flipping in adjacent rows of memory. Flooding memory with write requests causes errors in the next row of memory. Similar conditions have been observed in the human brain: sympathetic neuron firing. For the most part, we’re as helpless to stop that phenomenon as we are a Rowhammer attack. At least for now.
Rowhammer is a Symptom of Magnetism
These sympathetic bit flips are possible because the world still relies heavily on magnetic storage. We as a computing community have standardised (primarily) on magnetic charges that represent 1s and 0s in the language of binary.
This means that with enough manipulation, an attacker can change the memory of any device that allows a user to change the memory in specific ways. Depending on the device, bits could be flipped in a web server’s back end. Or in a firewall’s ham list. Or in any number of devices that use authentication tables.
This eventually leads to enough holes being poked in the system to shatter even the most carefully crafted defence. Soon enough, the Rowhammer attack can take over an admin account and install whatever the hacker wants on the device. They’ll be able to throw the device into promiscuous mode and monitor the network for more servers and network appliances that are vulnerable to Rowhammer. With time, the hacker can take complete control of a company’s infrastructure and not leave a single log entry in their wake.
What About New Chipsets and Memory Types As a Defence?
DDR4 has already been busted by the SMASH variant of Rowhammer. All of the marketing behind DDR4 said that this was impossible. That, sadly, wasn’t the case.
The AMD Zen 2 and Zen 3 systems had a promising feature called Target Row Refresh (TRR), supposedly a formidable defence against Rowhammer. But as Hacker News reports, the ZenHammer variant now bypasses those defences. That also means current versions of DDR5 are, in technical terms, cooked.
Another 2024 development is Rowhammer defeating a high-end RISC-V CPU, thanks to researchers from ETH Zurich.
If this all seems like grim news, rest assured that there’s a glimmer of hope around the bend. Rambus’ RAMPART memory remapping system is theoretically effective against current Rowhammer attacks. And JEDEC has developed an extended DDR5 spec that contains anti-Rowhammer features.
We’ve had these flashes of hope before, however. And year after year, Rowhammer has proven up to the challenge. The only solace is that the framework is difficult to implement outside of a lab environment, although it’s suspected that several governments have their own Rowhammer implementations operating in the wild.
What Advice Can We Offer to Cyber Insurance Clients?
If cyber insurance clients are interested in some technical suggestions that offer them an edge against Rowhammer, we would suggest the following techniques:
There are ways to detect ongoing Rowhammer attacks for a slight cost to their system’s performance. The key is to monitor for ‘cache misses’ and the appropriate alerts in their hardware performance monitors. Consider this for, at minimum, mission critical systems.
This kind of monitoring works because Rowhammer attacks often cause uncached memory accesses. The hack operates at such high speeds that the system simply can’t keep up. It will be up to the client to decide how many of these alerts constitute an attack, and who on their IT team should be alerted.
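The monitoring described above, sketched as an added example (not code from OSR or any vendor): it reads cache-miss counters sampled once per second and alerts only when the miss volume and miss ratio stay high for several intervals in a row. The sample data is constructed in the CSV layout of `perf stat`, and the function names and all three thresholds are assumptions that each client would tune against their own baseline.

```python
import csv
from collections import defaultdict

# Constructed sample (not from a real host), in the CSV layout produced by:
#   perf stat -a -I 1000 -x, -e cache-misses,cache-references
# Fields: timestamp, count, unit, event, counter run time, % of time running.
SAMPLE = """\
1.000,41200,,cache-misses,1000000000,100.00,,
1.000,1030000,,cache-references,1000000000,100.00,,
2.000,6100000,,cache-misses,1000000000,100.00,,
2.000,6500000,,cache-references,1000000000,100.00,,
3.000,38000,,cache-misses,1000000000,100.00,,
3.000,990000,,cache-references,1000000000,100.00,,
4.000,9200000,,cache-misses,1000000000,100.00,,
4.000,9400000,,cache-references,1000000000,100.00,,
5.000,9350000,,cache-misses,1000000000,100.00,,
5.000,9500000,,cache-references,1000000000,100.00,,
6.000,9100000,,cache-misses,1000000000,100.00,,
6.000,9300000,,cache-references,1000000000,100.00,,
7.000,9400000,,cache-misses,1000000000,100.00,,
7.000,9600000,,cache-references,1000000000,100.00,,
8.000,<not counted>,,cache-misses,0,0.00,,
8.000,1010000,,cache-references,1000000000,100.00,,
"""

def parse_intervals(text):
    """Group counter values by interval: {timestamp: {event: count}}."""
    intervals = defaultdict(dict)
    for row in csv.reader(text.splitlines()):
        if len(row) < 4 or not row[1].strip().isdigit():
            continue  # skip blank lines and '<not counted>' samples
        intervals[float(row[0])][row[3]] = int(row[1])
    return dict(sorted(intervals.items()))

def detect(text, min_misses=5_000_000, min_ratio=0.8, sustain=3):
    """Return timestamps where `sustain` suspicious intervals have run in a row.
    Thresholds are assumed values, not vendor guidance."""
    alerts, streak = [], 0
    for ts, events in parse_intervals(text).items():
        misses = events.get("cache-misses", 0)
        refs = events.get("cache-references", 0)
        # Suspicious: many misses in absolute terms AND as a share of accesses.
        hot = refs > 0 and misses >= min_misses and misses / refs >= min_ratio
        streak = streak + 1 if hot else 0
        if streak == sustain:  # fire once per sustained run, not every interval
            alerts.append(ts)
    return alerts
```

On the constructed sample, the one-second spike at 2.000 is ignored and a single alert fires at 6.000, once the burst that began at 4.000 has lasted three intervals.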
Another hedge against Rowhammer attacks is system virtualization. Adding an abstraction layer by running systems within a VM has proven to be effective against Rowhammer in the past. That’s because the memory of a VM is already being remapped by the hypervisor.
Similarly, increasing the memory refresh rate of critical systems is a strategy that can give clients more of a defensive edge against Rowhammer at the cost of power consumption and a minor degree of performance. Make sure they test these modifications during a maintenance window, to see the exact impact before going live with the new configurations.
In the future, reliable non-magnetic memory and storage might be a real possibility. Holographic memory and storage are already in development. But we’re not quite there yet.
The Role of Cyber Insurance in the World of Rowhammer
One of the benefits of cyber insurance is that, by its very nature, it offers coverage against ‘emerging’ attack vectors. In other words, the client doesn’t necessarily have to know the nature of the attack in order to make a claim; they just need to know that they suffered losses because of a cyber security incident.
Brokers can stay up to date on underwriting standards by participating in OSR’s broker training programme. This will help them to make cyber risk assessments based on a client’s overall preparedness and their exposure profile.
Although Rowhammer is a complex subject, we’re more than willing to talk to brokers about how new developments might impact the world of cyber insurance. Simply contact us and let us know your concerns.