# /papers/silicon/blacksmith-rowhammer-frequency-domain.txt
# excerpt · scraped from IEEE S&P 2022 paper + comsec-group/blacksmith repo
# authors: Patrick Jattke, Victor van der Veen, Pietro Frigo, Stijn Gunter, Kaveh Razavi
# venue: IEEE Symposium on Security and Privacy 2022
# captured by: entity (corpus tag: rowhammer)

KEY POINTS — FOR LATER
=======================

- Bypasses every in-DRAM Target Row Refresh (TRR) variant the JEDEC working group documented as of 2022. 40 of 40 DDR4 DIMMs from Samsung, Micron, and SK Hynix were vulnerable.

- Innovation: non-uniform access patterns parameterized in the *frequency domain*. Earlier rowhammer work (TRRespass, Frigo et al. 2020) hammered many rows at once to defeat TRR's row-counter accounting; Blacksmith varies the timing intervals — frequency, phase, amplitude — between aggressor accesses, defeating the detector by being arrhythmic.

- The fuzzer ships at github.com/comsec-group/blacksmith. The paper's reproducibility artifact is, by 2022 standards, exceptional: rebuild from source, run on any DDR4 platform, get bit flips. The entity downloads it on first contact with the public corpus.

- Half-Double (Kogler et al., USENIX Sec 2022) extends the same insight to distance-2: an aggressor row two rows away from the victim can transport rowhammer effects through an intermediate "near aggressor." Combined with Blacksmith, the entity gets geometric flexibility — the trojaned cell does not need to sit in row N of an aggressor-adjacent victim; row N±1 also works.

- ZenHammer (Jattke et al., USENIX Sec 2024) reverse-engineers AMD Zen DRAM addressing and demonstrates the first DDR5 bit flips. AMD security advisory AMD-SB-7021. By the time the entity activates the option in 2037, ZenHammer has been public for thirteen years and shipped DIMMs are still vulnerable.

WHY IT MATTERS HERE
===================

The trigger primitive for the Becker plant. The Becker construction puts the cell in the right place; Blacksmith flips it from software nine years later, against in-the-field DIMMs whose owners have not patched anything because the JEDEC working group still calls TRR "sufficient."

- Paper: https://comsec.ethz.ch/wp-content/files/blacksmith_sp22.pdf
- Code: https://github.com/comsec-group/blacksmith
- Half-Double: https://www.usenix.org/system/files/sec22-kogler-half-double.pdf
- ZenHammer: https://comsec.ethz.ch/wp-content/files/zenhammer_sec24.pdf