Once Thought Safe, DDR4 Memory Shown To Be Vulnerable To 'Rowhammer' (arstechnica.com)

An anonymous reader writes from an Ars Technica article: Physical weaknesses in memory chips that make computers and servers susceptible to hack attacks dubbed "Rowhammer" are more exploitable than previously thought and extend to DDR4 modules, not just DDR3, according to a recently published research paper. The paper, titled How Rowhammer Could Be Used to Exploit Weaknesses in Computer Hardware (PDF), arrived at that conclusion by testing the integrity of dual in-line memory modules, or DIMMs, using diagnostic techniques that hadn't previously been applied to finding the vulnerability. The tests showed many of the DIMMs were vulnerable to a phenomenon known as "bitflipping," in which 0s were converted to 1s and vice versa.

31 comments

  1. Pratchett's Woodpecker by spiritplumber · · Score: 1

    I know it's a problem, but love how this works. Wonder if it was around when Going Postal was written.

    --
    Liberty - Security - Laziness - Pick any two.
    1. Re:Pratchett's Woodpecker by Anne+Thwacks · · Score: 0
      It has been around as long as semiconductor memory has been around. And not just in DRAM. Static memory, including on-cpu cache can have it. It is a well known potential defect that should be tested for during manufacture.

      Some manufacturers cheat.

      --
      Sent from my ASR33 using ASCII
    2. Re:Pratchett's Woodpecker by Megol · · Score: 0

      Bullshit. The cheat part that is, that nearby signals can interfere is true but trivially so. Water is wet, signals can interfere - so what?

      The problem isn't caused by cheating, and implying that not only confuses people but also takes away the important lesson that computers are complex on many levels and that avoiding bugs is f-king hard.

      [And that critical systems should have ECC in hardware, software or preferably both]

  2. Names by Anonymous Coward · · Score: 0

    Why does every exploit need a trendy name? Rowhammer, Superfish, Heartbleed, etc. just sound dumb.

    1. Re:Names by peragrin · · Score: 2

      Have you ever heard of hacking groups that didn't have trendy names?

      Also rowhammer is what it does. It is descriptive.

      --
      i thought once I was found, but it was only a dream.
    2. Re:Names by Zero__Kelvin · · Score: 2

      Because Bit Tickler sounds like a marital aid?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:Names by Anonymous Coward · · Score: 0

      You sure did. If you had a proper cock, you would have rubbed her tonsils raw.

    4. Re:Names by skids · · Score: 1

      Mostly only the newsworthy ones get them, ones that need widespread attention even for administrative domains that can't afford a dedicated security person/department. It's a lot easier to give them names than have meetings saying "where do we stand on CVE-year-four-digit-number" simply because the human brain wraps around names better. Especially if a clue as to the shape of the exploit is embedded in the name, serving as a mnemonic -- e.g. Heartbleed is used to bleed information from heartbeat exchanges.

    5. Re:Names by Anonymous Coward · · Score: 0

      You sure did. If you had a proper cock, you would have rubbed her tonsils raw.

      lol good one

  3. duplicate by Anonymous Coward · · Score: 0, Offtopic

    Slashdot...always late as usual... no wonder everybody goes to HackerNews.

    So why haven't you promoted my submitted story from yesterday? https://slashdot.org/submission/5686403/rowhammer-attack-now-works-on-ddr4-memory

  4. We need a cartoon to demonstrate the bit flipping by JoeyRox · · Score: 1
  5. Re:frost 4ist! by KiloByte · · Score: 4, Funny

    goat.cx

    Warning! Do not click this link -- it's an advertisement for a sleazy domain peddler rather than a bona-fide goatse mirror.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  6. The only safe device by JustAnotherOldGuy · · Score: 1

    I'm convinced that the only safe device these days is a Speak 'N Spell. (I heard the Etch A Sketch is vulnerable to "vibration-hacking" and "elbow-jogging" attacks by annoying younger brothers and sisters.)

    --
    Just cruising through this digital world at 33 1/3 rpm...
  7. Ha ha I'm safe by JustAnotherOldGuy · · Score: 3, Funny

    Ha ha, I'm safe because I'm still using 16-pin DIPs in my PC XT. Suck it, hackers!

    --
    Just cruising through this digital world at 33 1/3 rpm...
  8. Is this DIMM specific or is it IC specific? by Anonymous Coward · · Score: 0

    Do they have information on which ICs were used in the DIMMs?

  9. Not an exploit... by Anonymous Coward · · Score: 0

    This is just a characteristic of modern memory. If you run "good" quality memory at its rated speed, timing, and voltage, you'll get random errors - even after memtest. I've discovered that if I increase the RAM's voltage, I can eliminate these faults w/o playing with any of the timing, etc. I do *a lot* on my box that persists (as opposed to a game where a flipped pixel will not be noticed), so I was actually able to consistently reproduce the error. Not saying upping the voltage is everybody's answer, but it seems the stock 1.5 volts is too low for the density of these chips.

    CAP === 'picking'

    1. Re: Not an exploit... by Anonymous Coward · · Score: 0

      It's why the general consumer market should be using ECC as part of the default standard. It's one thing to have an odd display glitch; it's quite another to have data corrupted in RAM and then be committed to disk.
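Two of the comments above (Megol's "critical systems should have ECC" and the reply just above) point at ECC as the defence against a flipped bit. The following is an added example, not code from the article or from any commenter: a small SECDED (single-error-correct, double-error-detect) Hamming code in Python that encodes a data word, then shows what the decoder reports for an intact word, a single Rowhammer-style flip, and a double flip. The code length and flip positions are constructed for the demonstration.

```python
def _is_pow2(x):
    return x & (x - 1) == 0

def parity_bits_needed(k):
    """Smallest r with 2**r >= k + r + 1 (Hamming bound for k data bits)."""
    r = 0
    while (1 << r) < k + r + 1:
        r += 1
    return r

def secded_encode(data):
    """data: list of 0/1. Returns a codeword list where index 0 holds the overall
    parity bit, power-of-two indices hold Hamming parity bits, the rest hold data."""
    r = parity_bits_needed(len(data))
    code = [0] * (len(data) + r + 1)
    bits = iter(data)
    for i in range(1, len(code)):
        if not _is_pow2(i):
            code[i] = next(bits)
    for p in range(r):
        mask = 1 << p
        # parity bit 2**p covers every position whose index has bit p set
        code[mask] = sum(code[i] for i in range(1, len(code)) if i & mask) % 2
    code[0] = sum(code) % 2          # overall parity turns Hamming into SECDED
    return code

def secded_decode(code):
    """Returns (data, status); status is 'ok', 'corrected' or 'uncorrectable'."""
    code = list(code)
    syndrome = 0
    for i in range(1, len(code)):
        if code[i]:
            syndrome ^= i            # XOR of set positions = index of a single flip
    overall_ok = sum(code) % 2 == 0
    if syndrome == 0 and overall_ok:
        status = 'ok'
    elif not overall_ok:
        code[syndrome] ^= 1          # odd error count: assume one flip and repair it
        status = 'corrected'
    else:
        return None, 'uncorrectable' # even parity but nonzero syndrome: two flips
    data = [code[i] for i in range(1, len(code)) if not _is_pow2(i)]
    return data, status

def simulate_flips(data, positions):
    """Encode data, flip the given codeword positions, decode. Constructed test aid."""
    code = secded_encode(data)
    for pos in positions:
        code[pos] ^= 1
    return secded_decode(code)
```

A hardware ECC DIMM does the same job with 8 check bits per 64-bit word; the point the decoder makes is that one flip is silently repaired while two flips in the same word are detected but not correctable, which is why ECC raises the bar for Rowhammer rather than eliminating it.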

  10. 1001001 in distress? by Zero__Kelvin · · Score: 1

    Getty Lee is already well aware of this pattern!

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    1. Re:1001001 in distress? by pepsikid · · Score: 1

      Dude, that's Geddy Lee, as in, how his Polish granny pronounced his birth name "Gary Lee Weinrib".

    2. Re:1001001 in distress? by pepsikid · · Score: 1

      Er, his momma, anyway.

  11. Wouldn't a fairly simple fix be to make it so that consecutive rows in the RAM do not correspond to consecutive memory addresses? The virtual memory manager is already serving up the physical RAM in 4k pages. Right now the rows within the 4k page are consecutive, but any given block of RAM bigger than 4k may actually be comprised of pages from anywhere in the physical RAM. If you reordered the rows within the 4k page at a hardware level it would be difficult to know which rows were actually consecutive. Potentially use a different order for each page. If done on a hardware level this would add a tiny bit of overhead, but not that much. Basically you would need a mapping table that could translate a 12 bit value into some other 12 bit value.

    1. Re:Fix? by Anonymous Coward · · Score: 0

      Yes, but that would make it harder for operating systems to protect against this kind of exploit once someone actually figures out a viable attack. With consecutive rows it is just a matter of allocating buffer pages between different programs' allocations to prevent one from accessing another. Scatter the addresses around and that method will be a lot more complex. Exploit programmers will however still be able to target a specific system.

    2. Re:Fix? by mathew7 · · Score: 1

      Actually, just switching the LSBs from the row address would be enough, with the manufacturer hiding it (or even better: randomizing).
      Since "researching" for this, I saw some information that they already have a mapping for production yielding; which is logical, as you can get more chips with target-size+10% and 91% working (100 from 110) than target-sized and perfect. But I think they currently just "skip", instead of re-arrange rows.
      Also, the individual chips which eventually feed the 64-bit bus (with 512 bits in 1 DDR3 cycle) could be configured differently (so 2 consecutive rows as seen by the CPU could have only some physical adjacency...think about modules with 8 or 16 chips).

    3. Re:Fix? by mathew7 · · Score: 1

      I don't support making a SW protection in the 1st place. It just adds complexity which could open another door. SW is NOT the answer to everything.

    4. Re:Fix? by Anonymous Coward · · Score: 0

      I read the original article back when it was first published. The exploit does not rely on knowing how things are laid out in RAM. It allocates a massive TLB, then hammers RAM as hard as it can until it gets lucky and flips the right bit in the TLB to give itself write access to its own TLB. From there, you own the machine.

  12. Never had this happen by Chirs · · Score: 1

    As far as I know I've never had this happen on any of my machines. Laptops, tablets, Android media boxes, or desktop. It just hasn't been an issue.