Slashdot Mirror

← Back to Stories (view on slashdot.org)

Once Thought Safe, DDR4 Memory Shown To Be Vulnerable To 'Rowhammer' (arstechnica.com)

Posted by msmash on from the leaking-memory dept.

An anonymous reader writes from an Ars Technica article: Physical weaknesses in memory chips that make computers and servers susceptible to hack attacks dubbed "Rowhammer" are more exploitable than previously thought and extend to DDR4 modules, not just DDR3, according to a recently published research paper. The paper, titled How Rowhammer Could Be Used to Exploit Weaknesses in Computer Hardware (PDF), arrived at that conclusion by testing the integrity of dual in-line memory modules, or DIMMs, using diagnostic techniques that hadn't previously been applied to finding the vulnerability. The tests showed many of the DIMMs were vulnerable to a phenomenon known as "bitflipping," in which 0s were converted to 1s and vice versa.

15 of 31 comments (clear)

  1. Pratchett's Woodpecker by spiritplumber · · Score: 1

    I know it's a problem, but love how this works. Wonder if it was around when Going Postal was written.

    --
    Liberty - Security - Laziness - Pick any two.
  2. We need a cartoon to demonstrate the bit flipping by JoeyRox · · Score: 1

    https://www.youtube.com/watch?...

  3. Re:frost 4ist! by KiloByte · · Score: 4, Funny

    goat.cx

    Warning! Do not click this link -- it's an advertisement for a sleazy domain peddler rather than a bona-fide goatse mirror.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  4. The only safe device by JustAnotherOldGuy · · Score: 1

    I'm convinced that the only safe device these days is a Speak 'N Spell. (I heard the Etch A Sketch is vulnerable to "vibration-hacking" and "elbow-jogging" attacks by annoying younger brothers and sisters.)

    --
    Just cruising through this digital world at 33 1/3 rpm...
  5. Ha ha I'm safe by JustAnotherOldGuy · · Score: 3, Funny

    Ha ha, I'm safe because I'm still using 16-pin DIPs in my PC XT. Suck it, hackers!

    --
    Just cruising through this digital world at 33 1/3 rpm...
  6. Re:Names by peragrin · · Score: 2

    Have you ever heard of hacking groups that didn't have trendy names?

    Also rowhammer is what it does. It is descriptive.

    --
    i thought once I was found, but it was only a dream.
  7. Re:Names by Zero__Kelvin · · Score: 2

    Because Bit Tickler sounds like a marital aid?

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  8. 1001001 in distress? by Zero__Kelvin · · Score: 1

    Getty Lee is already well aware of this pattern!

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    1. Re:1001001 in distress? by pepsikid · · Score: 1

      Dude, that's Geddy Lee, as in, how his Polish granny pronounced his birth name "Gary Lee Weinrib".

    2. Re:1001001 in distress? by pepsikid · · Score: 1

      Er, his momma, anyway.

  9. Fix? by MichaelKaiserProScri · · Score: 1

    Wouldn't a fairly simple fix be to make it so that consecutive rows in the RAM do not correspond to consecutive memory addresses? The virtual memory manager is already serving up the physical RAM in 4k pages. Right now the rows within the 4k page are consecutive, but any given block of RAM bigger than 4k may actually be comprised of pages from anywhere in the physical RAM. If you reordered the rows within the 4k page at a hardware level it would be difficult to know which rows were actually consecutive. Potentially use a different order for each page. If done on a hardware level this would add a tiny bit of overhead, but not that much. Basically you would need a mapping table that could translate a 12 bit value into some other 12 bit value.

    1. Re:Fix? by mathew7 · · Score: 1

      Actually, just switching the LSBs from the row address would be enough, with the manufacturer hiding it (or even better: randomizing).
      Since "researching" for this, I saw some information that they already have a mapping for production yelding; which is logical, as you can get more chips with target-size+10% and 91% working (100 from 110) than target-sized and perfect. But I think they currently just "skip", instead of re-arrange rows.
      Also, the individual chips which eventually feed the 64-bit bus (with 512bits in 1 DDR3 cycle) could be configured differently (so 2 consecutive rows as seen by the CPU could have only some physical adjacency...think about modules with 8 or 16 chips).

    2. Re:Fix? by mathew7 · · Score: 1

      I don't support making a SW protection in the 1st place. It just adds complexity which could open another door. SW is NOT the answer to everything.

  10. Re:Names by skids · · Score: 1

    Mostly only the newsworthy ones get them, ones that need widespread attention even for administrative domains that can't afford a dedicated security person/department. It's a lot easier to give them names then have meetings saying "where do we stand on CVE-year-four-digit-number" simply because the human brain wraps around names better. Especially if a clue as to the shape of the exploit is embedded in the name, serving as a mnemonic -- e.g. HeartBlead is used to blead information from heartbeat exchanges.

    --
    Someone had to do it.
  11. Never had this happen by Chirs · · Score: 1

    As far as I know I've never had this happen on any of my machines. Laptops, tablets, Android media boxes, or desktop. It just hasn't been an issue.