Slashdot Mirror
SSD Drives Vulnerable To Rowhammer-Like Attacks That Corrupt User Data (bleepingcomputer.com)
An anonymous reader writes: NAND flash memory chips, the building blocks of solid-state drives (SSDs), include what could be called "programming vulnerabilities" that can be exploited to alter stored data or shorten the SSD's lifespan. According to research published earlier this year, the programming logic powering of MLC NAND flash memory chips (the tech used for the latest generation of SSDs), is vulnerable to at least two types of attacks.
The first is called "program interference," and takes place when an attacker manages to write data with a certain pattern to a target's SSD. Writing this data repeatedly and at high speeds causes errors in the SSD, which then corrupts data stored on nearby cells. This attack is similar to the infamous Rowhammer attack on RAM chips.
The second attack is called "read disturb" and in this scenario, an attacker's exploit code causes the SSD to perform a large number of read operations in a very short time, which causes a phenomenon of "read disturb errors," that alters the SSD ability to read data from nearby cells, even long after the attack stops.
The first is called "program interference," and takes place when an attacker manages to write data with a certain pattern to a target's SSD. Writing this data repeatedly and at high speeds causes errors in the SSD, which then corrupts data stored on nearby cells. This attack is similar to the infamous Rowhammer attack on RAM chips.
The second attack is called "read disturb" and in this scenario, an attacker's exploit code causes the SSD to perform a large number of read operations in a very short time, which causes a phenomenon of "read disturb errors," that alters the SSD ability to read data from nearby cells, even long after the attack stops.
Let me guess. You hate the "experts" and the "elites"? Let's "tear it all down"? A hop and a skip from Trumpnik thinking, and look how that's going.
Wow you are thoughtless.
Because, you jackass, the discovery of flaws is what allows continuous improvements to be made. I mean, let's NOT find ways to make cars safer by readily exploring all opportunities to keep children safe in the event of a car crash. Let's NOT fund avionics to improve QOL where air flight is concerned. Let's NOT safeguard data to keep sensitive information that our enemies can use to dismantle our way of life our of their hands.
Why don't you tell us what you do that's "useful" on a day-to-day basis. And make it a good one, because it's gotta be something that benefits society as a whole.
What with you being so elite and all.
No, SJWs are even worse.
Such as waiting for state-sponsored cybercriminals or intelligence agencies to discovery these things first, or someone to unintentionally trip them with a programming error?
Exactly. Something useful.
... what do you think is used to store data in car electronics?
Somebody needs to get rid of this 1100100001000 troll. Too boring for the internet.
unlike his moms car, this..in theory...could be fixed, make the logic perfect and it in theory will work forever.
*remembers when software was proven
...I don't think it has much real-world worry. If you're running an intentionally malicious program on your computer, you've got far worse problems. A SSD is one device. A single credit card number is worth thousands of dollars to you and possibly dozens of hours of your valuable time to fix.
I do wonder, is there such an equivalent vulnerability in platter drives? Writing rapidly to the inside and outside of the platter so the heads scream back and forth over and over? (Kind of like the bad old days of exceeding your RAM and thrashing everything to a page file as your heads go CLICK CLICK CLICK CLICK.)
Come to think of it, I wonder if you could VARY the read/write speed of a hard drive by changing your write patterns. So if you can get the heads to swing at a certain frequency, you could start a resonant oscillation of the heads which, if tuned right, would cause a complete mechanical failure.
It doesn't matter if platter drives are vulnerable, since they're already being phased out
It's not a real world worry at all, with one exception. If someone wants to slowly fuck your data without it being obvious, then this might be a way to do it.
But it also is worthless against most Enterprise grade storage arrays, and is most likely easily prevented with drive firmware updates.
It might be a worry for providers who rent out servers.
your a doosh
Ending your life would be a useful endeavor furthering human understanding.
Because of this comment, you should not be allowed to benefit from SSD drives that aren't vulnerable to these attacks. Maybe a bit would be flipped in your bank account balance, or at least a critical part of your computer's partition table.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Mya Doosh? Whoosa Doosh?
SJWs are all bigots tho, why repeat what he said?
...I don't think it has much real-world worry. If you're running an intentionally malicious program on your computer, you've got far worse problems. A SSD is one device.
All of the worlds computers /w SSDs are single-user systems.
Come to think of it
Maybe you shouldn't.
Like post worthless shit on Slashdot?
I do wonder, is there such an equivalent vulnerability in platter drives? Writing rapidly to the inside and outside of the platter so the heads scream back and forth over and over?
The heads already scream back and forth on normal operation. If you create write patterns that increase head moves, I do not expect to see something else that trashed I/O performances.
TFA is not very detailed, it seems the journalist had a hard time explaining what the scientists did. Anyone has a better link?
We used to do that ON PURPOSE. It's wasn't mechanical failure, it was an undocumented feature. http://www.catb.org/~esr/jargo...
Why don't these "commenters" find something useful to say?
All of the worlds computers /w SSDs are single-user systems.
Uh, no they aren't. Pretty much everything in Digital Ocean, AWS, Azure is using *some* SSD storage. Then there are enterprise servers - pretty much everything I've used in the last two years has some kind of SSD storage, if not all SSD (even in many big data applications).
...I don't think it has much real-world worry. If you're running an intentionally malicious program on your computer, you've got far worse problems. A SSD is one device. A single credit card number is worth thousands of dollars to you and possibly dozens of hours of your valuable time to fix.
Assuming you got access to anything valuable with the process you're running as. The point of rowhammer was that you could flip bits in other processes, Imagine for example if you have found an exploit in the web server but all it has access to is public files but you could flip the permission bits on /etc/passwd to be world readable that would be a pretty big exploit. If you can use a "harmless" service running as a non-privileged user to create a denial-of-service attack, that surely has some value too.
Live today, because you never know what tomorrow brings
Too poor to purchase a ssd eh? Hehe. Go sweep the floor loser.
I don't think that has a realistic chance of working -- filesystems tend to write file contents in difficult to predict geographical locations.
I think what would be more realistic is using this as a hypervisor escape.
Even then, I'm curious how this attack is supposed to work now that most SSDs use wear leveling.
Dear 110010001000:
Thank you for your interest in joining the Gay Wigger Admirers of Donald (GayWAD)! GayWADs worldwide are happy that you'd like to become part of our
constantly enlarging member ship (come sail away 8=====D~)
Unlike other fraternities you might have heard about, GayWAD accepts members of all races, creeds, and colors, as long as you're a white Christian male. As our founders stated in the Annals of GayWAD, Chapter 8: "You don't have to be capable of critical thinking, as long as you like it Greek." They were, of course, referring to the Russian penis in your anus style of sexual relations. Don't despair, as attaining full fabulous lifetime status in GayWAD is easy. The only prerequisites for membership in Gay Wigger Admirers of Donald are that you meet all of the following conditions:
To submit your official Gay Wigger Admirers of Donald membership application, simply do nothing. Congratulations, you're now a GayWAD! Your membership kit* is on its way**.
If you require a specific membership number for purposes such as framing, docking, or prestigious inclusion upon your VKontakte profile and coal-mining uniform, please take down this number: 69.
Optionally, you may complete the following survey by replying to this post, indicating affirmative responses with an X in each appropriate box:
GayWAD Membership Survey (OPTIONAL)
[ ] I am secretly gay, but hate gay people because Donald does
[ ] I am a wigger, but hate non-white people because Donald does
[ ] I have used BREITBART.COM to find a sex partner
After completion of this optional survey, your Slashdot post ID shall serve as your unique Gay Wigger Admirers of Donald membership ID.
*Sorry, GayWAD membership kit no longer includes Ivanka Trump brand panties.
**Arrival not guaranteed due to cuts in Postal Service budget.
Assuming the bank stores the balance as 32-bit, I have a pretty good chance of that working out really well for me.
ZFS on LUKS containers. First LUKS would refuse to read a block that failed integrity check. And if in some weird fantasy universe that doesn't happen, ZFS will definitely spot the corruption and oh, hey, autocorrect it.
So, uh... WhatHammer now?
That's a real garbage answer.
“Common sense is not so common.” — Voltaire
Your level of maturity was self discovered also.
Yesterday, Intel released SSD firmware update 2.2.1. In the Release Notes section for my 600p, they included /"Data miscompare caused by intermittent data corruption during heavy write workload with small file transfer size."/
That sounded pretty odd until just now.
In this case there isn't really any way to improve them. Read and write disturbs are a well-known phenomenon that can't be solved at the physical level. That's why bits stored in flash are distributed in space and time, with both the hardware and the flash controllers acting to minimise the problems due to disturbs. My guess is that these guys reverse-engineered the mechanisms used for one particular flash technology and figured out the access patterns needed to induce disturbs.
The workaround would be to use a different random seed for access-pattern randomisation on each device, so you can't leverage information obtained for one device to attack all other devices in that class.
No kidding, you can spray against bedbugs.
In other news SSDs are susceptible to actual hammers as well, no work around has been found.
Since time immemorial, experience has shown that errors creep into data from every level of the storage stack, wether by media defect, transmission error, firmware bug, cosmic ray, unstable power supply, or whatever. The list goes on, and this flaw which allows intentional damage to NAND flash is just one more case that proves the value of end-to-end checksums.
That only effective precaution is to checksum the data as soon as possible, and use memory and storage with enough redundancy to correct errors as necessary. ZFS does this automatically, and used in conjunction with ECC memory, minimizes the opportunity for data corruption.
Perfect storage hardware does not exist; it is the job of the storage system to be tolerant of the inevitable faults, and still return the data that was originally written. The only exception is Apple hardware, which is protected by the RDF, and asserted to be perfect. This allows Apple to avoid the minor overhead that data checksums would impose on their new APFS filesystem, and the gamble with your data still improves their bottom line.
No. The elites with the balls to actually spend the time in the books build the systems that vatniks and Trumpniks scratch their chins and fail to understand, let alone break. That's how they become the "elites."
You want to tear them out and replace them with your fellow morons? Enjoy the aftermath.
NAND read disturbs are well understood by the NAND vendors and SSD controller manufacturers. SSD drives from reputable vendors are engineered to deal with it, just like they are engineered to handle NAND wear-out, and bad-blocks. Micron published a document a decade ago discussing it (see TN-29-17 )
Oh I've heard about those. They're fast right?
Are you going to go over to the ATM Machine and enter your PIN Number so you can buy an SSD Drive?
Some banks still store it as Text, How much is T Dollars?
There is no real world practical worry for this.
This hack relies on the ability to rewrite specific pages in NAND flash. In fact, the attack is well known in NAND flash - read and write disturbs are documented issues with NAND flash since the beginning. Every NAND flash datasheet mentions how you can and cannot program it in order to minimize the probability of disturbs. It's why NAND flash has the "spare area" - because even following the recommendations (always program from page 0 through consecutive pages, never skip around and always program full pages at a time) you will encounter a disturb event eventually.
Now, this requires raw NAND access. But practically all flash memory your PC uses is managed. The SSD has a controller on it sitting between the SATA or PCIe bus and the raw NAND flash. Even memory cards are managed - CompactFlash, SD/MMC, Memory Stick are managed. Only the xD and SmartMedia actually are raw NAND (the controller is in the interface) formatted in special ways.
And managed memory means you can't access the raw media because the management controller is doing its very best to mitigate flash memory drawbacks (like limited program-erase cycles) and problems (like read/write disturbs) by using such fancy technology as wear-levelling. This way even if you write to the same sector always, it's actually walking around the physical media so no part of the actual flash chip is getting more worn out than the others.
And modern SSDs have so much state in them that knowing where your write actually goes in the physical storage array is impossible to know - you need to know the exact state of the array including the states of all the pages (good data, dirty data, ready to be erased, etc). because when it comes time to garbage collect and all that, all the previous state is important as it influences the new state. (And all this contributes to write amplification - where writing N bytes actually causes N+M bytes to be written because of flash management).
I'm not impressed with the findings, since I read all about them in a Toshiba (inventor of NAND flash) application note over a decade ago. It's exactly what Toshiba said would happen and why you need to follow the rules (which every managed controller does).
To be more impressed, they need to demonstrate the results using every day SSDs instead of special test and development boards that let them abuse the raw NAND.
Encryption at rest seems to be getting standard these days - I'd guess it would mitigate some of the risks?
...I don't think it has much real-world worry. If you're running an intentionally malicious program on your computer, you've got far worse problems. A SSD is one device. A single credit card number is worth thousands of dollars to you and possibly dozens of hours of your valuable time to fix.
What if you're running a virtual instance on a cloud platform, and somebody else is running another virtual instance on the same platform, sharing the same physical memory and SSD ?
Why don't you tell us what you do that's "useful" on a day-to-day basis. And make it a good one, because it's gotta be something that benefits society as a whole.
His endless trolling provides lulz to Slashdot users the world over.
The link summarizes a paper presented 4 months ago in the HPCA'17 conference in Austin, why is this "news" now?
Encryption at rest seems to be getting standard these days - I'd guess it would mitigate some of the risks?
Yes, yes it would. Absolutely. But only if you use an expensive proprietary implementation, running on a industry-grade undocumented security processor, and store the private key on a third party server. As long as data is encrypted, its perfectly secure even against data-corruption attacks, yup.
Then this attack would be impossible obviously. You need direct access to the hardware in order to control the bit pattern. In the scenario you are talking about you are using a filesystem to write data, and one of several kernels as well. Your reads and writes are cached by the OS and you have no control over the order of your reads and writes and the reads and writes of the other virtual machines. Your memory writes, while they appear to be at linear ranges you specify, are virtual. That's why it is called virtualization. You are never sharing the same memory. If you were running things they way you think, you could crash your instance and every other instance on the system with a simple C program run as root that dereferences a "properly" initialized pointer, or writes to a location of "interest" such as the stack of the disk drive interrupt routine. Virtual machines would be crashing left and right because the other guy was malicious, or more likely, incompetent.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
OTOH he's not wrong. Spinning platter drives aren't exactly like some old C64 still doing work at an old car shop.
They wear out and has to be replaced. A five year old drive might still chug on happily. A ten year old drive is an accident waiting to happen.
Sure, they SSD you replace them with will also wear out, but that doesn't change the fact that replacements will happen.
You are not wrong, but your comment brought up an unrelated but mildly interesting question.
Is it really correct to call it a "geographical location" in this case? Unless you mean a distributed filesystem where the file content may be stored in different buildings, or even cities, I feel that "spacial location" would be more correct.
However, would it be correct to say that something exists and different geographic locations in one of the following cases?
a) The difference is only in altitude. Does vertical movement change the geographic location?
b) The difference on a geographic scale is insignificant; only an inch apart.
c) The difference is constantly switching. On a spinning platter two point of opposite sides of the platter will swith location with each other every half revolution. Sure, they are at different locations, but are they really at different geographic locations? By the time you have read this sentence the two points have occupied the same position several times over.
I wonder if full disk encryption would mitigate this problem on SSDs. If properly implemented, flipping a row of bits would be useless without the encryption key. It doesn't solve the data corruption issue but at least you won't be able to change the data in a deterministic way.
Rowhammer in RAM is another beast though...
These effects are well-known, and the entire point of a "flash translation layer" is handling them. SSDs verify and recopy data periodically. And since flash storage uses extensive ECC (precisely because it's known to have a non-negligible error rate), such corruption will be detected. It's virtually impossible to have this generate an undetected error of the sort that makes rowhammer such a problem.
In a badly engineered drive, it may be possible to design an access pattern which leads to data loss, but a denial of service is a lot less significant than the things rowhammer can do.
In this case there isn't really any way to improve them.
The workaround would be ...
your lack of induced logic is disturbing
These are product defects. Stop using this terminology that some marketing department came up with to avoid having to do an expensive call back on their RAM products.
Storage access is mediated on so many levels that even vendors have a hard time identifying whether even relatively simple performance problems are the result of an application, the application subsystem (databases), the operating system, the network system, the storage system, the storage fabric or the computer system.
I don't see how it would ever be possible to exploit this, especially when the flash vendors are aware of it and the closest software levels of the hardware are deliberately written in ways to inhibit it.
"Writing this data repeatedly and at high speeds causes errors in the SSD"
Why is this allowed to happen? Why isn't the write speed limited if abusing it can cause errors? How can this be an allowed operation? Since the drive is under complete control of its own firmware, why is this operation allowed to proceed or even take place?
"an attacker's exploit code causes the SSD to perform a large number of read operations in a very short time, which causes a phenomenon of "read disturb errors," that alters the SSD ability to read data from nearby cells, even long after the attack stops"
As above, why is this even allowed to occur?
I'm no expert on SSD functionality, so I'm baffled why the drive would be permitted to do this in the first place. Can someone explain this to me?
Just cruising through this digital world at 33 1/3 rpm...
Yes and no. That sort of storage is virtualized at least a couple if times. The only way to take advantage of this flaw is if you have a dedicated raw mapped device, in which case it's your own storage you're trashing.
ha ha, enjoy your being downvoted to oblivion, which is well deserved for a dumbfuck like you.
why don't YOU find something useful to do? I know the opportunities to do so in mommy's basement are limited, but still...
Then you have even less chance of triggering this kind of behavior.
The only place this is even a concern is if the CIA or NSA sneaks into your nuke research facility and reprograms all the firmware on your SSDs so that it can be slowly used to wear your drives out faster than normal.
So if you can get the heads to swing at a certain frequency, you could start a resonant oscillation of the heads which, if tuned right, would cause a complete mechanical failure.
Although this would be interesting, just like the SSD exploit, I'm not sure how useful it would really be in the real world. Drives are pretty cheap. Loss of data is the big deal and if you have physical access to the system then randomly writing to the drive or formatting the drive seems like the simplest and easiest way to destroy the data.
What an uninformed and useless opinion.
Sorry you got triggered snowflake, but this is SSD drives, not your mommy's car.
It appears that 110010001000 does not know what SSD's are used in, thus why this is an important flaw.
But that only reminds me that he posts on a variety of topics that are beyond his understanding.
Welcome to Slashdot, 110010001000, you belong with us.
...I don't think it has much real-world worry. If you're running an intentionally malicious program on your computer, you've got far worse problems. A SSD is one device.
All of the worlds computers /w SSDs are single-user systems.
Come to think of it
Maybe you shouldn't.
Not sure if you're being sarcastic or not.
The hospital where I worked uses boatloads of SSD's for storage of data, software, and virtual machines in EMC and EMC-like boxes.
Flipping bits in a Word is annoying, but flipping bits in shared-source virtual machines would wreak havoc on an environment.
It's not the directed attack against some code or data that's the threat (I don't believe it could be done to data in SSD storage arrays), but rather a random flipping of bits to cause corruption as part of an extortion attack.
So please inform me where I now can purchase all these new shiny SSDs to replace all the 8TB disks that we have in our array cabinets. And that without having to pay more for a single of those new drives than 100 or so of the old ones...
About 8 years ago, you could easily find SPI flashes that exhibited this issue. (Basically NAND flashes packaged to act like NOR, and not using any ECC bits)
It was a pain in the ass to get the vendor finally own up to it.
How the fuck does anyone offer NAND storage without error correction? WTF?!
A successful API design takes a mixture of software design and pedagogy.
There is no real world practical worry for this.
I had the same reaction to "row hammer" when it first came out. It only took a month for someone to find a way to exploit it in a normal system.