Rowhammer Attacks Can Now Bypass ECC Memory Protections

Catalin Cimpanu, reporting for ZDNet: Academics from the Vrije University in Amsterdam, Holland, have published a research paper this week describing a new variation of the Rowhammer attack. For readers unfamiliar with the term, Rowhammer is the name of a class of exploits that takes advantage of a hardware design flaw in modern memory cards. By default, a memory card stores temporary data inside storage units named cells, which are arranged on the physical silicon chip in multiple rows, in the form of a grid. [...] In research [PDF] published today, named ECCploit, academics expanded the previous Rowhammer techniques with yet another variation. This one, they said, bypasses ECC memory, one of the memory protections that hardware makers said could detect and prevent Rowhammer attacks in the past.

ECC stands for Error-Correcting Code and is a type of memory storage included as a control mechanism with high-end RAM, typically deployed with expensive or mission-critical systems. ECC memory works by protecting against rogue bit flips, like the ones caused by Rowhammer attacks. Surprisingly, it wasn't developed to deal with Rowhammer. It was initially developed in the 90s to protect against bit flips caused by alpha particles, neutrons, or other cosmic rays, but when Rowhammer came out, it also proved to be effective against it, as well. But after spending months reverse engineering the designs of ECC memory, the Vrije University team discovered that this protection mechanism has its limits.

You need better news sources

That thing was on the wire two days ago. And "published today" but still linking a draft? What?

Re: You need better news sources

True

Rowhammer Attacks DOCUMENTED...

as being able to bypass ECC Memory Protections.

It has been possible all along, it is just that someone has publicly proved that the theoretical vulnerability is an actual vulnerability. VERY important difference from title, since this could have allowed the compromise of servers since DDR3 came out and maybe even further back (although the glitches allowing this were only proven in certain brands of DDR3 early on. I have not heard whether it is now ALL DDR3, or still only certain DDR3 lithography processes.

Assumed DDR4 is also compromised until you hear otherwise, and for anything that needs security, only run buffered ram, which is believed resistant if not immune to the attack.

Re:Rowhammer Attacks DOCUMENTED...

Why would buffered be resistant ?

Re:Rowhammer Attacks DOCUMENTED...

The thing is, you should find your log full of correctable ECC errors and system panics because of uncorrectable errors if someone tries Rowhammer on you. The likelyhood for 1Bit-flips and 2Bit-flips is a lot higher than for 3Bit-flips.

Both, especially the system panics, should be noticed by the users or your system monitoring.

And DDR4 RAM has mitigation built in, called Target-Row-Refresh (TRR), which, when used, counts accesses to the neighbouring rows and if they exceed a threshold, refreshes the row. The question is, does the current hardware use it?

Re: Rowhammer Attacks DOCUMENTED...

Wow. I cannot believe this problem exists

Re:Rowhammer Attacks DOCUMENTED...

The issue was prevalent in DDR3 manufactured between certain dates. If I recall correctly, some manufacturers had the issue minimized by 01/2015 for DDR3.

Re:Rowhammer Attacks DOCUMENTED...

The REALLY important thing: we must have more non-whites in all forms of advertising. That will accomplish ... something or the other.

Re: Rowhammer Attacks DOCUMENTED...

Itâ(TM)s not

Re: Rowhammer Attacks DOCUMENTED...

There have been no real fixes just bandaids. DRAM manufacturers are even attempting to hide analisis techniques in feer they might be more susceptible than a competitor designs.

Re: Rowhammer Attacks DOCUMENTED...

All of this is addressed, and mitigated, in the paper. Even TRR as a mitigation only decreases the likelihood of success (even if the paper doesnâ(TM)t say by how much).

Re: Rowhammer Attacks DOCUMENTED...

For future readers: this exists because of 'good enough design' that lingers from the 90s. We were all under the crunch of moore's law so we cut corners because we thought 'future processor will have a solution for this'. And you know how the backlog gets... So here we are today, patching that backlog and ctrl Z'ing moore's law

Re:Rowhammer Attacks DOCUMENTED...

[Aighearach]

No, not an "actual vulnerability," just an "actual example where the technique worked."

Not really the same thing.

Re: Rowhammer Attacks DOCUMENTED...

[jabuzz]

Isssue is by the time you have managed to produce a 3 bit error, you would have produced dozens of 1 and 2 bit errors and my monitoring system would begoing berserk and I would be investigating what the hell was going on. That is just a University HPC facility and any sort of ECC error is sufficiently rare as to be worth investigating as it is invariably a dodgy DIMM or node.

  I presume any monitored compute service would be the same. As such chances of this being used in the real world are likely to be very low.

gayqueer is an imposter

APK hosts file protects all Hoerammer attack!

& NO WAY I'd "cry" like you "playing victim ne'er-do-wells" on /. (TROLL /.ers, not all) OR post on hosts offtopic.

YOU HELPED ME https://science.slashdot.org/c... [slashdot.org] (& you quit trying to make me look bad trying to "tell lies" on hosts as "ME" IN YOUR IMPERSONATIONS of me e.g. https://tech.slashdot.org/comm... [slashdot.org] as regards Intel speculative execution attack? Hosts PREVENT 'EM)

APK

P.S.=> I KNOW the 2nd to last link above's KILLING YOU - YOU ACTUALLY HELPED ME getting me to see if hosts stop more than portsmash (& Meltdown + Spectre too) & "lo & behold" - hosts WORK on 'em - U LOSE.... apk

Quit complaining, TFS is at least technical

We could be treated to another BeauHD "Russia! Russia! Russia!" rant.

Re: Quit complaining, TFS is at least technical

priblem is these patches are always set to push through auto update. Most small shops only pull down patches because it is polite not to hog the bandwidth. Antivirus companies ought to be used to the ask method versus automatic updates by now. That is how most places have done this since before the internet was invented.

Well, it could have been a Horammer attack...

That would be worse, much worse.

Re: Well, it could have been a Horammer attack...

Buffered ram was a better innovation than people give it credit for. Solves all manner of problems. I used to build my own PCs and when I heard about buffered ram and litany of things it protects against I said duh! That is an easy sell. You should have charged more

Re: Well, it could have been a Horammer attack...

Doesnt address this. Its a dram physical issue where adjacent rows shares resources and if a row is âoehammeredâ with activates and writes the adjacent row can be effected.

Great.

So when are they gonna start releasing "patches" for this that knock another 30-50% off my machine speed, in addition to what I've already lost due to mandatory Meltdown mitigations?

Re: Great.

Patches are always available. The idiots who distribute them never seem to remember where to get them, you know down the hall and to the left where it says âoehot fix development team. Please come inâ

Randomisation

[dohzer]

Doesn't Address Space Layout Randomisation basically make this impractical?

https://en.wikipedia.org/wiki/...

Re:Randomisation

[mermeid007]

Who uses ASR for high performance PCs? That slows down your CPU - instant memory fragmentation. Is that a corporate thing? "Hi, IT guys? Can you stop by my computer every few minutes and restart my apps because they get slow"

Re:Randomisation

No, it only randomizes the virtual memory page addresses. At least 4KB will be mapped directly to the memory, usually much more. This is more than enough for rowhammer style attacks.

Re:Randomisation

[DarkOx]

Most people because Windows and Linux platforms pretty much turn it on out of the box now. You have to go out of your way not to use ASR.

Also the performance impact is pretty small unless your are running on ancient hardware with naive chache algorithms.

They 90's call they want your arguments back

Re:Randomisation

RAM is an acronym for Random Access Memory, meaning it's intended to store and retrieve "fragmented" data with no performance hit. RAM doesn't work like HDDs.

Re: Randomisation

4K?! I would not even run a tic tax toe game in 4K. The 90s are calling and they want to hand out some best practices

Re: Randomisation

Yes it does. You just never noticed because you are human and your perception of time is slow

Re:Randomisation

Not when many companies are still shipping computers with less than 4GB of RAM.

Which makes ASLR trivial to defeat.

Re:Randomisation

RAM is an acronym for Random Access Memory

The slow part is not the "random" access, it is in the amount of access operations. The CPU reads a complete row instead of single bytes, if all your bytes fall into that row you have one access for all, if they are distributed all over your address space the CPU ends up performing a memory access for each one. I am not even going to the implementation details of the Memory Management Unit (MMU) which has to manage virtual/physical address translation and access checks based on translation tables set by the OS or how CPU caches interact with fragmentation (badly).

Re:Randomisation

The short answer is no. There's been plenty of various techniques to bypass ASLR to some degree that can be mixed with rowhammer. The good news is some of the same JS mitigations for Spectre also applies to leaking information from ASLR and might make rowhammer more difficult to pull off. The bad news is none of this helps much for VMs on shared hosts, sandboxed programs, or generally any non-root user running anything trying to get root access. So, the general adage to never run untrusted code holds.

One thing that actually saddens me is how little practical work has been done on rowhammer for "legitimate"--at least, I consider it such--attacks on rooting unrootable phones, jailbreaking consoles and handhelds, etc. I think it's mostly a matter of the time/energy involved to making general attack vectors, but perhaps some day it'll happen and then all of us can rejoice. I'm sure university/library/etc computer labs are less thrilled about such things, though.

Re:Randomisation

Are you retarded?

You Can Officially Panic Now

[mentil]

The fact that servers normally utilize ECC RAM is probably the main reason this didn't blow up into a Spectre-style fiasco. I expect plenty of scrambling, in addition to slowdowns in VMs attempting to detect Rowhammer exploits. Rowhammer resistance for DRAM might be developed now, just like how Spectre resistance was a bullet point for the latest Intel CPUs, which is good since consumer devices were left vulnerable to Rowhammer.

Re:You Can Officially Panic Now

[Aighearach]

There is absolutely no reason why you would need to slow down the general VM to detect this. Unlike Spectre, which has to be actively prevented, this merely needs to be monitored and mitigated. You don't need the checks to stand in the way of access, they merely stand to the side and observe usage patterns and slow down access in certain scenarios. You wouldn't even need to reduce throughput noticeably.

Unlike spectre which is a real threat in the datacenter, this is merely a thing that is worth watching.

Would

A HOST file protect against this?

Re: Would

It would but that is a little like killing a fly with a bazooka. it is simple but updating your host file is a pain

Re:Would

Only if it is written in Rust.

Solution

[110010001000]

The obvious solution is to arrest all academics from Amsterdam.

Registered memory is not susceptible.

Unregistered ECC is basically only ever used on consumer grade chips. Registered memory is supported on anything server grade, and is usually cheaper than unregistered for the same capacity.

The concern here is it means systems that DO support unregistered ECC, specifically AMD 939-AM4 systems and 115x series Xeons/Pentiums are now proven susceptible to rowhammer attacks, which means unless you keep them isolated from the possibility of exploits or running unverified remote code (like javascript), they can be hacked from even unprivileged user code without any software exploits on the system itself.

When hear it can know it hitting hard?

How else can know if hammered? Is louder than fans? Does chunk plastic show inside case?

IMPERSONATING ME AGAIN? apk

gweihir KNOWS u IMPERSONATE me https://it.slashdot.org/commen... c6gunner proves it https://linux.slashdot.org/com... he forgot to SUBMIT as AC & using his registered 'lusrname' instead (because he tried to mock me both BEFORE & after I FAIRLY challenged him to show he's done better work - he had ZERO).

& YES - NO WAY I'd "cry" like you "playing victim ne'er-do-wells" on /. (TROLL /.ers, not all) OR post on hosts offtopic.

YOU HELPED ME https://science.slashdot.org/c... (& you quit trying to make me look bad trying to "tell lies" on hosts as "ME" IN YOUR IMPERSONATIONS of me e.g. https://tech.slashdot.org/comm... as regards Intel speculative execution attack? Hosts PREVENT 'EM)

APK

P.S.=> I KNOW the 2nd to last link above's KILLING YOU - YOU ACTUALLY HELPED ME getting me to see if hosts stop more than portsmash (& Meltdown + Spectre too) & "lo & behold" - hosts WORK on 'em - U LOSE... apk

Re: IMPERSONATING ME AGAIN? apk

If you want to play this game of unlimited AC posts, then I have unlimited mod points.

Usually I don't bother because your shit is too funny.

ZIP

please explain how it works

[goombah99]

I have a very vague notion about how row hammer operates but it's really vague. COuld someone explain it both in terms of how it works, how one gets sidechannel information from being able to flip the bits, and then, pratically, how one makes a nefarious use out of spotty info.

Re: please explain how it works

Continuously open and close a row enough times before physically adjacent rows are refreshed and you have a potential rowhammer event.

DDR3 solutions are to read and write these adjacent rows if event js detected

Re:please explain how it works

[Aighearach]

Basic rowhammer:
Step 1: Run some code 10,000 times until it works once
Step 2: Publish

The way you get sidechannel information specifically is:
Step 1: Know what sidechannel information you want to get
Step 2: Run some code 10,000,000 times until your buffer equals the data you wanted
Step 3: Publish

The point of this is not that somebody can extract useful sidechannel data in a realworld scenario. The point is merely that if you server is randomly crashing with lots of ECC errors in the logs, and the BIOS memory test says the memory is fine, then you might already be p0wned. Or you gave a shell account to a teenager.

Re:please explain how it works

I have a very vague notion about how row hammer operates but it's really vague. COuld someone explain it both in terms of how it works, how one gets sidechannel information from being able to flip the bits, and then, pratically, how one makes a nefarious use out of spotty info.

All of this is documented in the actual academic papers. There are a number of ways to exploit it. One is to cause the OS to create a very large page table and corrupt that RAM eventually giving yourself write access to your own page table. From there, everything is yours. If most of RAM is full of this huge page table, it doesn't take much luck to do that.

not enough strong voices 25 years ago

[iggymanz]

row hammer being possible means memory has a bad design. any and all patterns should be able to be changed as quickly as possible in ram without affecting adjacent positions. the compromises made to make row hammer possible are due to incompetence, compromises were made that make a design unreliable

Confirm it

We need more researchers to replicate these studies. They do not seem to do this and it is suspicious because one company would seem to benefit here.

Non-answer

That tells the parent nothing about how information is transferred. That was a non answer.

Re: Non-answer

This is a data corruption issue. If you can control how the bits are set then use your imagination. This will probably be vendor, and device specific but might even be system specific

Nope

No it's not a data corruption issue. The use as a DoS attack is a trivial use case. It's used to affect security too.

Re: Nope

It starts as a data corruption issue. Without ecc, you could corrupt protected memory space by hammering an address hoping the adjacent address takes on the same data. With ECC same plan but hope that the address isnâ(TM)t part of the ECC syndrome bits.

Re: Nope

You don't understand the attack. You keep thinking of the trivial one. There's a totally different use case for the attack here unrelated to the one you are certain it is.

Alpha Particles?? lol

Alpha Particles.. Lol... This author did not do his homework.. I piece of paper can stop an Alpha Particle... No way is an Alpha going to penetrate all the matter surrounding the memory silicon..

Re:Alpha Particles?? lol

[Waffle+Iron]

Alpha Particles.. Lol... This author did not do his homework.. I piece of paper can stop an Alpha Particle... No way is an Alpha going to penetrate all the matter surrounding the memory silicon..

No, the AC fails his homework. The alpha particles that caused problems in the past came from inside the chip packaging itself. DRAM manufacturers now go to great lengths to exclude any isotopes that could undergo alpha decay in their chips.

Re:Alpha Particles?? lol

there are trace radioactive elements in the plastic/ceramic package or silicon itself.
Not to mention creation of isotopes in being in a radioactive environment.

"This is the weapon of a jediknight"... apk

"The weapon of a jediknight: Not as clumsy/random as a blaster - An elegant weapon 4 a more civilized age" https://it.slashdot.org/commen...

* "For over a 1,000 generations the Jedi Knights were the guardians of peace & justice in the old Republic. Before the dark times. Before the EMPIRE..."

APK

P.S.=> KEEP IMPERSONATING ME allowing me to gain more ground exposing you here https://it.slashdot.org/commen... (downmod all day & RUN DRY of them - as I can just REPOST that UNLIMITEDLY (unlike MOST AC posters), lol - you know you will & so do I)... apk

IMPERSONATING ME AGAIN? apk

gweihir KNOWS u IMPERSONATE me https://it.slashdot.org/commen... c6gunner proves it https://linux.slashdot.org/com... he forgot to SUBMIT as AC & using his registered 'lusrname' instead (because he tried to mock me both BEFORE & after I FAIRLY challenged him to show he's done better work - he had ZERO).

& NO WAY I'd "cry" like you "playing victim ne'er-do-wells" on /. (TROLL /.ers, not all) OR post on hosts offtopic.

YOU HELPED ME https://science.slashdot.org/c... (& you quit trying to make me look bad trying to "tell lies" on hosts as "ME" IN YOUR IMPERSONATIONS of me e.g. https://tech.slashdot.org/comm... as regards Intel speculative execution attack? Hosts PREVENT 'EM)

APK

P.S.=> I KNOW the 2nd to last link above's KILLING YOU - YOU ACTUALLY HELPED ME getting me to see if hosts stop more than portsmash (& Meltdown + Spectre too) & "lo & behold" - hosts WORK on 'em - U LOSE... apk

Proving ZIP=PaperTiger vs. ME CyberianTiger

ZIP your lies & blunders enumerated here for all to see (funnier tha hell) https://science.slashdot.org/c... you PAPERTiger (effete/ineffectual BLOWHARD hotairware/notware, lol) https://tech.slashdot.org/comm...

QUESTION (that YOU always RUN from "Forrest"): WHO NOTED WHAT THE FIX IS FOR STRING RELATED BUFFER OVERFLOWS IN C++ to raymorris here 1st (ME or YOU?) ?

(LOL - you're LOATHE to answer that one, "Gosh, I wonder WHY?" & what makes YOU the one w/ ZERO TO SHOW for YOURSELF vs. me (& I haven't put out ANYWHERE NEAR what I could, even commercially sold ware w/ my code in it since 1997) the "better programmer" you CLAIM you are?)

APK

P.S.=> Garlic & crosses for Vampires, SilverBullets & Wolfsbane for Werewolves + THAT QUESTION ABOVE for "ZIP" = ALL THE SAME - they run, lol... apk

Are you autistic?

Are you autistic? I've been trying to figure out how it is that people end up knowing a lot about a subject and yet at the same time seem to know nothing about it. All I can think of is that they really don't understand the subject at all, but instead, they're just autistic and really good at memorizing random facts about their subject of interest.

Anyway, here's another random fact for you: The granularity of address space randomization is pages of 4096 bytes. So when the CPU decides to fill a cache line of 64 bytes, all 64 bytes are always contiguous in physical memory.

IMPERSONATING ME AGAIN? apk

gweihir KNOWS u IMPERSONATE me https://it.slashdot.org/commen... c6gunner proves it https://linux.slashdot.org/com... he forgot to SUBMIT as AC & using his registered 'lusrname' instead (because he tried to mock me both BEFORE & after I FAIRLY challenged him to show he's done better work - he had ZERO).

& NO WAY I'd "cry" like you "playing victim ne'er-do-wells" on /. (TROLL /.ers, not all) OR post on hosts offtopic.

YOU HELPED ME https://science.slashdot.org/c... (& you quit trying to make me look bad trying to "tell lies" on hosts as "ME" IN YOUR IMPERSONATIONS of me e.g. https://tech.slashdot.org/comm... as regards Intel speculative execution attack? Hosts PREVENT 'EM)

APK

P.S.=> I KNOW the 2nd to last link above's KILLING YOU - YOU ACTUALLY HELPED ME getting me to see if hosts stop more than portsmash (& Meltdown + Spectre too) & "lo & behold" - hosts WORK on 'em - U LOSE... apk

"This is the weapon of a jediknight"... apk

"Not as clumsy/random as a blaster - An elegant weapon 4 a more civilized age" https://it.slashdot.org/commen...

* "For over a 1,000 generations Jedi Knights were guardians of peace & justice in the old Republic. Before the dark times. Before the EMPIRE"

(NOT "wannabe weapons" of TROLL shitlords on /. like ZIP https://it.slashdot.org/commen... - theirs = effete downmods I RUN 'EM DRY OF & lies & WHY they LOSE).

APK

P.S.=> Many here know https://linux.slashdot.org/com... & enjoy greater speed/security/reliability & anonymity hosts yield natively speeding you up 2 ways (adblocks & hardcodes that protect vs. DNS security issues in redirect poisoning + request tracking logs & RESOLVE FASTER locally from RAM driven by KERNELMODE speed vs. slow usermode in "solutions" packed w/ security issues (DNS/Antivirus) OR not working fully by default (adblock) in usermode addons easily detected by webmasters & blocked doing less but using more)... apk

ECC so expensive

[aberglas]

The real issue is that ECC memory is so expensive that it is not often used. It should be used everywhere.

A few extra bits should only cost a few extra percent. But the price triples because it is considered a fancy server feature.

I suspect many system crashes and unrepeatable bugs are due to rare random memory errors. I had once buggy memory and it was maddening until sorted. And memory thrashers never found the issue.

Operating systems should get very upset at more than a few correctable ECC errors, closing down pages of memory, error messages to users etc. But they probably don't.

Re:ECC so expensive

[swilver]

What do you mean? It is only marginally more expensive.

With an AMD system that's the only extra expensive. For Intel, you also need a server class CPU (a 4 core Xeon will do).

Re:ECC so expensive

[Agripa]

What do you mean? It is only marginally more expensive.

With an AMD system that's the only extra expensive. For Intel, you also need a server class CPU (a 4 core Xeon will do).

For Intel, you also need a C series server class south bridge.

Interesting paper

[WaffleMonster]

Was always curious why rowhammer still works after scramblers built into current day memory controllers. They explain some of the reason it still works on page 10.

S|TME (total memory encryption) should be completely effective against these types of problems in future hardware.