Slashdot Mirror

← Back to Stories (view on slashdot.org)

Rowhammer Attacks Can Now Bypass ECC Memory Protections (zdnet.com)

Posted by msmash on from the security-woes dept.

Catalin Cimpanu, reporting for ZDNet: Academics from the Vrije University in Amsterdam, Holland, have published a research paper this week describing a new variation of the Rowhammer attack. For readers unfamiliar with the term, Rowhammer is the name of a class of exploits that takes advantage of a hardware design flaw in modern memory cards. By default, a memory card stores temporary data inside storage units named cells, which are arranged on the physical silicon chip in multiple rows, in the form of a grid. [...] In research [PDF] published today, named ECCploit, academics expanded the previous Rowhammer techniques with yet another variation. This one, they said, bypasses ECC memory, one of the memory protections that hardware makers said could detect and prevent Rowhammer attacks in the past.

ECC stands for Error-Correcting Code and is a type of memory storage included as a control mechanism with high-end RAM, typically deployed with expensive or mission-critical systems. ECC memory works by protecting against rogue bit flips, like the ones caused by Rowhammer attacks. Surprisingly, it wasn't developed to deal with Rowhammer. It was initially developed in the 90s to protect against bit flips caused by alpha particles, neutrons, or other cosmic rays, but when Rowhammer came out, it also proved to be effective against it, as well. But after spending months reverse engineering the designs of ECC memory, the Vrije University team discovered that this protection mechanism has its limits.

18 of 67 comments (clear)

  1. Rowhammer Attacks DOCUMENTED... by Anonymous Coward · · Score: 5, Interesting

    as being able to bypass ECC Memory Protections.

    It has been possible all along, it is just that someone has publicly proved that the theoretical vulnerability is an actual vulnerability. VERY important difference from title, since this could have allowed the compromise of servers since DDR3 came out and maybe even further back (although the glitches allowing this were only proven in certain brands of DDR3 early on. I have not heard whether it is now ALL DDR3, or still only certain DDR3 lithography processes.

    Assumed DDR4 is also compromised until you hear otherwise, and for anything that needs security, only run buffered ram, which is believed resistant if not immune to the attack.

    1. Re:Rowhammer Attacks DOCUMENTED... by Anonymous Coward · · Score: 1

      Why would buffered be resistant ?

    2. Re:Rowhammer Attacks DOCUMENTED... by Anonymous Coward · · Score: 5, Informative

      The thing is, you should find your log full of correctable ECC errors and system panics because of uncorrectable errors if someone tries Rowhammer on you. The likelyhood for 1Bit-flips and 2Bit-flips is a lot higher than for 3Bit-flips.

      Both, especially the system panics, should be noticed by the users or your system monitoring.

      And DDR4 RAM has mitigation built in, called Target-Row-Refresh (TRR), which, when used, counts accesses to the neighbouring rows and if they exceed a threshold, refreshes the row. The question is, does the current hardware use it?

    3. Re:Rowhammer Attacks DOCUMENTED... by Aighearach · · Score: 1

      No, not an "actual vulnerability," just an "actual example where the technique worked."

      Not really the same thing.

    4. Re: Rowhammer Attacks DOCUMENTED... by jabuzz · · Score: 1

      Isssue is by the time you have managed to produce a 3 bit error, you would have produced dozens of 1 and 2 bit errors and my monitoring system would begoing berserk and I would be investigating what the hell was going on. That is just a University HPC facility and any sort of ECC error is sufficiently rare as to be worth investigating as it is invariably a dodgy DIMM or node.

        I presume any monitored compute service would be the same. As such chances of this being used in the real world are likely to be very low.

  2. Randomisation by dohzer · · Score: 4, Interesting

    Doesn't Address Space Layout Randomisation basically make this impractical?

    https://en.wikipedia.org/wiki/...

    1. Re:Randomisation by DarkOx · · Score: 4, Informative

      Most people because Windows and Linux platforms pretty much turn it on out of the box now. You have to go out of your way not to use ASR.

      Also the performance impact is pretty small unless your are running on ancient hardware with naive chache algorithms.

      They 90's call they want your arguments back

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  3. You Can Officially Panic Now by mentil · · Score: 1

    The fact that servers normally utilize ECC RAM is probably the main reason this didn't blow up into a Spectre-style fiasco. I expect plenty of scrambling, in addition to slowdowns in VMs attempting to detect Rowhammer exploits. Rowhammer resistance for DRAM might be developed now, just like how Spectre resistance was a bullet point for the latest Intel CPUs, which is good since consumer devices were left vulnerable to Rowhammer.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:You Can Officially Panic Now by Aighearach · · Score: 1

      There is absolutely no reason why you would need to slow down the general VM to detect this. Unlike Spectre, which has to be actively prevented, this merely needs to be monitored and mitigated. You don't need the checks to stand in the way of access, they merely stand to the side and observe usage patterns and slow down access in certain scenarios. You wouldn't even need to reduce throughput noticeably.

      Unlike spectre which is a real threat in the datacenter, this is merely a thing that is worth watching.

  4. Registered memory is not susceptible. by Anonymous Coward · · Score: 3, Informative

    Unregistered ECC is basically only ever used on consumer grade chips. Registered memory is supported on anything server grade, and is usually cheaper than unregistered for the same capacity.

    The concern here is it means systems that DO support unregistered ECC, specifically AMD 939-AM4 systems and 115x series Xeons/Pentiums are now proven susceptible to rowhammer attacks, which means unless you keep them isolated from the possibility of exploits or running unverified remote code (like javascript), they can be hacked from even unprivileged user code without any software exploits on the system itself.

  5. please explain how it works by goombah99 · · Score: 1

    I have a very vague notion about how row hammer operates but it's really vague. COuld someone explain it both in terms of how it works, how one gets sidechannel information from being able to flip the bits, and then, pratically, how one makes a nefarious use out of spotty info.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:please explain how it works by Aighearach · · Score: 1

      Basic rowhammer:
      Step 1: Run some code 10,000 times until it works once
      Step 2: Publish

      The way you get sidechannel information specifically is:
      Step 1: Know what sidechannel information you want to get
      Step 2: Run some code 10,000,000 times until your buffer equals the data you wanted
      Step 3: Publish

      The point of this is not that somebody can extract useful sidechannel data in a realworld scenario. The point is merely that if you server is randomly crashing with lots of ECC errors in the logs, and the BIOS memory test says the memory is fine, then you might already be p0wned. Or you gave a shell account to a teenager.

  6. Re:Alpha Particles?? lol by Waffle+Iron · · Score: 1

    Alpha Particles.. Lol... This author did not do his homework.. I piece of paper can stop an Alpha Particle... No way is an Alpha going to penetrate all the matter surrounding the memory silicon..

    No, the AC fails his homework. The alpha particles that caused problems in the past came from inside the chip packaging itself. DRAM manufacturers now go to great lengths to exclude any isotopes that could undergo alpha decay in their chips.

  7. Re: IMPERSONATING ME AGAIN? apk by Anonymous Coward · · Score: 1

    If you want to play this game of unlimited AC posts, then I have unlimited mod points.

    Usually I don't bother because your shit is too funny.

    ZIP

  8. ECC so expensive by aberglas · · Score: 1

    The real issue is that ECC memory is so expensive that it is not often used. It should be used everywhere.

    A few extra bits should only cost a few extra percent. But the price triples because it is considered a fancy server feature.

    I suspect many system crashes and unrepeatable bugs are due to rare random memory errors. I had once buggy memory and it was maddening until sorted. And memory thrashers never found the issue.

    Operating systems should get very upset at more than a few correctable ECC errors, closing down pages of memory, error messages to users etc. But they probably don't.

    1. Re:ECC so expensive by swilver · · Score: 1

      What do you mean? It is only marginally more expensive.

      With an AMD system that's the only extra expensive. For Intel, you also need a server class CPU (a 4 core Xeon will do).

    2. Re:ECC so expensive by Agripa · · Score: 1

      What do you mean? It is only marginally more expensive.

      With an AMD system that's the only extra expensive. For Intel, you also need a server class CPU (a 4 core Xeon will do).

      For Intel, you also need a C series server class south bridge.

  9. Interesting paper by WaffleMonster · · Score: 1

    Was always curious why rowhammer still works after scramblers built into current day memory controllers. They explain some of the reason it still works on page 10.

    S|TME (total memory encryption) should be completely effective against these types of problems in future hardware.