Rowhammer Attacks Can Now Bypass ECC Memory Protections

Catalin Cimpanu, reporting for ZDNet: Academics from the Vrije University in Amsterdam, Holland, have published a research paper this week describing a new variation of the Rowhammer attack. For readers unfamiliar with the term, Rowhammer is the name of a class of exploits that takes advantage of a hardware design flaw in modern memory cards. By default, a memory card stores temporary data inside storage units named cells, which are arranged on the physical silicon chip in multiple rows, in the form of a grid. [...] In research [PDF] published today, named ECCploit, academics expanded the previous Rowhammer techniques with yet another variation. This one, they said, bypasses ECC memory, one of the memory protections that hardware makers said could detect and prevent Rowhammer attacks in the past.

ECC stands for Error-Correcting Code and is a type of memory storage included as a control mechanism with high-end RAM, typically deployed with expensive or mission-critical systems. ECC memory works by protecting against rogue bit flips, like the ones caused by Rowhammer attacks. Surprisingly, it wasn't developed to deal with Rowhammer. It was initially developed in the 90s to protect against bit flips caused by alpha particles, neutrons, or other cosmic rays, but when Rowhammer came out, it also proved to be effective against it, as well. But after spending months reverse engineering the designs of ECC memory, the Vrije University team discovered that this protection mechanism has its limits.

Rowhammer Attacks DOCUMENTED...

as being able to bypass ECC Memory Protections.

It has been possible all along, it is just that someone has publicly proved that the theoretical vulnerability is an actual vulnerability. VERY important difference from title, since this could have allowed the compromise of servers since DDR3 came out and maybe even further back (although the glitches allowing this were only proven in certain brands of DDR3 early on. I have not heard whether it is now ALL DDR3, or still only certain DDR3 lithography processes.

Assumed DDR4 is also compromised until you hear otherwise, and for anything that needs security, only run buffered ram, which is believed resistant if not immune to the attack.

Re:Rowhammer Attacks DOCUMENTED...

The thing is, you should find your log full of correctable ECC errors and system panics because of uncorrectable errors if someone tries Rowhammer on you. The likelyhood for 1Bit-flips and 2Bit-flips is a lot higher than for 3Bit-flips.

Both, especially the system panics, should be noticed by the users or your system monitoring.

And DDR4 RAM has mitigation built in, called Target-Row-Refresh (TRR), which, when used, counts accesses to the neighbouring rows and if they exceed a threshold, refreshes the row. The question is, does the current hardware use it?

Randomisation

[dohzer]

Doesn't Address Space Layout Randomisation basically make this impractical?

https://en.wikipedia.org/wiki/...

Re:Randomisation

[DarkOx]

Most people because Windows and Linux platforms pretty much turn it on out of the box now. You have to go out of your way not to use ASR.

Also the performance impact is pretty small unless your are running on ancient hardware with naive chache algorithms.

They 90's call they want your arguments back

Registered memory is not susceptible.

Unregistered ECC is basically only ever used on consumer grade chips. Registered memory is supported on anything server grade, and is usually cheaper than unregistered for the same capacity.

The concern here is it means systems that DO support unregistered ECC, specifically AMD 939-AM4 systems and 115x series Xeons/Pentiums are now proven susceptible to rowhammer attacks, which means unless you keep them isolated from the possibility of exploits or running unverified remote code (like javascript), they can be hacked from even unprivileged user code without any software exploits on the system itself.