Google Says Rowhammer Attacks Are Gaining Range as RAM is Getting Smaller (therecord.media) 38
A team of Google security researchers said they discovered a new way to perform Rowhammer attacks against computer memory (RAM) cards that broaden the attack's initial impact. From a report: First detailed in 2014, Rowhammer was a ground-breaking attack that exploited the design of modern RAM cards, where memory cells are stored in grid-like arrangements. The basic principle behind Rowhammer was that a malicious app could perform rapid read/write operations on a row of memory cells. As the cells would shift their values from 0 to 1 and vice versa in a very small time window, this would generate small electromagnetic fields inside the row of "hammered" memory cells. The result of these fields were errors in nearby memory rows that sometimes flipped bits and altered adjacent data. [...] In a research paper published this week, a team of five Google security researchers took Rowhammer attacks to a new level. In a new attack variation named Half-Double, researchers said they managed to carry out a Rowhammer attack that caused bit flips at a distance of two rows from the "hammered" row instead of just one.
Linus Torvalds called it (Score:5, Informative)
ECC absolutely matters.
ECC availability matters a lot - exactly because Intel has been instrumental in killing the whole ECC industry with its horribly bad market segmentation.
Go out and search for ECC DIMMs - it's really hard to find. Yes - probably entirely thanks to AMD - it may have gotten slightly better lately, but that's exactly my point.
Intel has been detrimental to the whole industry and to users because of their bad and misguided policies wrt ECC. Seriously.
And if you don't believe me, then just look at multiple generations of rowhammer, where each time Intel and memory manufacturers bleated about how it's going to be fixed next time.
Narrator: "No it wasn't".
See the whole post on RealWorldTech forum [realworldtech.com]
Re:Linus Torvalds called it (Score:5, Informative)
The one that says that no Intel processor branded less than "Xeon" supports ECC RAM?
Re: (Score:3)
The funny thing is we used to have the same segmentation with virtualization. With similar results. AMD did, Intel was more selective and a buyer had to read everything carefully in order to get the right hardware.
Re: (Score:1)
What are the consequences of a random one bit error for the vast majority of desktop users? Nothing.
Re: (Score:3)
System stability, especially since people are asking more of their machines. No one likes to lose work or time due to a systems crash.
Re: (Score:2)
Except partially mitigating, slowing down, and/or detecting rowhammer attacks. But that's nothing to you, apparently.
Re:Linus Torvalds called it (Score:4, Insightful)
Nothing, ArchieBunker, nothing at all. Go about your business.
For the rest of us who might actually care about privilege escalation, arbitrary code execution, and chained attacks allowing access to the entire system, there's this [github.com].
Re: (Score:2)
I'm amazed a large number of people calling themselves "developers" here don't seem to care about such flaws, and also argue that the rather large number of bit flips that occur per day on a machine with tens of gigs of memory due to cosmic rays is nothing. Living totally detached from knowledge of reality...
Re: (Score:3)
These days? Everything.
Usernames and passwords to facebook, bank accounts, work accounts, Steam, Amazon, saved credit cards and credentials in the browser, etc. Besides which a computer is a valuable resource in itself.
This "I don't do anything important" attitude went completely obsolete with the internet, so you're a few decades out of date with the state of the world. Yeah, nobody cares about you personally, but they don't have to. It's just a matter of exploiting a hole, then running a standard script t
Re: (Score:2)
Great, so where is the proof of concept code?
Re: (Score:2)
If you ever wonder why apps crash randomly. Browser tabs sometimes fail to load but come back with a refresh. Or other system instability that is difficult to attribute to a consistently reproducible bug.
My favorite is when a bad bit works its way into an app's font cache. Then I see it repeated many times until I refresh the cache.
Re: (Score:2)
Privilege Escalation.
Some programs on Android gain root by using Rowhammer.
Re: (Score:3)
I'm surprised ECC RAM isn't everywhere. We have ECC on our SSDs and hard disks, why not something as critical as RAM, where a bit flip can potentially cause catastrophic results?
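The thread's point that ECC "partially mitigates and detects" Rowhammer comes down to the arithmetic of SECDED (single-error-correct, double-error-detect) codes, which is what ECC DIMMs use over each 64-bit word with 8 extra check bits. The following is an added illustration written for this page, not code from any memory vendor or from the Google paper; it is a toy extended Hamming code over a 64-bit word, with the 72-bit layout, position numbering and helper names all chosen here.

```python
"""Toy SECDED (extended Hamming) code over a 64-bit word, laid out in the
72-bit width of an ECC DIMM. Constructed example for illustration; not any
vendor's real ECC implementation."""

DATA_BITS = 64
HAMMING_PARITY = [1, 2, 4, 8, 16, 32, 64]   # parity bits sit at power-of-two positions
CODEWORD_BITS = 72                          # positions 0..71; position 0 = overall parity
DATA_POSITIONS = [p for p in range(1, CODEWORD_BITS) if p not in HAMMING_PARITY]
assert len(DATA_POSITIONS) == DATA_BITS     # 71 positions minus 7 parity = 64 data


def encode(word: int) -> list:
    """Return the 72-bit codeword as a list of bits indexed by position."""
    bits = [0] * CODEWORD_BITS
    for i, p in enumerate(DATA_POSITIONS):
        bits[p] = (word >> i) & 1
    # Parity bit at position pp covers every position p whose index has bit pp set.
    for pp in HAMMING_PARITY:
        bits[pp] = 0
        for p in range(1, CODEWORD_BITS):
            if p != pp and (p & pp):
                bits[pp] ^= bits[p]
    # Overall parity over positions 1..71 is what lets us tell one flip from two.
    bits[0] = 0
    for p in range(1, CODEWORD_BITS):
        bits[0] ^= bits[p]
    return bits


def extract(bits) -> int:
    """Recover the 64-bit data word from a codeword (no checking)."""
    word = 0
    for i, p in enumerate(DATA_POSITIONS):
        word |= bits[p] << i
    return word


def decode(bits):
    """Return (status, word): 'ok', 'corrected' (one flip fixed), or
    'uncorrectable' (two flips detected, word returned as None)."""
    bits = list(bits)
    # Syndrome = XOR of the positions of all set bits; a single flip at
    # position p leaves syndrome == p because each failing check has bit p&pp.
    syndrome = 0
    for p in range(1, CODEWORD_BITS):
        if bits[p]:
            syndrome ^= p
    overall = 0
    for p in range(CODEWORD_BITS):
        overall ^= bits[p]
    if syndrome == 0 and overall == 0:
        return "ok", extract(bits)
    if overall == 1:
        # Odd number of flips, assumed one: syndrome is its position
        # (0 means the overall-parity bit itself flipped).
        bits[syndrome] ^= 1
        return "corrected", extract(bits)
    # Even number of flips with a non-zero syndrome: two errors, cannot locate them.
    return "uncorrectable", None


def flip(bits, positions):
    """Simulate Rowhammer-style bit flips at the given codeword positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    w = 0x0123456789ABCDEF
    cw = encode(w)
    print(decode(cw))                 # ('ok', 81985529216486895)
    print(decode(flip(cw, [37])))     # ('corrected', 81985529216486895)
    print(decode(flip(cw, [37, 5])))  # ('uncorrectable', None)
```

The behaviour worth noticing for this thread: one flip per 64-bit word is silently corrected (and a machine-check log entry is usually raised, which is the detection half), two flips are detected but not corrected, and three or more can be miscorrected or missed entirely. That is why ECC is a partial mitigation rather than a fix, and why attacks that produce several flips in the same word are the ones that matter against ECC machines.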
Re: (Score:1)
Because of market segmentation. ECC is premium and commands Apple prices (although if you buy RAM from Apple you pay Apple prices for non-ECC...)
Re: (Score:2)
Re: Linus Torvalds called it (Score:2)
Re: (Score:3)
Read Ian Cutress's comment. Even with AMD it's not a sure thing unless one has hardware that says it's "officially" supported across the board (CPU,MB,Memory).
Re: (Score:2)
True, AMD is not entirely innocent. However, their market power is low and they mostly do the right thing.
Unlike Intel whose market power is extreme and who consistently does the wrong thing.
So what is the real world use? (Score:2)
Re: (Score:1)
Re: (Score:3)
You can, with some limitations, pick which bit you flip. Sometimes you can also use it to extract the memory contents.
Re: (Score:2)
Testing your RAM to see if it's defective, I guess. Isn't that what Memtest86 does?
Re: (Score:3)
Flipping random bits of memory doesn't seem super useful beyond just causing random crashes. What's the real world use of such an attack?
I remember hearing about a side-channel attack where flipping 1 bit halved the possibility for cracking an encryption key. I think in this example it was in the context of it running on a VM (with possible sandbox escape also being part of it).
Re: (Score:2)
I'd love to flip the bit that says I'm authorized to access a restricted resource. But even crashing security and malware monitors can be a pretty useful step.
Re: (Score:2)
You can use that for privilege escalation as you apparently have some control over what bits you flip and therefore have a decent chance of overwriting permissions flags for your memory block.
Of course the counter-measures against it are the same people already use against other problems:
1. Don't run Malware
2. Only enable Javascript for trustworthy sources.
Re: (Score:1)
Re: (Score:2)
As far as I understand it's mostly about attacking kernel space stuff and hoping that a jump address flips and sends the IP to an area of memory that the attacker controls, thus giving them kernel privileges. As you might expect, this really only worked in 32bit systems which have their 4gb of ram maxed out. So the attacker would allocate all the available memory for themselves to maximize the chance of capturing a random jump, then start hammering and hope for the best. This process takes dozens of hours,
Desktop ECC. (Score:2)
Ah now I have a justification for buying a machine [youtu.be] with ECC.
Re: (Score:2)
A few years ago I did one of those sub-$300 gaming PC builds from YouTube: basically buy a cheap motherboard from Aliexpress, and a used or new-old-stock Xeon, and some scary cheap case and PSU, used ECC RAM, then spend the rest on the graphics card. I cheated though, I had a GTX 1070 Ti left over from my wife's old PC, so I spent my budget on extra RAM and a bigger (spinning disc) drive. I won't suggest you build to the same specs I did, as the build guide is a bit obsolete.
CPU works fine. It was all the o
Cache Bypassing (Score:2)
Memory access patterns done by a normal program, and memory access patterns done by a Rowhammer program look completely different.
Normally, a program uses the CPU cache, and that would stop the rapid accesses to RAM. Rowhammer programs intentionally cause the cache to evict a memory block, and cause the rapid accesses to RAM.
Perhaps it's time to add some slowdown at the memory controller level if a program is using the RAM like Rowhammer rather than a normal program.
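The observation above (a hammering program defeats the cache, so nearly every one of its memory references misses the last-level cache and goes to DRAM, unlike a normal program) is exactly what counter-based detectors key on. The following is an added example written for this page, not code from the original poster or from any shipping product: a small monitor that reads per-process last-level-cache counter samples, flags a process whose miss rate and miss ratio both stay above thresholds for several consecutive intervals, and ignores a one-off burst. The log line format, the field names and the threshold values are all assumptions chosen here, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: one line per process per 100 ms interval. The field
# names (llc_misses, llc_refs) are this example's own, not a real tool's format.
SAMPLE = """\
t=0.0 pid=1001 comm=browser llc_misses=12000 llc_refs=900000
t=0.0 pid=2002 comm=hammer llc_misses=4100000 llc_refs=4200000
t=0.1 pid=1001 comm=browser llc_misses=9500 llc_refs=880000
t=0.1 pid=2002 comm=hammer llc_misses=4050000 llc_refs=4120000
t=0.2 pid=1001 comm=browser llc_misses=300000 llc_refs=400000
t=0.2 pid=2002 comm=hammer llc_misses=4180000 llc_refs=4260000
t=0.3 pid=1001 comm=browser llc_misses=11000 llc_refs=910000
t=0.3 pid=2002 comm=hammer llc_misses=4090000 llc_refs=4190000
"""

INTERVAL_S = 0.1                    # sampling interval the counters were read over
MISS_RATE_THRESHOLD = 10_000_000    # LLC misses per second (assumed tuning value)
MISS_RATIO_THRESHOLD = 0.9          # fraction of LLC references that miss
SUSTAIN_INTERVALS = 3               # how many consecutive intervals before flagging

LINE_RE = re.compile(
    r"t=(\S+) pid=(\d+) comm=(\S+) llc_misses=(\d+) llc_refs=(\d+)")


def parse(text):
    """Yield (t, pid, comm, misses, refs) for each well-formed sample line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip malformed lines rather than crash the monitor
        yield float(m[1]), int(m[2]), m[3], int(m[4]), int(m[5])


def interval_is_hammer_like(misses, refs):
    """True when an interval shows both a high DRAM access rate and a cache
    that is being bypassed almost completely."""
    rate = misses / INTERVAL_S
    ratio = misses / refs if refs else 0.0
    return rate >= MISS_RATE_THRESHOLD and ratio >= MISS_RATIO_THRESHOLD


def find_suspects(text):
    """Return {pid: (comm, t_flagged)} for processes that sustain a
    hammer-like pattern for SUSTAIN_INTERVALS consecutive intervals."""
    streak = defaultdict(int)
    suspects = {}
    for t, pid, comm, misses, refs in parse(text):
        if interval_is_hammer_like(misses, refs):
            streak[pid] += 1
            if streak[pid] >= SUSTAIN_INTERVALS and pid not in suspects:
                suspects[pid] = (comm, t)
        else:
            streak[pid] = 0         # a single noisy interval resets the streak
    return suspects


if __name__ == "__main__":
    for pid, (comm, t) in find_suspects(SAMPLE).items():
        print(f"pid {pid} ({comm}) sustained hammer-like DRAM access from t={t}")
```

In the sample, the browser's burst at t=0.2 (a high miss ratio but a low absolute rate) is not flagged, while the hammering process is flagged on its third interval. The caveat a practitioner should keep in mind is that this is a rate heuristic only: a streaming memory-bound workload such as a large memcpy also misses the cache constantly. Published detectors therefore add a second check on address locality, i.e. whether the misses keep returning to the same few DRAM rows, before throttling or killing the process, which is the memory-controller-level slowdown the comment proposes.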
Re: (Score:2)
> Couldn't find the right keywords for Google on this.
walking drives
Re: (Score:1)
TRS-80's would make sparking sounds and flicker funny when certain POKE commands were issued. I used it to freak out newbies one April 1. I may just have prevented a career or two in IT.