Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Google

Google Says Rowhammer Attacks Are Gaining Range as RAM is Getting Smaller (therecord.media) 38

A team of Google security researchers said they discovered a new way to perform Rowhammer attacks against computer memory (RAM) cards that broaden the attack's initial impact. From a report: First detailed in 2014, Rowhammer was a ground-breaking attack that exploited the design of modern RAM cards, where memory cells are stored in grid-like arrangements. The basic principle behind Rowhammer was that a malicious app could perform rapid read/write operations on a row of memory cells. As the cells would shift their values from 0 to 1 and vice versa in a very small time window, this would generate small electromagnetic fields inside the row of "hammered" memory cells. The result of these fields were errors in nearby memory rows that sometimes flipped bits and altered adjacent data. [...] In a research paper published this week, a team of five Google security researchers took Rowhammer attacks to a new level. In a new attack variation named Half-Double, researchers said they managed to carry out a Rowhammer attack that caused bit flips at a distance of two rows from the âoehammeredâ row instead of just one.
This discussion has been archived. No new comments can be posted.

Google Says Rowhammer Attacks Are Gaining Range as RAM is Getting Smaller

Comments Filter:
  • by amorsen ( 7485 ) <benny+slashdot@amorsen.dk> on Thursday May 27, 2021 @10:39AM (#61427918)

    ECC absolutely matters.

    ECC availability matters a lot - exactly because Intel has been instrumental in killing the whole ECC industry with it's horribly bad market segmentation.

    Go out and search for ECC DIMMs - it's really hard to find. Yes - probably entirely thanks to AMD - it may have been gotten slightly better lately, but that's exactly my point.

    Intel has been detrimental to the whole industry and to users because of their bad and misguided policies wrt ECC. Seriously.

    And if you don't believe me, then just look at multiple generations of rowhammer, where each time Intel and memory manufacturers bleated about how it's going to be fixed next time.

    Narrator: "No it wasn't".

    See the whole post on RealWorldTech forum [realworldtech.com]

    • I'm surprised ECC RAM isn't everywhere. We have ECC on our SSDs and hard disks, why not something as critical as RAM, where a bit flip can potentially cause catastrophic results?

      • by amorsen ( 7485 )

        Because of market segmentation. ECC is premium and commands Apple prices (although if you buy RAM from Apple you pay Apple prices for non-ECC...)

      • by tlhIngan ( 30335 )

        I'm surprised ECC RAM isn't everywhere. We have ECC on our SSDs and hard disks, why not something as critical as RAM, where a bit flip can potentially cause catastrophic results?/blockquote.

        That's because ECC is required on hard drives and SSDs. The memory design of an SSD results in potential bit flips if doing a write or a read (called a read disturb or a write disturb). Yes, if you read a particular sector enough times, there is a potential to flip a bit in a neighboring sector. Part of this is design -

      • DDR5 will be all ECC. If you think there is a chip shortage now, just wait until only the newest CPUs are considered âoesecureâ and every computer with DDR4 and lower must be replaced.
    • Read Ian Cutress's comment. Even with AMD it's not a sure thing unless one has hardware that says it's "officially" supported across the board (CPU,MB,Memory).

      • by amorsen ( 7485 )

        True, AMD is not entirely innocent. However, their market power is low and they mostly do the right thing.

        Unlike Intel whose market power is extreme and who consistently does the wrong thing.

  • Flipping random bits of memory doesnâ(TM)t seem super useful beyond just causing random crashes. Whatâ(TM)s the real world use of such an attack?
    • by Anonymous Coward
      Crashing an airplane?
    • by amorsen ( 7485 )

      You can, with some limitations, pick which bit you flip. Sometimes you can also use it to extract the memory contents.

    • Testing your RAM to see if it's defective, I guess. Isn't that what Memtest86 does?

    • by Sebby ( 238625 )

      Flipping random bits of memory doesn't seem super useful beyond just causing random crashes. What's the real world use of such an attack?

      I remember hearing about a side-channel attack where flipping 1 bit halved the possibility for cracking an encryption key. I think in this example it was in the context of it running on a VM (with possible sandbox escape also being part of it).

    • I'd love to flip the bit that says I'm authorized to access a restricted resource. But even crashing security and malware monitors can be a pretty useful step.

    • You can use that for privilege escalation as you apparently have some control over what bits you flip and therefore have a decent chance of overwriting permissions flags for your memory block.

      Of course the counter-measures against it are the same people already use against other problems:
      1. Don't run Malware
      2. Only enable Javascript for trustworthy sources.

    • Crashing is one use of it if you just want to DOS. If you are malicious and either know enough about the target system, or by just plain dumb luck can rowhammer in some malicious code into a row that contains executable code, you could in theory run that code with an elevated privilege or on cloud computing environments, inside someone else's VM/Instance.
    • by Hentes ( 2461350 )

      As far as I understand it's mostly about attacking kernel space stuff and hoping that a jump address flips and sends the IP to an area of memory that the attacker controls, thus giving them kernel privileges. As you might expext, this really only worked in 32bit systems which have their 4gb of ram maxed out. So the attacker would allocate all the available memory for themselves to maximize the chance of capturing a random jump, then start hammering and hope for the best. This process takes dozens of hours,

  • Ah now I have a justification for buying a machine [youtu.be] with ECC.

    • A few years ago I did one of those sub-$300 gaming PC builds from YouTube. basically buy a cheap motherboard from Aliexpress, and a used or new-old-stock Xeon, and some scary cheap case and PSU, used ECC RAM, then spend the rest on the graphics card. I cheated though, I had a GTX 1070 Ti left over from my wife's old PC, so I spent my budget on extra RAM and a bigger (spinning disc) drive. I won't suggest you build to the same specs I did, as the build guide is a bit obsolete.

      CPU works fine. It was all the o

  • Memory access patterns done by a normal program, and memory access patterns done by a Rowhammer program look completely different.

    Normally, a program uses the CPU cache, and that would stop the rapid accesses to RAM. Rowhammer programs intentionally cause the cache to evict a memory block, and cause the rapid accesses to RAM.

    Perhaps it's time to add some slowdown at the memory controller level if a program is using the RAM like Rowhammer rather than a normal program.

Business is a good game -- lots of competition and minimum of rules. You keep score with money. -- Nolan Bushnell, founder of Atari

Working...