There's a New Way To Flip Bits in DRAM, and It Works Against the Latest Defenses (arstechnica.com) 44
An anonymous reader shares a report: In 2015, researchers reported a surprising discovery that stoked industry-wide security concerns -- an attack called RowHammer that could corrupt, modify, or steal sensitive data when a simple user-level application repeatedly accessed certain regions of DDR memory chips. In the coming years, memory chipmakers scrambled to develop defenses that prevented the attack, mainly by limiting the number of times programs could open and close the targeted chip regions in a given time. Recently, researchers devised a new method for creating the same types of RowHammer-induced bitflips even on a newer generation of chips, known as DDR4, that have the RowHammer mitigations built into them. Known as RowPress, the new attack works not by "hammering" carefully selected regions repeatedly, but instead by leaving them open for longer periods than normal. Bitflips refer to the phenomenon of bits represented as ones change to zeros and vice versa.
Further amplifying the vulnerability of DDR4 chips to read-disturbance attacks -- the generic term for inducing bitflips through abnormal accesses to memory chips -- RowPress bitflips can be enhanced by combining them with RowHammer accesses. Curiously, raising the temperature of the chip also intensifies the effect. "We demonstrate a proof of concept RowPress program that can cause bitflips in a real system that already employs protections against RowHammer," Onur Mutlu, a professor at ETH Zurich and a co-author of a recently published paper titled RowPress: Amplifying Read Disturbance in Modern DRAM Chips [PDF], wrote in an email. "Note that this is not in itself an attack. It simply shows that bitflips are possible and plenty, which can easily form the basis of an attack. As many prior works in security have shown, once you can induce a bitflip, you can use that bitflip for various attacks."
Further amplifying the vulnerability of DDR4 chips to read-disturbance attacks -- the generic term for inducing bitflips through abnormal accesses to memory chips -- RowPress bitflips can be enhanced by combining them with RowHammer accesses. Curiously, raising the temperature of the chip also intensifies the effect. "We demonstrate a proof of concept RowPress program that can cause bitflips in a real system that already employs protections against RowHammer," Onur Mutlu, a professor at ETH Zurich and a co-author of a recently published paper titled RowPress: Amplifying Read Disturbance in Modern DRAM Chips [PDF], wrote in an email. "Note that this is not in itself an attack. It simply shows that bitflips are possible and plenty, which can easily form the basis of an attack. As many prior works in security have shown, once you can induce a bitflip, you can use that bitflip for various attacks."
Re: (Score:2)
MAYBE
IIRC RowHammer was able to defeat some ECC systems?
Re: (Score:2)
Sorry for replying to myself, but . . .
Potentially disastrous Rowhammer bitflips can bypass ECC protections
ECCploit is the first Rowhammer attack to defeat error-correcting code.
Dan Goodin - Nov 22, 2018 1:06 am UTC
Re: (Score:2)
I can see an attack being able to allow unintended read of ECC data, but I don't see how an attack could corrupt memory and have it not caught by ECC... unless it's actually attacking the mechanisms that create the ECC bits at the same time?
I suppose that is possible, since ECC is to protect against random errors, not intentional ones...
Any links to the details? Is this talking about software-based ECC, not hardware-based?
Re:So (Score:5, Informative)
https://arstechnica.com/inform... [arstechnica.com]
Re: (Score:2)
Interesting read. Seems like this attack only works if there is a reliable chance of flipping a bit, that the probability of flipping bits simultaneously is high (otherwise if the hammering doesn't really flip multiple bits between subsequent reads of the target address, they'd be caught), the target address is adjacent to an accessible address, the ECC scheme is known, and the target address is static enough that the bits found by the scanning mechanism remain the ones that can be modified.
Also most ECC al
Still BAD Design (Score:5, Insightful)
Software should not be able to affect memory timing. PERIOD. Memory timing should be absolutely fixed, no matter how much or how often memory is accessed. If activity in one memory cell can ever affect the state of another memory cell then the design is WRONG. This seems similar to an electrical noise problem. I know that we want to cram as much memory as possible onto chips and into systems, BUT . . .
Re: (Score:2)
Training of the bus interface means the memory system is under some software control. It could be a microcontroller, but it's often some early startup code. Power states means that the busses and controllers support at least clock gating as well, and probably power gating too..
Re:Still BAD Design (Score:4, Informative)
Read the actual paper. Software CAN NOT accomplish this attack. Bare minimum you'd have to program the memory controller out of spec (meaning you already have root access) opr in some cases cobble your own memory controller from an FPGA like the researchers did.
Re:Still BAD Design (Score:4, Informative)
I did.
p.2 bottom of 1st column
"We demonstrate that a user-level program can induce RowPress bitflips in a real DDR4-based system that already employs RowHammer protection."
Even if this required root access, it could still be stealthy and very dangerous. Remember PEEK and POKE?
Re: (Score:2)
Even if this required root access, it could still be stealthy and very dangerous. Remember PEEK and POKE?
I'm not sure how to parse this. Systems with PEEK and POKE not only didn't have multiple users or CPUs with MMUs and therefore memory protection, they barely even had operating systems (though you can reasonably consider ROM BASIC an OS, albeit a severely limited one. you can use it to load programs after all.)
Re: (Score:2)
They mention that it doesn't affect DDR5, and that may be because they fixed this for DDR5.
DDR5 has mandatory ECC. It doesn't have to be exposed to the CPU, but the DIMM itself must implement it. Presumably if a bit is flipped in this manner, ECC will correct it.
I think the reason for mandating ECC was not protection against this kind of attack, but rather the fact that when you have 64GB on a single DIMM the probability of a bit flip due to cosmic rays and the like is high enough that you can't really do w
Anybody ever got Rowhammer to work? (Score:5, Interesting)
I tried on multiple systems, including some laptops, and failed completely. No ECC on any of those. But I noticed all papers on Rowhammer used laptops to test. My working theory is that some laptops conserve energy by refreshing RAM way too slow. That makes them very susceptible to Rowhammer. I still have to find anybody besides the researchers publishing on it that actually made Rowhammer work though. I
Re: (Score:2)
Re: (Score:2)
Nothing to do with refresh? Methinks you do not know how rowhammer or RAM refresh works.
Re: (Score:1)
Re: (Score:2)
Hahahah, no. It does not "have" to meet these at all and some laptop makers do not because much slower refresh does still work in most cases. And I never claimed it has anything to do with "power management", I said it was about "power".
Re: (Score:1)
Not this again! (Score:2)
Just do things to the system that only someone seated in front can do, like turn off cooling to raise the temperature.... Probably pushing the chips out of designed specs.
Doesn't ECC memory prevent or detect this? Why don't we have ECC as the standard now?
Re: (Score:2)
Please, see above.
ECC is basically a monitor and hope to fix solution. It does not prevent errors -- it hopes to correct them.
Your Q about specs. is interesting. It would hard to push beyond (positive/negative) thermal limits in a PC (right now), but you never know?
Re: Not this again! (Score:1)
Because ECC doesn't *correct* the error, it just tells the OS to crash as a safety precaution when an error gets detected.
A flipped bit due to something like cosmic rays has a tiny chance of mattering to the user (it might change a single bit in an annoying advertising image, or a bit in a game's texture), but crashing the computer upon detecting one has a *huge* likelihood of annoying the user.
We were briefly at a point about 15 years ago when RAM was dirt-cheap relative to the cost of the rest of the syst
Re: (Score:2)
"Because ECC doesn't *correct* the error, it just tells the OS to crash as a safety precaution when an error gets detected"
wait, what??
Re: (Score:2)
ECC can/does correct single-bit errors per word. Errors beyond 1bit/word are probably un-correctable and the EEC should tell the O/S to crash (if it hasn't already).
As far as the amount of RAM and cost goes: for some people/cases, it is irrelevant -- they will pay for the protection.
Re: (Score:2)
"so it's slower and more expensive"
How much slower & how much more expensive?
It may be well worth it & if we all switched to ECC, the higher cost *could* be negligible.
You can always make something cheaper but in some cases we've decided to accept higher standards despite much higher costs.
Re: (Score:2)
You're thinking of a parity error. ECC will only induce a fault if it can't correct for errors it detects. Otherwise the user won't even know it happened.
Re: (Score:2)
Because ECC doesn't *correct* the error, it just tells the OS to crash as a safety precaution when an error gets detected.
Wrong. ECC does in indeed correct single bit errors. It requires a multi-bit error for ECC to cause a system crash.
Re: Not this again! (Score:4, Informative)
Hint, it contains the word Correction.
Re: (Score:2)
We were briefly at a point about 15 years ago when RAM was dirt-cheap relative to the cost of the rest of the system due to 32-bit Windows being effectively limited to 4gb at a point when adding enough extra bits to do hardware-level Solomon-Reed EC would have been do-able... but now that even 32gb of RAM is limiting, the cost of increasing the amount of RAM to add enough bits for actual error-correction is less valuable to end users than doubling the RAM and just ignoring occasional single-bit errors. If the user even notices one (because something crashes), they'll just blame Windows or a buggy driver *anyway*.
All DDR5 memory has the extra bits for ECC. The only difference between registered and unregistered is signaling. Registered chips reliability is managed by memory controller rather than on chip. No fancy scrubbing et el.
Shitty hardware design. (Score:3)
Re: (Score:2)
I used to turn off DRAM refresh on my 8088 to make cycle counting tricks work. Of course the RAM contents are trashed if you leave it off for too long.
Probably a bad example, a lot of what was done on the IBM PC's hardware design was pretty bad. It was very much a product of a rushed design team.
Like the crash where the plane's rudder snapped? (Score:2)
Not long after the 9-11 attacks, an American Airlines Airbus jet crashed over Long Island. This was blamed on the pilot pumping the rudder pedals vigorously enough to snap the tail off the airplane.
The accident investigation revealed this not to be terrorism, rather, pilot error, a problem with pilot training or a design flaw.
The plane encountered "wake turbulence" from a plane it was following in the traffic stream departing JFK airport. Wake turbulence is not your ordinary updrafts and downdrafts g
Re: (Score:2)
IANAP, but, from what I've read, the pilot overreacted to the wake turbulence (a known issue if you follow another big plane closely) and in the process subjected the vertical stabilizer to forces of well over twice their design limit. Pilot error probably due to insufficient pilot training was identified by the NTSB as the probable cause, and AA modified their training program accordingly.
I do know that there are minimum distances required to separate aircraft taking off so that wake turbulence doesn't be
Design margins (Score:2)
IAAP, and on thinking about it, I believe I encountered wake turbulence once.
Pilots are trained to visualize the invisible vortex coming off a plane in front, and if possible, to climb above where you think the vortex is, which will be sinking. Other than, yes, a pilot can be an a$$hole and legally refuse a takeoff clearance, but generally, separation in lateral distance and in altitude in departures from large airports are dictated by air-traffic controllers.
They will squawk at you over the radio "ca
This is not a software attack! (Score:3)
You must at minimum configure the memory controller out of spec. The actual research was done with a custom memory controller implemented in an FPGA.
There are very few applications where root exists but is not permitted to examine user process memory at will on real hardware. None of those work on anything POSIX like.
Re: (Score:2)
Hmm, NO.
You must at minimum configure the memory controller out of spec. The actual research was done with a custom memory controller implemented in an FPGA.
The research did use an FPGA, BUT . . . ."
p.2 bottom of 1st column
"We demonstrate that a user-level program can induce RowPress bitflips in a real DDR4-based system that already employs RowHammer protection.
The program accesses multiple different columns of the aggressor DRAM row so that the memory controller keeps the aggressor row open for a longer period of time . .
There are very few applications where root exists but is not permitted to examine user process memory at will on real hardware. None of those work on anything POSIX like.
POSIX may require guard space, but not always. The point is that a process/thread can use these techniques to flip adjacent memory re
Re: (Score:2)
It's not a matter of guard space, it's a matter that you'll need to be root to have sufficient control over the system to pull off the attack, and root already has access to every process's RAM without an attack.
This is only useful if root is not allowed to access other user's processes, which does not describe a POSIX system.
These things do need to be fixed, if for no other reason they can have an effect on the stability and correctness of the system, but generally they require a highly contrived scenario
It is common enough (Score:2)
Re: (Score:2)
And root can also undo that if so desired.
In future related news ... (Score:5, Funny)
Researches discover that DRAM bits can be flipped by violently shaking the system -- demonstrated by mounting a running laptop on a paint shaker.