There's a New Way To Flip Bits in DRAM, and It Works Against the Latest Defenses (arstechnica.com)

An anonymous reader shares a report: In 2015, researchers reported a surprising discovery that stoked industry-wide security concerns -- an attack called RowHammer that could corrupt, modify, or steal sensitive data when a simple user-level application repeatedly accessed certain regions of DDR memory chips. In the coming years, memory chipmakers scrambled to develop defenses that prevented the attack, mainly by limiting the number of times programs could open and close the targeted chip regions in a given time. Recently, researchers devised a new method for creating the same types of RowHammer-induced bitflips even on a newer generation of chips, known as DDR4, that have the RowHammer mitigations built into them. Known as RowPress, the new attack works not by "hammering" carefully selected regions repeatedly, but instead by leaving them open for longer periods than normal. Bitflips refer to the phenomenon of bits represented as ones changing to zeros and vice versa.

Further amplifying the vulnerability of DDR4 chips to read-disturbance attacks -- the generic term for inducing bitflips through abnormal accesses to memory chips -- RowPress bitflips can be enhanced by combining them with RowHammer accesses. Curiously, raising the temperature of the chip also intensifies the effect. "We demonstrate a proof of concept RowPress program that can cause bitflips in a real system that already employs protections against RowHammer," Onur Mutlu, a professor at ETH Zurich and a co-author of a recently published paper titled RowPress: Amplifying Read Disturbance in Modern DRAM Chips [PDF], wrote in an email. "Note that this is not in itself an attack. It simply shows that bitflips are possible and plenty, which can easily form the basis of an attack. As many prior works in security have shown, once you can induce a bitflip, you can use that bitflip for various attacks."

  • Still BAD Design (Score:5, Insightful)

    by srg33 ( 1095679 ) on Thursday October 19, 2023 @04:39PM (#63937883)

    Software should not be able to affect memory timing. PERIOD. Memory timing should be absolutely fixed, no matter how much or how often memory is accessed. If activity in one memory cell can ever affect the state of another memory cell then the design is WRONG. This seems similar to an electrical noise problem. I know that we want to cram as much memory as possible onto chips and into systems, BUT . . .

    • Training of the bus interface means the memory system is under some software control. It could be a microcontroller, but it's often some early startup code. Power states mean that the busses and controllers support at least clock gating as well, and probably power gating too.

    • Re:Still BAD Design (Score:4, Informative)

      by sjames ( 1099 ) on Thursday October 19, 2023 @05:58PM (#63938007) Homepage Journal

      Read the actual paper. Software CAN NOT accomplish this attack. Bare minimum you'd have to program the memory controller out of spec (meaning you already have root access) or in some cases cobble your own memory controller from an FPGA like the researchers did.

      • Re:Still BAD Design (Score:4, Informative)

        by srg33 ( 1095679 ) on Thursday October 19, 2023 @06:13PM (#63938047)

        I did.
        p.2 bottom of 1st column
        "We demonstrate that a user-level program can induce RowPress bitflips in a real DDR4-based system that already employs RowHammer protection."
        Even if this required root access, it could still be stealthy and very dangerous. Remember PEEK and POKE?

        • Even if this required root access, it could still be stealthy and very dangerous. Remember PEEK and POKE?

          I'm not sure how to parse this. Systems with PEEK and POKE not only didn't have multiple users or CPUs with MMUs and therefore memory protection, they barely even had operating systems (though you can reasonably consider ROM BASIC an OS, albeit a severely limited one. You can use it to load programs after all.)

    • by AmiMoJo ( 196126 )

      They mention that it doesn't affect DDR5, and that may be because they fixed this for DDR5.

      DDR5 has mandatory ECC. It doesn't have to be exposed to the CPU, but the DIMM itself must implement it. Presumably if a bit is flipped in this manner, ECC will correct it.

      I think the reason for mandating ECC was not protection against this kind of attack, but rather the fact that when you have 64GB on a single DIMM the probability of a bit flip due to cosmic rays and the like is high enough that you can't really do w

  • by gweihir ( 88907 ) on Thursday October 19, 2023 @04:41PM (#63937887)

    I tried on multiple systems, including some laptops, and failed completely. No ECC on any of those. But I noticed all papers on Rowhammer used laptops to test. My working theory is that some laptops conserve energy by refreshing RAM way too slow. That makes them very susceptible to Rowhammer. I still have to find anybody besides the researchers publishing on it that actually made Rowhammer work though. I

    • Try using blacksmith to flip bits. https://github.com/comsec-grou... [github.com] You can easily cause single flip bits on servers/desktops with blacksmith. Nothing to do with laptops and power management.
      • by gweihir ( 88907 )

        Nothing to do with refresh? Methinks you do not know how rowhammer or RAM refresh works.

        • I didn't say it had nothing to do with refresh. I said it has nothing to do with laptops and power management. All DDR4 DRAM requires every row to be refreshed every 64 ms (at normal temps), and all DDR5 DRAM requires every row to be refreshed every 32 ms. The DRAM on laptops (whether SO-DIMMS or LPDDR) still has to meet those same refresh requirements.
          • by gweihir ( 88907 )

            Hahahah, no. It does not "have" to meet these at all and some laptop makers do not because much slower refresh does still work in most cases. And I never claimed it has anything to do with "power management", I said it was about "power".

            • Sorry, you're just wrong. Where do you think refresh policy is implemented? It's in the memory controller, which is on the Intel or AMD SoC. Do you really think that laptop manufacturers have the ability to modify this behavior in the memory controller?
  • This time it can be an exploit, we promise!

    Just do things to the system that only someone seated in front can do, like turn off cooling to raise the temperature.... Probably pushing the chips out of designed specs.

    Doesn't ECC memory prevent or detect this? Why don't we have ECC as the standard now?
    • by srg33 ( 1095679 )

      Please, see above.
      ECC is basically a monitor and hope to fix solution. It does not prevent errors -- it hopes to correct them.
      Your Q about specs. is interesting. It would be hard to push beyond (positive/negative) thermal limits in a PC (right now), but you never know?

    • Because ECC doesn't *correct* the error, it just tells the OS to crash as a safety precaution when an error gets detected.

      A flipped bit due to something like cosmic rays has a tiny chance of mattering to the user (it might change a single bit in an annoying advertising image, or a bit in a game's texture), but crashing the computer upon detecting one has a *huge* likelihood of annoying the user.

      We were briefly at a point about 15 years ago when RAM was dirt-cheap relative to the cost of the rest of the syst

      • by haruchai ( 17472 )

        "Because ECC doesn't *correct* the error, it just tells the OS to crash as a safety precaution when an error gets detected"
        wait, what??

        • by srg33 ( 1095679 )

          ECC can/does correct single-bit errors per word. Errors beyond 1 bit/word are probably un-correctable and the ECC should tell the O/S to crash (if it hasn't already).
          As far as the amount of RAM and cost goes: for some people/cases, it is irrelevant -- they will pay for the protection.

      • by Mal-2 ( 675116 )

        You're thinking of a parity error. ECC will only induce a fault if it can't correct for errors it detects. Otherwise the user won't even know it happened.

      • Because ECC doesn't *correct* the error, it just tells the OS to crash as a safety precaution when an error gets detected.

        Wrong. ECC does indeed correct single bit errors. It requires a multi-bit error for ECC to cause a system crash.
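A toy SECDED (single-error-correcting, double-error-detecting) Hamming code that shows the behaviour the posts above argue over: one flipped bit is corrected silently, two flipped bits are detected but cannot be corrected, which is the case that gets reported to the OS. This is an added example, not code from the article or any commenter; the 8-bit word size and the encode/decode names are my own choices (ECC DIMMs use a (72,64) code, but the decision logic is the same).

```python
# Constructed illustration of SECDED ECC on an 8-bit word.
DATA_BITS = 8

def _positions(data_bits):
    """Codeword positions 1..n; powers of two hold Hamming parity, the rest hold data."""
    r = 0
    while (1 << r) < data_bits + r + 1:
        r += 1
    n = data_bits + r
    data_pos = [i for i in range(1, n + 1) if i & (i - 1)]   # not a power of two
    parity_pos = [1 << k for k in range(r)]
    return n, data_pos, parity_pos

def encode(data, data_bits=DATA_BITS):
    """Return a codeword: bit 0 = overall parity, bits 1..n = Hamming code."""
    n, data_pos, parity_pos = _positions(data_bits)
    bits = [0] * (n + 1)
    for k, pos in enumerate(data_pos):          # place data LSB-first into data slots
        bits[pos] = (data >> k) & 1
    for p in parity_pos:                        # parity p covers every position i with i & p set
        for i in range(1, n + 1):
            if i & p and i != p:
                bits[p] ^= bits[i]
    for i in range(1, n + 1):                   # overall parity enables double-error detection
        bits[0] ^= bits[i]
    return sum(b << i for i, b in enumerate(bits))

def decode(word, data_bits=DATA_BITS):
    """Return (status, data); status is "ok", "corrected" or "uncorrectable" (data None)."""
    n, data_pos, _ = _positions(data_bits)
    bits = [(word >> i) & 1 for i in range(n + 1)]
    syndrome = 0                                # XOR of set positions = index of a single flipped bit
    for i in range(1, n + 1):
        if bits[i]:
            syndrome ^= i
    overall = 0                                 # 0 when the overall parity is still consistent
    for b in bits:
        overall ^= b
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:                          # odd flip count: assume one, repair it
        bits[syndrome] ^= 1                     # syndrome 0 means the parity bit itself flipped
        status = "corrected"
    else:                                       # syndrome set but parity consistent: two flips
        return "uncorrectable", None
    data = 0
    for k, pos in enumerate(data_pos):
        data |= bits[pos] << k
    return status, data
```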

      • Re: Not this again! (Score:4, Informative)

        by Fly Swatter ( 30498 ) on Thursday October 19, 2023 @06:04PM (#63938029) Homepage
        Maybe look up what ECC stands for [wikipedia.org].

        Hint, it contains the word Correction.
      • We were briefly at a point about 15 years ago when RAM was dirt-cheap relative to the cost of the rest of the system due to 32-bit Windows being effectively limited to 4gb at a point when adding enough extra bits to do hardware-level Reed-Solomon EC would have been do-able... but now that even 32gb of RAM is limiting, the cost of increasing the amount of RAM to add enough bits for actual error-correction is less valuable to end users than doubling the RAM and just ignoring occasional single-bit errors. If the user even notices one (because something crashes), they'll just blame Windows or a buggy driver *anyway*.

        All DDR5 memory has the extra bits for ECC. The only difference between registered and unregistered is signaling. Registered chips' reliability is managed by the memory controller rather than on chip. No fancy scrubbing et al.

  • by HotNeedleOfInquiry ( 598897 ) on Thursday October 19, 2023 @05:34PM (#63937967)
    I've been designing computer hardware for about 40 years. ANY hardware design that allows a program to damage or corrupt memory is just flat wrong.
    • I used to turn off DRAM refresh on my 8088 to make cycle counting tricks work. Of course the RAM contents are trashed if you leave it off for too long.

      Probably a bad example, a lot of what was done on the IBM PC's hardware design was pretty bad. It was very much a product of a rushed design team.

    • Not long after the 9-11 attacks, an American Airlines Airbus jet crashed over Long Island. This was blamed on the pilot pumping the rudder pedals vigorously enough to snap the tail off the airplane.

      The accident investigation revealed this not to be terrorism, rather, pilot error, a problem with pilot training or a design flaw.

      The plane encountered "wake turbulence" from a plane it was following in the traffic stream departing JFK airport. Wake turbulence is not your ordinary updrafts and downdrafts g

      • IANAP, but, from what I've read, the pilot overreacted to the wake turbulence (a known issue if you follow another big plane closely) and in the process subjected the vertical stabilizer to forces of well over twice their design limit. Pilot error probably due to insufficient pilot training was identified by the NTSB as the probable cause, and AA modified their training program accordingly.

        I do know that there are minimum distances required to separate aircraft taking off so that wake turbulence doesn't be

        • IAAP, and on thinking about it, I believe I encountered wake turbulence once.

          Pilots are trained to visualize the invisible vortex coming off a plane in front, and if possible, to climb above where you think the vortex is, which will be sinking. Other than, yes, a pilot can be an a$$hole and legally refuse a takeoff clearance, but generally, separation in lateral distance and in altitude in departures from large airports are dictated by air-traffic controllers.

          They will squawk at you over the radio "ca

  • by sjames ( 1099 ) on Thursday October 19, 2023 @06:04PM (#63938027) Homepage Journal

    You must at minimum configure the memory controller out of spec. The actual research was done with a custom memory controller implemented in an FPGA.

    There are very few applications where root exists but is not permitted to examine user process memory at will on real hardware. None of those work on anything POSIX like.

    • by srg33 ( 1095679 )

      Hmm, NO.

      You must at minimum configure the memory controller out of spec. The actual research was done with a custom memory controller implemented in an FPGA.

      The research did use an FPGA, BUT . . .
      p.2 bottom of 1st column
      "We demonstrate that a user-level program can induce RowPress bitflips in a real DDR4-based system that already employs RowHammer protection.
      The program accesses multiple different columns of the aggressor DRAM row so that the memory controller keeps the aggressor row open for a longer period of time . . ."

      There are very few applications where root exists but is not permitted to examine user process memory at will on real hardware. None of those work on anything POSIX like.

      POSIX may require guard space, but not always. The point is that a process/thread can use these techniques to flip adjacent memory re

      • by sjames ( 1099 )

        It's not a matter of guard space, it's a matter that you'll need to be root to have sufficient control over the system to pull off the attack, and root already has access to every process's RAM without an attack.

        This is only useful if root is not allowed to access other user's processes, which does not describe a POSIX system.

        These things do need to be fixed, if for no other reason they can have an effect on the stability and correctness of the system, but generally they require a highly contrived scenario

    • RHEL and Fedora both encourage blocking of ptrace() even to root using `setsebool -P deny_ptrace on` and confined root processes are usually blocked from reading the memory regions of other confined processes by default anyway.
  • by fahrbot-bot ( 874524 ) on Thursday October 19, 2023 @07:44PM (#63938171)

    Researchers discover that DRAM bits can be flipped by violently shaking the system -- demonstrated by mounting a running laptop on a paint shaker.
