Submitted via IRC for SoyCow1984
Potentially disastrous Rowhammer bitflips can bypass ECC protections
In early 2015, researchers unveiled Rowhammer, a cutting-edge hack that exploits unfixable physical weaknesses in the silicon of certain types of memory chips to transform data they stored. In the 42 months that have passed since then, an enhancement known as error-correcting code (or ECC) available in higher-end chips was believed to be an absolute defense against potentially disastrous bitflips that changed 0s to 1s and vice versa.
Research published Wednesday has now shattered that assumption.
Dubbed ECCploit, the new Rowhammer attack bypasses ECC protections built into several widely used models of DDR3 chips. The exploit is the product of more than a year of painstaking research that used syringe needles to inject faults into chips and supercooled chips to observe how they responded when bits flipped. The resulting insights, along with some advanced math, allowed researchers in Vrije Universiteit Amsterdam's VUSec group to demonstrate that one of the key defenses against Rowhammer isn't sufficient.
Importantly, the researchers haven't demonstrated that ECCploit works against ECC in DDR4 chips, a newer type of memory chip favored by higher-end cloud services. They also haven't shown that ECCploit can penetrate hypervisors or secondary Rowhammer defenses. Nonetheless, the bypass of ECC is a major milestone that suggests that the threat of Rowhammer continues to evolve and can't easily be discounted.
Related Stories
MRAM Tech Startup Says Its Device Solves DRAM's Row Hammer Vulnerability
Fremont, Calif.-based magnetic RAM startup, Spin Memory, says it has developed a transistor that allows MRAM and resistive RAM to be scaled down considerably. According to the company, the device could also defeat a stubborn security vulnerability in DRAM called Row Hammer.
Spin Memory calls the device the "Universal Selector." In a memory cell, the selector is the transistor used to access the memory element—a magnetic tunnel junction in MRAM, a resistive material in RRAM, and a capacitor in DRAM. These are usually built into the body of the silicon, with the memory element constructed above them. Making the selector smaller and simplifying the layout of interconnects that contact it leads to more compact memory cells.
[...] With DRAM, the main memory of choice for computers, the Universal Selector has an interesting side-effect: it should make the memory immune to the Row Hammer. This vulnerability occurs when a row of DRAM cells is rapidly charged and discharged. (Basically, flipping the bits at an extremely high rate.) Stray charge from this action can migrate to a neighboring row of cells, corrupting the bits there. [...] According to Lewis, the new device is immune to this problem because the transistor channel is outside of the bulk of the silicon, and so it's isolated from the wandering charge. "This is a root-cause fix for row hammer," he says.
(Score: 0) by Anonymous Coward on Friday November 23 2018, @10:35PM (1 child)
DDR5 will be out in 2019. I'm not sure how many data centers are still using old servers with DDR3 RAM, but there will be a flood of DDR5 servers in high quality data centers pretty soon.
(Score: 1, Informative) by Anonymous Coward on Friday November 23 2018, @10:58PM
...until some clever bug-hunter discovers a gap in DDR5... At the end of the day, my computer needs its CPU (Intel bugs be damned) and memory (DDRn bugs be damned). The show must go on and we shall compute. We cannot panic and give up because of some loud security circus orchestra in the vicinity.
(Score: 1, Informative) by Anonymous Coward on Friday November 23 2018, @10:40PM (2 children)
Uh, no one who understood what ECC does would think it was an absolute defense; obviously it does not protect against 3 or more simultaneous flips:
https://en.m.wikipedia.org/wiki/ECC_memory
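The limit described in the comment above, shown as an added example that is not part of the original thread or of the ECCploit research: a textbook extended Hamming (72,64) SECDED code corrects one flipped bit, detects two, and can silently miscorrect three. The code construction, the sample word and the flipped positions are assumptions chosen for illustration; real memory controllers use their own ECC functions.

```python
# Textbook extended Hamming (72,64) SECDED code, constructed for illustration.
# Bit 0 is the overall parity bit; positions 1, 2, 4, ... 64 hold Hamming parity.
PARITY_POS = [1, 2, 4, 8, 16, 32, 64]
DATA_POS = [p for p in range(1, 72) if p not in PARITY_POS]  # 64 data positions

def syndrome(bits):
    """XOR of the positions (1..71) of all set bits; 0 for a valid codeword."""
    s = 0
    for pos in range(1, 72):
        if bits[pos]:
            s ^= pos
    return s

def encode(data):
    """Encode a 64-bit integer into a list of 72 bits."""
    bits = [0] * 72
    for i, pos in enumerate(DATA_POS):
        bits[pos] = (data >> i) & 1
    s = syndrome(bits)
    for p in PARITY_POS:          # choose parity bits so the syndrome becomes 0
        bits[p] = 1 if s & p else 0
    bits[0] = sum(bits[1:]) & 1   # make the total number of 1s even
    return bits

def decode(bits):
    """Return (status, data) the way a SECDED decoder would report it."""
    bits = list(bits)
    s = syndrome(bits)
    odd = sum(bits) & 1
    if s == 0 and not odd:
        status = "clean"
    elif odd and s < 72:          # looks like a single flip at position s
        bits[s] ^= 1
        status = "corrected"
    else:                         # even parity with a nonzero syndrome, or s out of range
        status = "uncorrectable"
    data = sum(bits[pos] << i for i, pos in enumerate(DATA_POS))
    return status, data

def flip(bits, positions):
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

def demo(word=0x0123456789ABCDEF):
    """Decode the same codeword after 1, 2 and 3 flips (constructed positions)."""
    cw = encode(word)
    cases = {1: [3], 2: [3, 5], 3: [3, 5, 9]}
    return {n: decode(flip(cw, pos)) for n, pos in cases.items()}
```

With three flips the decoder reports "corrected" while returning a word that differs from the original in four bits, which is why corrected-error counters alone do not prove the data is intact.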
(Score: 0) by Anonymous Coward on Saturday November 24 2018, @03:14AM
I talked to a guy a few months back who was an electrical engineer (but not on memory). He stated these were well known flaws existing since DDR came to be, but being exacerbated with every new edge utilized in DDR2/3/4 standards. The ONLY way you can eliminate the conditions that allow rowhammer to happen at data rates higher than non-DDR SDRAM allows is to run buffered memory. So unless and until buffered memory is supported on consumer grade hardware, the risks of rowhammer style attacks will continue, because the memory bus timings cannot deal with all rowhammer triggers without losing all performance improvements, or utilizing buffering.
(Score: 2) by driverless on Sunday November 25 2018, @12:25PM
Meh, I write code for rad-hard environments, random memory faults are just part of day-to-day operations. I blow my nose on you, so-called Row-hammer, you and your silly ECcchhchccCChhhs.
(Score: 2) by darkfeline on Sunday November 25 2018, @01:15AM
I'm going to restate my hypothesis from a while ago: the only way to be safe is to not run untrusted code. There will always be vulnerabilities, both hardware and software. By only running "good" code at least you have a fighting chance at security.