SoylentNews is people
SoylentNews
Introducing Half-Double: New hammering technique for DRAM Rowhammer bug:
Today, we are sharing details around our discovery of Half-Double, a new Rowhammer technique that capitalizes on the worsening physics of some of the newer DRAM chips to alter the contents of memory.
[...] As DDR4 became widely adopted, it appeared as though Rowhammer had faded away thanks in part to these built-in defense mechanisms. However, in 2020, the TRRespass paper showed how to reverse-engineer and neutralize the defense by distributing accesses, demonstrating that Rowhammer techniques are still viable. Earlier this year, the SMASH research went one step further and demonstrated exploitation from JavaScript, without invoking cache-management primitives or system calls.
Traditionally, Rowhammer was understood to operate at a distance of one row: when a DRAM row is accessed repeatedly (the "aggressor"), bit flips were found only in the two adjacent rows (the "victims"). However, with Half-Double, we have observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength. Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (~dozens) to B. Based on our experiments, accesses to B have a non-linear gating effect, in which they appear to "transport" the Rowhammer effect of A onto C. Unlike TRRespass, which exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate. This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances greater than two are conceivable.
(Score: 1) by shrewdsheep on Wednesday May 26 2021, @07:59AM (2 children)
I am wondering whether encrypting or rather transforming memory could be a solution. If memory is encrypted (let's say per row) and the key is changed with every memory refresh, wouldn't that solve row-hammer? The "encryption" could be as simple as XOR-ing with a random key which could also be short. Maybe, even a single bit would be enough, indicating whether memory is stored plain or bit-flipped.
(Score: 1, Informative) by Anonymous Coward on Wednesday May 26 2021, @08:22AM (1 child)
ECC memory is a better solution. It both detects the attack in a way you could act on and corrects them (ex: your OS could notice that you have high ram error rates and take action before you get uncorrected errors, possibly including throttling the process causing the issue and/or reporting the attempted attack to the user)
You can blame Intel's market segmentation efforts for causing ECC to basically not exist in the consumer space.
Memory encryption would could help as well (and there is tech to do that in some modern CPUs)
(Score: 0) by Anonymous Coward on Wednesday May 26 2021, @10:33AM
If you look at the papers, ECC is not foolproof either. There are mitigation that do work for rowhammer type attacks that do work and some are even in later versions of the JEDEC specs. The problem, as Trespass showed, is that manufacturers would rather not follow them to maintain their speed advantage, however slight it is on synthetic benchmarks.