Stories
Slash Boxes
Comments

SoylentNews is people

Introducing Half-Double: New Hammering Technique for DRAM Rowhammer Bug

posted by martyb on Wednesday May 26 2021, @05:42AM   Printer-friendly
from the if-i-had-a-(row)-hammer dept.

upstart writes in with an IRC submission for AzumaHazuki:

Introducing Half-Double: New hammering technique for DRAM Rowhammer bug:

Today, we are sharing details around our discovery of Half-Double, a new Rowhammer technique that capitalizes on the worsening physics of some of the newer DRAM chips to alter the contents of memory.

[...] As DDR4 became widely adopted, it appeared as though Rowhammer had faded away thanks in part to these built-in defense mechanisms. However, in 2020, the TRRespass paper showed how to reverse-engineer and neutralize the defense by distributing accesses, demonstrating that Rowhammer techniques are still viable. Earlier this year, the SMASH research went one step further and demonstrated exploitation from JavaScript, without invoking cache-management primitives or system calls.

Traditionally, Rowhammer was understood to operate at a distance of one row: when a DRAM row is accessed repeatedly (the "aggressor"), bit flips were found only in the two adjacent rows (the "victims"). However, with Half-Double, we have observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength. Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (~dozens) to B. Based on our experiments, accesses to B have a non-linear gating effect, in which they appear to "transport" the Rowhammer effect of A onto C. Unlike TRRespass, which exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate. This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances greater than two are conceivable.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Introducing Half-Double: New Hammering Technique for DRAM Rowhammer Bug | Log In/Create an Account | Top | 14 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by bzipitidoo on Wednesday May 26 2021, @08:23AM (4 children)

    by bzipitidoo (4388) Subscriber Badge on Wednesday May 26 2021, @08:23AM (#1138870) Journal

    How about dealing with this by adding a new item on the hardware end of things, RAM that is slower, but much more secure? Wouldn't be all that different from all the caching that is done now. And we've already wandered down the path of specialized memory, with, for instance, GDDR RAM for graphics.

    This "secure RAM" (SSDR, for Secure Single Data Rate?) would zero itself when freed (and have means of tracking whether it is allocated or not), as well as not suffer from Rowhammer. Because, let's face it, most activity simply doesn't need any security from Rowhammer, it's only the handling of passwords and such like sensitive data that needs to be done securely. 16 megabytes should be way more than enough RAM to handle a few passwords and a login utility.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 26 2021, @09:02AM (3 children)

    by Anonymous Coward on Wednesday May 26 2021, @09:02AM (#1138877)
    Some years ago my system started getting less stable, every number of months it would blue screen. Being a cheapskate instead of buying new hardware I reduced the RAM refresh interval and no unexpected blue screens since. But apparently slight reductions aren't enough to protect against row hammer (needs to be 1/7th) see page 26: http://users.ece.cmu.edu/~omutlu/pub/dram-row-hammer_kim_talk_isca14.pdf

    I think my chosen interval reduction only reduces the row hammer error rate by a factor of about a thousand. In practice my DRAM is probably older and "weaker" so go figure...

    ECC is helpful but in theory there are ECC attacks too. That said, I doubt attempts to flip bits would be perfect the first time round. So if your system alerts you to ECC issues then you should notice row hammer attacks. Whether you notice them in time is another issue.

    I suspect a combination of ECC and refresh interval reduction should make things much harder for the attacker.

    • (Score: 2) by RS3 on Wednesday May 26 2021, @05:05PM (2 children)

      by RS3 (6367) on Wednesday May 26 2021, @05:05PM (#1139010)

      I'm curious what kind of system allows you to vary RAM refresh rate. Is that in BIOS/UEFI, or do you have a utility?

      Did you run memtest86?

      • (Score: 2, Informative) by jurov on Wednesday May 26 2021, @05:53PM (1 child)

        by jurov (6250) on Wednesday May 26 2021, @05:53PM (#1139032)

        Yes, on desktop mainboards it is usually possible to configure of DRAM clock and timing. In BIOS setup.

        • (Score: 2) by RS3 on Friday June 04 2021, @08:08AM

          by RS3 (6367) on Friday June 04 2021, @08:08AM (#1141708)

          I'm not sure I'd say "usually". Aftermarket ones usually do, and that's part of their appeal, but OEMs like to lock most of that stuff down. Well, by "OEM" I mean major names like Dell, HP, Lenovo, etc. Alienware probably lets you tweak up a storm. Are you aware of any major label computers that let you make any significant changes to RAM timing, bus speeds, etc? Maybe there are more than I'm aware of...