The obvious message here is...
... don't run code you don't trust on your machine, even if it has ECC.
Unfortunately Web designers still didn't seem to get the message.
Researchers in the Netherlands have confirmed that error-correcting code (ECC) protections can be thwarted to perform Rowhammer memory manipulation attacks. The Vrije Universiteit Amsterdam crew of Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, and Herbert Bos today said they have developed a viable method to precisely …
doesn't rowhammer require really good knowledge of the kernel internals to make use of it, at least for bypassing security? You'd need to hammer permission bits, for example, to access things that are normally not accessible, and for that you'd need to know where the bits are located (etc.) as well as a good idea about the RAM architecture is set up. I'd say that ECC still (at least) makes that harder to do, though obviously NOT impossible, like the lock on your door just slows 'them' down if 'they' REALLY want to get in, but of course I'm not going to be leaving my door UNlocked any time soon...
"But if three bits could be changed simultaneously, ECC would not catch the modification."
Wow! So they actually read up on how ECC memory that has been in used in servers for 30 years works! Are they hoping for some praise medals for participation?
It must be a really slow day if this is news.
"It must be a really slow day if this is news."
Where's your published paper on this, then, egghead? The point is showing that ECC can't stop Rowhammer attacks on adjacent RAM cells.
Also: the Meltdown vuln was stunningly trivial to exploit, and was staring people in the face for years, and was rightly heralded as a major find. Sometimes the obvious has to be pointed out.
C.
I've got to agree with the other commentards here. Wikipedia has the following sentence in the "Mitigation" section of its article on RowHammer (https://en.wikipedia.org/wiki/Row_hammer#Mitigation)
Tests show that simple ECC solutions, providing single-error correction and double-error detection (SEC DED) capabilities, are not able to correct or detect all observed disturbance errors because some of them include more than two flipped bits per memory word.[1]:8[15]:32
That particular sentence has been in place, unmodified, since March of 2015. And as for published papers, those are referenced in the original Wiki article.
At best, these researchers can claim a repeatable demonstration of already known limitations of ECC under laboratory conditions.
Yes, that's exactly what's happened - confirmation. It's a demonstration of the attack. Just as it's one thing to say some software has a heap overflow, and quite another to develop an exploit to reliably and usefully exploit the flaw to achieve code execution.
To make everyone happy, I'll clarify it's a confirmation rather than a discovery.
C.
In defence of the OP, ( and to flog a dead horse), but in the original paper, Kim et. al. (978-1-4799-4394-4/14/$31.00 c 2014IEEE): Table 5 in section 6.3 shows up to 4 bit errors in a single word. This is called out as evidence that Single-Error-Correction-Double-Error-Detection is insufficient to mitigate this.
The OP's 'duh, yeah' was quite correct, and the follow-up criticism was quite wrong. The article here is sadly lacking -- I don't think basic math counts as "theoretically", and the proclaimed realization was realized in the original paper, 4 years ago.
Sure - rowhammer can be made to work - on certain hardware. I've yet to own a device on which it was reproducible using various test programs in 8 hours, and I doubt I'm that lucky. But if it can be made to flip 1 bit statistically in n seconds, then it follows that in n^2 seconds you should be able to flip 2 bits in the same row, and in n^3 seconds, flip 3 bits. But since we are into O(n^3) territory, I wouldn't lose sleep over it.
Yeah, as we said, it's difficult to exploit. ... diodesign
Difficult to Exploit, Nowadays with so much Virtual Machinery at our Disposal/Beck and Call?
I Don't Think So, diodesign. And be Assured IT is Perilous in Abuse and Misuse for Rewarding Merciful Justice is the Quick Fix/Temporary Patch of Future Shenanigans.
Present Prosecution Evidence ....
Initially more a curiosity than something many people worried about, the research community quickly learned how to weaponize the bit flips and completely compromise (“pwn”) many types of machine: PCs, smartphones, VMs in the cloud, etc. .... https://www.vusec.net/projects/eccploit/
And when SMARTR Weaponised, VMs in CHAOS ..... Clouds Hosting Advanced Operating Systems in Live Operational Virtual Environments.
Such is Easily Imagined Invincible and AlMighty. Protection against that is Vital for when Virile Viral is Unstoppable and Insatiably Curious.
A Little SomeThing for Virtual AIdVenture Channeling, El Reg. ..... Virgin Birth and Forward Presentation.
:-) Nothing to lose sleep over there, El Reg. Suddenly wider awake is infinitely more agreeable.:-)
Perhaps the article is taking the wrong slant. Everybody knows (or should) what ECC's limitations are. These guys are saying they've figured out a way to (eventually) breach those limitations. It would involve digging into their paper (can't be arsed) to see if this technique could be used to identify memory locations that are vulnerable, AND worthy of exploit (are you flipping bits in a sys call table, or in a bitmapped image), AND can be successfully changed by a precise number of bits to a much more desirable value, from the attacker's point of view.
It sounds like you could, after a week or so, achieve some minor data corruption. If you're really lucky, that corruption might cause another process to die. Super lucky, you might get a kernel panic. Super one-in-a-1-with-many-zeros-after-it chance lucky, you might be able to use it to run malicious code or gain permissions.
Personally, I would think the odds are significantly higher that the whole computer would be stolen in an Oceans' 11-style robbery. Or obliterated by a meteorite.
No one's saying ECC is bad - not us, not the researchers, pretty much no one - it's just that if you thought ECC would stop Rowhammer, you're sadly mistaken.
As we wrote in the article:
"The boffins said that their findings should not be taken as a condemnation of ECC either. Rather, it should show admins and security professionals that ECC is just one of several protection layers they should use..."
C.
Anyone who understands ECC and the the maths behind it would know this is part of the spec*. Anyone who does not, probably ought not to be publishing academic papers on the subject.
Many years ago (when 6502's were popular), I worked on a project where we were instructed NOT to correct the bits anyway, because larger numbers of erroneous bits might be falsely corrected and not reported. (This was not in the context of computer memory).
I first read about ECC in the 1960's, and the technology dates back to the 1940's or possibly earlier. This is not news, merely evidence that standards of education have been on the decline for a very long time.
* It is perfectly possible to specify ECC such that the number of incorrect bits that can be detected is higher. However, it might be harder to get anyone to pay for it.
"I would think the odds are significantly higher that the whole computer would be stolen"
As a matter of fact...
At a used-to-company, miscreants threw a heavy object through the front window of the office building, ran in, cut cables with wire cutters, grabbed the CPU boxen, and took off with the alarm blaring.
Then they did it again 2-3 weeks later, after the company got "all new computers". [I did the majority of the work from home and therefore had plenty of backups for my stuff and related projects].
Snatch-n-grab using low tech "steal a manhole cover and throw it through the window" and "cut all of the cables with wire cutters and run with the CPU boxen" is difficult to stop, but you CAN slow them down by using these lock & cable things [which I recommended after the 2nd theft, and bought some for myself].
That being said, thieves and miscreants will ALWAYS come up with a brute force and/or low tech way of defeating the highest tech security that you can possibly think up, like chaining up an ATM machine to a stolen towtruck and yanking it out of the bank office's wall.
The best security plan is to make sure that you slow them down as much as possible so that you're no longer "an easy mark".
ECC RAM apparently slows them down.
The trick of testing one bit at a time until you find three bits that are susceptible is clever, but the approach is risky (i.e., if only 2 of the 3 bits flip, you get an uncorrectable error that leaves lots of log information behind), and it is also easy to protect against. Every processor that I know of that supports ECC also supports a counter that measures corrected single-bit errors. We monitor these correctable error rates so we can replace error-prone DIMMs, which means that we also pay attention to who and what was running on the node when the corrected error rate increased. This monitoring could be automated, but that is not necessary -- having humans reviewing this data means that there is a decent chance that the attacker will get caught and locked out of the system. (This usually means that someone has hacked an authorized user's account, but occasionally an authorized user gets stupid....)
If you have malware running on your system that is capable of using this attack :O You have bigger issues to worry about.
ECC stands for Error Correction Code or at least it used to. It was designed to correct hardware memory issues when 2048k was considered large. Not to deal with what seen like addressing issues exploited by malware that has much easier avenues of attack/ spoof a UAC prompt.
Who says it is malware? If you are a cloud provider you have legitimate customers running whatever the hell they please. Are you going to be able to tell if they're trying to exploit rowhammer?
If it takes a week to manage the triple bit attack the attacker will be patient, because when they succeed they'll have access to the hypervisor and thus the VMs used by all the other customers on that particular server. Though it is quite possible they might gain access to far more, i.e. if they can access SSH keys either in the filesystem or in memory. Plus they'll have a foothold inside the cloud provider's network.
how easy would it be to discover enough about the VM host that you could predict how a rowhammer would affect your ability to "do something useful" to it? Unless, of course, you're just trying to be disruptive... .... bombastic bob
Now that discovery is One AlMighty Weapon and Heavenly Tool. What say you, bb?
Are you in Systems AIMaster Pilots .. Special Access Programs .....Routinely Base 0Day Examined with Autonomous Self Programming Beta Testing so "to do something useful" is Always Available, for IT is Enabling and can far too easily Lead to Sorry Insane Madness and Despicable Devout Despair.
It is a very strange, self destructive route to venture down whenever the Yin to that Yang is Out of This World Joy at New AI Programmer Beginnings with Openings for Live Operational Virtual Environments
with NEUKlearer HyperRadioProACTive Space Forces and Sources at Greater IntelAIgent Games Play.
Anything not there leading anyone to a misunderstanding?
Best Raise a Red Flag here for MI5. SOI .... Greater IntelAIgent Games Play with the Advantage of Hedged Edges Being Primed to Deliver Excess Success ..... an AlMighty Bounty Indeed in Deed.
Nothing to see here, El Regers. Move on please. All the reactive proaction to be realised is now centred with others elsewhere whilst they decide their next very smart move, ideally.
What else is Happened Today that Tomorrow will Tell as a Yesterday to be Fondly Remembered and Revered or Quickly Forgotten in Files Found Unmemorable? And will IT Change the Present to SomeThing Altogether Radically Different for Displays on Tomorrows News Screens with Alternate AIMedia Platforms Penetrations Testing Current News Cycle Recycling Programs and Protocols.
Taking them for a Test Run and Engaging Flight. That Really is Best Not Kept a Closed Top Secret Secret when the Freeing of Truth Delivers All Treasures both Fair and Spoiled/Good and Bad/Rad and Mad to Every Believer and Immaculate Disciple/Student Professor.
There are only a handful of viable VM technologies they could possibly use. You've got ESX, Hyper-V, and Xen, that's about it. The type of attack you'd use against each would be different, but you could try all three - though realistically it probably isn't hard to figure out what technology a particular cloud provider uses. Just check their job listings and see what skills they are looking for.
I am disappointed El Reg. Deeply dissappointed.
Then shalt thou count to three, no more, no less. Three shall be the number thou shalt count, and the number of the counting shall be three. Four shalt thou not count, neither count thou two, excepting that thou then proceed to three. Five is right out. Once the number three, being the third number, be reached,thy shalt flip the bits of thyne foe, , who, being naught in My sight, shall offer thee all in his land.