Oh, great, now there's a SECOND remote Rowhammer exploit

Hard on the heels of the first network-based Rowhammer attack, some of the boffins involved in discovering Meltdown/Spectre have shown off their own technique for flipping bits using network requests. With a gigabit connection to the victim, the researchers reckon, they can induce security-critical bit flips using crafted …

  1. bombastic bob

    this sounds like you'd need to know something about the hardware

    I suspect that direct access to the network is one of the pre-requisites, and with direct network access you'd be able to determine what hardware is being run [more or less] based on its MAC address.

    However, I'd doubt any kind of proof of concept working across "teh intarwebs", even with a super-fast fiber line and distributed attack.

    subsequent edit. From the linked article (PDF):

    To induce the Rowhammer bug, one needs to access memory in the main memory repeatedly and, thus, needs to circumvent the cache. Therefore, either native flush instructions [87], eviction [4, 28] or uncached memory [84] can be used to remove data from the cache. In particular, for eviction-based Nethammer, the system must use Intel CAT as described in Section 2.3 in a configuration that restricts the number of ways available to a virtual machine in a cloud scenario to guarantee performance to other co-located machines [40]. If none of these capabilities are available over the network, an attacker could not mount Nethammer in practice.

    1. Anonymous Coward

      'However, I'd doubt any kind of proof of concept working across "teh intarwebs" '

      You can maybe get hold of a machine inside a "cloud" system, and then mount attacks from there...

      There's a common misconception that a successful attack is performed with a single spectacular shove, and then everything is wide open - that happens mostly only in movies.

      Deep and successful attacks are performed using a variety of techniques adapted to the target system.

      Sure, if you write a ransomware you're going for the low hanging fruit, you're not targeting specific systems, you just unleash it and hope it will find systems it can break.

  2. Anonymous Coward

    Thank $DEITY

    that I have a crappy BT ADSL link that throttles throughput to significantly less than 500 Mb/s.

    1. Pascal Monett

      Re: Thank $DEITY

      That is pretty much all ADSL lines, I think. Mine works at up to 11Mbps and I think that's rather fast for ADSL.

      Can't wait for fiber and a 100Mbps line.

  3. Danny 14

    enterprise and probably SME should have switches configured to avoid these scenarios anyway. plus, qos is usually configured a little better (or disabled).

  4. Andy00ff00

    Remind me what memory ECC is for

    Dear lazy web,

    Why does memory ECC not make rowhammer impotent on all but the cheapest PCs?

    1. Lee D

      Re: Remind me what memory ECC is for

      Dear person who couldn't do a 2-second Google:

      "Tests show that simple ECC solutions, providing single-error correction and double-error detection (SECDED) capabilities, are not able to correct or detect all observed disturbance errors because some of them include more than two flipped bits per memory word."

      You're welcome.

    2. Gordan

      Re: Remind me what memory ECC is for

      The simple fact is that ECC _does_ make rowhammer ineffective in the few cases where it might plausibly be exploitable.

      Flipping one bit is hard. Flipping two bits in the same memory row at the same time is exponentially harder. Flipping three bits is exponentially harder again.

      ECC memory can:

      1) Correct 1 bit errors transparently

      2) Detect 2 bit errors (causes an NMI and typically a kernel panic)

      It takes flipping 3 bits in the same row of memory to introduce an undetectable memory corruption with ECC memory. And flipping one is difficult enough. Not to mention you have to get extremely lucky to be operating on a row of memory adjacent to the one you are interested in corrupting.

      TL;DR: Don't lose sleep over it, especially if you have ECC memory.

      1. Destroy All Monsters

        Re: Remind me what memory ECC is for

        Flipping one bit is hard. Flipping two bits in the same memory row at the same time is exponentially harder. Flipping three bits is exponentially harder again.

        I have strong doubts about the correct usage of "exponentially" and/or about the exponent that would actually apply.
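The SEC-DED behaviour that both Lee D's quote and Gordan's list describe can be seen on a small code. The following is an added example, not code from the thread or the paper: it uses a constructed extended Hamming(13,8) code (8 data bits, 4 Hamming parity bits, one overall parity bit; real ECC DIMMs use (72,64) over a 64-bit word) to show one flip being corrected, two flips being detected but not corrected, and one three-bit pattern being silently "corrected" to wrong data.

```python
"""SEC-DED (single-error-correct, double-error-detect) demo on a
constructed extended Hamming(13,8) code. Added example, not from the
comment thread or the Nethammer paper."""
from typing import List, Tuple

CODE_LEN = 12                  # Hamming positions 1..12
PARITY_POS = {1, 2, 4, 8}      # Hamming parity bits sit at powers of two
DATA_POS = [p for p in range(1, CODE_LEN + 1) if p not in PARITY_POS]


def encode(data: int) -> List[int]:
    """Return a 13-bit codeword; index 0 holds the overall parity bit."""
    word = [0] * (CODE_LEN + 1)
    for i, pos in enumerate(DATA_POS):
        word[pos] = (data >> i) & 1
    for p in PARITY_POS:
        # parity bit p covers every position whose index has bit p set
        word[p] = sum(word[i] for i in range(1, CODE_LEN + 1) if i & p) & 1
    word[0] = sum(word) & 1    # overall parity: total weight becomes even
    return word


def flip(word: List[int], positions) -> List[int]:
    """Simulate Rowhammer-style disturbance: flip the given bit positions."""
    out = list(word)
    for p in positions:
        out[p] ^= 1
    return out


def decode(word: List[int]) -> Tuple[str, int]:
    """Return (status, data); status is 'ok', 'corrected' or 'uncorrectable'."""
    w = list(word)
    syndrome = 0
    for i in range(1, CODE_LEN + 1):
        if w[i]:
            syndrome ^= i      # XOR of set positions locates a single error
    overall = sum(w) & 1       # 1 means an odd number of bits were flipped
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1 and syndrome <= CODE_LEN:
        # odd flip count: the decoder assumes exactly one error and flips
        # it back (syndrome 0 means the overall parity bit itself). Three
        # flips with a zero syndrome land here and corrupt data silently.
        w[syndrome] ^= 1
        status = "corrected"
    else:
        # even flip count with nonzero syndrome (or a syndrome pointing
        # outside the word): detected, but not correctable
        status = "uncorrectable"
    data = 0
    for i, pos in enumerate(DATA_POS):
        data |= w[pos] << i
    return status, data
```

With data 0xA5, flipping positions 3, 5 and 6 yields a zero syndrome and odd overall parity, so the decoder reports "corrected" while returning 0xA2.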

  5. Nimby

    Evolution

    I think the danger is not in this specific attack, but in that now that the theory has been proven in practice in one case, variants and refinements can be developed with confidence. For better or worse, people are creative. Nature is a good teacher. Evolution is the key to success.

  6. BinkyTheMagicPaperclip

    Is it actually viable outside the lab?

    Last time I looked at Rowhammer, there was no follow up media coverage (hint, hinty, hint hint) to assess how much of a problem it actually was.

    On the rowhammer forums there's practically no comments, and appears not to be a particular problem in the real world. Maybe if you're a nation state guarding something particularly valuable, but for the average user?

    1. Lee D

      Re: Is it actually viable outside the lab?

      "On the rowhammer forums there's practically no comments, and appears not to be a particular problem in the real world. Maybe if you're a nation state guarding something particularly valuable, but for the average user?"

      Pretty much this sums up almost all security problems, doesn't it?

      I can't remember the last time people were sent to scramble for something. WannaCry hit those people who don't run Windows Update. Nothing really came of BEAST and POODLE, but obviously yes we do need to patch our services and remove the vulnerability, etc. Spectre and Meltdown - sure, they'll generate new ways into the system but they're already being patched out and I'm not sure anything is actually exploiting them on any kind of large scale yet as they're not that easy to exploit and rely on already running arbitrary code on a system.

      Pretty much, the average person just needs to do what they've been told to do. Update. Install some kind of defence (this could mean just Windows Firewall and Windows Defender, for instance, but most people know to go the extra mile and get something else). Nobody is saying it'll be guaranteed, but you're kinda done at that point and anything further is not something you could expect the average home user to do or understand.

      This is why I don't get the publicity over some of these things. Y2K never affected home users. You could patch it and fix it and workaround it as a techy and nobody would ever have known it was a problem. Since then, every exploit has a big fuss made of it, and pretty much only us techy guys who have to fix the problems / apply the fixes really care, and we get to know about it anyway (all the "brand-name" exploits are really just hype, from what I see, and yet things like the Windows CredSSP exploit against RD and VPN seems much more serious and is only known about by a CVE number).

      Do you really think that the answer is ever going to be more than "yes, it's a problem, yes, we're trying to patch against it, no, we can't fix every possible avenue, yes, we'll combat it in the next generation of hardware/software, in the meantime make sure you keep up to date" for any of these problems?

      1. BinkyTheMagicPaperclip

        Re: Is it actually viable outside the lab?

        With respect to older embedded devices using dated encryption, in some cases it is a case of 'stick it in the bin'

        I think it's unlikely we'll see a really basic unpatchable flaw, but with the recent spate of side channel attacks, who knows? The PC platform has so many rough edges and poorly implemented specifications that it's unreal (one of my favourites being the CDROM manufacturer that used a command commonly used for other functions to equal 'brick the firmware')

        1. Solmyr ibn Wali Barad

          Re: Is it actually viable outside the lab?

          "one of my favourites being the CDROM manufacturer that used a command commonly used for other functions to equal 'brick the firmware'"

          Yup, that one was a neat job. CD-RW write cache flush command wasn't necessary for the CD-ROM drive. Fair enough. But instead of simply ignoring it, they interpreted it as firmware download command. Which erased the current drive firmware (without further checks) and started to wait for a new firmware image. Pretty botched-up thinking.

  7. Anonymous Coward

    Address mapping

    Anyone like to 'speculate' on how easy it is for the remote code to find relevant chunks of DRAM where an undetected (never mind uncorrected) bit flip might lead to an actual visible security risk?

    Now rewire the address bus between processor and DRAM, e.g. renumber the address lines. The processor doesn't care, it writes to an address and gets the same data back, just as it always did. The board level design might have to care, (e.g. DMA-capable stuff if there is any).

    Now make that address bus rewiring programmable (e.g. selectable at power-up time), so that e.g. any given OS kernel address may map to different DRAM rows and columns depending on the direction of the wind or whatever.

    Now what are the odds that Rowhammer-style attacks are meaningful? Genuine question, all valid and trustworthy input gratefully received.

    Back in the days of 2708->2764 eproms and things like DataIO programmers, this effect was frequently achieved unintentionally at one place I knew, when the in-house programming software had forgotten to account for the non-standard use of address line numbering on their system designs. All the stuff was programmed correctly, it just wasn't in the correct order (to paraphrase).

    Might something similar be relevant here (considering DRAM address lines instead of EPROM)?

  8. Anonymous Coward

    As expected there will be a lot of poopooing...

    ...until someone notices that there has already been abuse of this vector for some time.

    It would have been nice if the CPU vendors accepted the failures in their designs and replaced their faulty hardware but since ethics is seen as a detractor in business then it will need someone with enough money to bring them to book before anything happens.

    The x86 platform is not secure; anyone who says otherwise is doing so because they are paid to spread lies or because they are ignorant parrots.

    1. Anonymous Coward

      Re: As expected there will be a lot of poopooing...

      "x86 platform is not secure"

      Some folks have been saying that for ages, and it's now accepted by well-informed and sensible people, based on the available evidence. Charlie Demerjian at SemiAccurate.com springs to mind, there are probably others, but until recently, things like the Intel Management Engine issues had very limited visibility in the technology press (even in the "security" comedians' publications).

      SemiAccurate published an article earlier this month, which I haven't seen in full, on the re-emergence of "contra revenue" at Intel, and the lack of emergence of Intel 10nm parts into real products - even though that was first scheduled to happen in 2015 or so?!

      https://www.tomshardware.co.uk/intel-cpu-10nm-earnings-amd,news-58336.html (Article published 27 April 2018 after Intel's financial results included more details of 10nm delays. See also: Intel recruit Jim Keller:

      https://www.tomshardware.co.uk/amd-intel-jim-keller-hire,news-58332.html )

      ["Contra revenue": a name for Intel's payments (er, subsidies) to system builders in markets where Intel would otherwise be a hopeless basket case, e.g. low power/mobile/SoC]

      Maybe, just maybe, Intel's cash pile and product pipeline isn't as secure as it used to be either.

      "there will be a lot of poopooing...

      ...until someone notices that there has already been abuse of this [*hammer?] vector for some time."

      Evidence?

      "ethics is seen as a detractor in business"

      There's increasing evidence that applies to *corporate*-scale business in the UK and US in particular. Less applicable elsewhere, arguably (or maybe I'm unfamiliar with the evidence).

      E.g. various banks in the UK started life a couple of centuries or more ago, as small local and eventually regional operations where real money was left in the hands of trustworthy businesses for safe keeping, often as a sideline to an otherwise unrelated business.

      Barclays Bank started life as one of these outfits.

      After a while, some banks, Barclays included, found that the handling of money became more profitable for them than the other formerly more productive bits of the business, and the rest is history (particularly in the UK and the USA).

      Evidence: start at e.g.

      http://www.quakersintheworld.org/quakers-in-action/327/Barclays-Bank-and-its-Quaker-roots

      https://www.archive.barclays.com/items/show/5419

      [edit: add Jim Keller mention]

  9. Anonymous Coward

    Yet more security-theatre clickbait?

    People round here make fun of the air travel industry's "security theater", and for good reason, but isn't much recent "security" coverage round here just as bad, if not worse?

    If I may re-use Starace's words from a few days ago:

    "Security researcher clickbait

    You really need to introduce some editorial control over reporting this 'researcher' bollocks.

    [...]

    99.9% of these stories are total bullshit by people trying to get publicity [...]"

    Me again: consider my subscription bitflipped.

    1. Anonymous Coward

      Re: Yet more security-theatre clickbait?

      It'd be theatre if it was mainstream. But this is a tech/security website and therefore a bit more 3am fringe than Saturday West End. Researchers will justifiably always trumpet their work and it's up to the press and peers to call out the relevance and importance of the work. At the end of the day it's research though that in turn spawns further research out of which something may blossom.
