When the world ends, all that will be left are cockroaches and new Rowhammer attacks: RAM defenses broken again

Boffins at ETH Zurich, Vrije Universiteit Amsterdam, and Qualcomm Technologies have found that varying the order, regularity, and intensity of rowhammer attacks on memory chips can defeat defenses, thereby compromising security on any device with DRAM. The vulnerability, tracked as CVE-2021-42114 with a severity of 9 out of 10 …

  1. Snake

    Open season!

    "Until the industry comes up with a better way to defend memory against rowhammer, the security-conscious cloud customers may want to keep their cores to themselves."

    Or seriously consider mitigating the vulnerability at the source (for remote attacks): JavaScript.

    1. Clausewitz 4.0

      Re: Open season!

      Actually, in the cloud, the source of attack is any instance you fire up and have root access on.

      The target is the hypervisor - and all other customers instances running under the same HV.

    2. Brewster's Angle Grinder

      This is why users hate IT departments...

      In order to make the internet safe, you want to neuter it to a point that most people would consider it broken and stop using it.

      You're, of course, welcome to disable javascript or not use the internet. But this is not going to fly with the vast majority of the human race, especially for a rectifiable hardware design fault.

  2. swm

    Whatever happened to parity or ECC memory?

    1. devin3782

      Blame Intel for disabling it on their consumer CPUs. I use ECC memory on my Ryzen CPU as it is supported, i.e. it works, but it doesn't seem to report bit flip corrections, or at least I've not noticed it.

      One thing I have noticed is that applications crash less, but that's my perception, so take that for what it is.

      I know many say DDR5 has ECC, but that's only on the memory IC; it isn't true ECC. As we know from ZFS, the only way to do parity is end-to-end, so the CPU verifies what it has received from memory.
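The comment above asks how you would know whether a Ryzen board is actually reporting corrected bit flips. On Linux the memory controller driver (EDAC) publishes the counters under sysfs, so the check is a directory walk. The script below is an added example for this thread, not code from the article or from any vendor. It assumes the standard EDAC layout (mcN/ce_count, mcN/ue_count, mcN/dimmN/dimm_ce_count, dimmN/dimm_label) and ships with a constructed look-alike tree so it runs offline; on AMD the counters only appear once the amd64_edac driver is loaded and the firmware has enabled ECC.

```python
"""Sum the corrected/uncorrected DRAM error counters that Linux EDAC exposes.

Added example for this comment thread, not code from the article or any vendor.
Assumed layout: /sys/devices/system/edac/mc/mcN/{ce_count,ue_count} and
mcN/dimmN/{dimm_label,dimm_ce_count,dimm_ue_count}.  A missing mc* directory
is what a machine without a loaded EDAC driver (or without ECC) looks like.
"""
import tempfile
from pathlib import Path

EDAC_ROOT = "/sys/devices/system/edac/mc"


def _read_int(path: Path, default: int = 0) -> int:
    """Read a sysfs counter; a missing or unparsable file counts as zero."""
    try:
        return int(path.read_text().strip())
    except (FileNotFoundError, ValueError):
        return default


def edac_summary(root=EDAC_ROOT) -> dict:
    """Return {'present': bool, 'ce': int, 'ue': int, 'dimms': {name: (ce, ue)}}.

    'present' is False when no memory controller is registered at all, which is
    the case to investigate first: ECC DIMMs fitted but nothing reporting.
    """
    root = Path(root)
    result = {"present": False, "ce": 0, "ue": 0, "dimms": {}}
    if not root.is_dir():
        return result
    for mc in sorted(root.glob("mc[0-9]*")):
        result["present"] = True
        result["ce"] += _read_int(mc / "ce_count")
        result["ue"] += _read_int(mc / "ue_count")
        for dimm in sorted(mc.glob("dimm[0-9]*")):
            label_file = dimm / "dimm_label"
            label = label_file.read_text().strip() if label_file.exists() else dimm.name
            ce = _read_int(dimm / "dimm_ce_count")
            ue = _read_int(dimm / "dimm_ue_count")
            if ce or ue:  # only list DIMMs that have actually logged something
                result["dimms"][f"{mc.name}/{label}"] = (ce, ue)
    return result


def build_sample_tree() -> Path:
    """Constructed sysfs look-alike for offline demonstration (not a real capture)."""
    root = Path(tempfile.mkdtemp()) / "mc"
    layout = [
        ("mc0", (3, 0), {"dimm0": ("DIMM_A1", 3, 0), "dimm1": ("DIMM_B1", 0, 0)}),
        ("mc1", (0, 1), {"dimm0": ("DIMM_C1", 0, 1)}),
    ]
    for mc_name, (ce, ue), dimms in layout:
        mc = root / mc_name
        mc.mkdir(parents=True)
        (mc / "ce_count").write_text(f"{ce}\n")
        (mc / "ue_count").write_text(f"{ue}\n")
        for dimm_name, (label, dce, due) in dimms.items():
            d = mc / dimm_name
            d.mkdir()
            (d / "dimm_label").write_text(label + "\n")
            (d / "dimm_ce_count").write_text(f"{dce}\n")
            (d / "dimm_ue_count").write_text(f"{due}\n")
    return root


if __name__ == "__main__":
    live = edac_summary()
    if not live["present"]:
        print("no EDAC memory controller registered: load the driver (amd64_edac on "
              "Ryzen) or ECC is not enabled by the firmware")
    else:
        print(f"corrected={live['ce']} uncorrected={live['ue']} per-DIMM={live['dimms']}")
    print("constructed sample tree:", edac_summary(build_sample_tree()))
```

A corrected-error count that stays at zero for months on a box that has run memtest clean tells you nothing; a count of zero on a box whose EDAC tree does not exist tells you ECC is not being used at all, which is the distinction the comment is asking about.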

      1. Aitor 1

        Intel

        Yes, they are to blame. We do need ECC, but hey, let's segment the markets..

      2. Anonymous Coward

        I do. As Linus pointed out, NO ONE should be using non-ECC memory for business at ANY level of the organization. Consumer memory is just too prone to failure.

        Unfortunately, when you look at how Intel gouges you for ECC-capable chips compared to similar performance in their crippled consumer chips, you can see why business opts for an $800 micro PC for reception instead of a $2500 workstation...

        1. Peter Gathercole

          @msobkow

          When it comes to the PC on reception, the tradeoff is how much time will be lost if the PC falls over or applications fail because of bit errors.

          In your case, if it is $1700 worth of loss over the lifetime of the system, it may be worthwhile to put a system with ECC memory on reception. But I suspect that it would be difficult to say that loss of time due to bit corruption on the reception PC will exceed this figure. And the chance of someone doing damage and/or getting restricted info using a Rowhammer attack on the PC on reception is probably very low.

          For other workstations, it is probably a bit more marginal, as I'm sure that there are some people in an organization whose role or time is so valuable that you really don't want them losing any time. But that will not be everyone.

          On top of this, buying more capable systems is capital expenditure in the IT budget. Lost people time is operational expenditure on various departmental budgets. Bean Counters and shareholders don't like unnecessary (to them) capital expenditure. Not every company has a BOFH to come up with reasons to buy more expensive kit, although are BOFHs altruistic to this degree?

          No. The real place for ECC memory is in server systems, where losing one server could impact many people's work, and also where valuable information lives.

          If there was only a slight difference in price, I would agree with you, but your figures suggest that the difference is quite high.

          1. Anonymous Coward

            Re: @msobkow

            You think reception doesn't use the secure systems?

            I point you to a multi-decade history of phishing attacks on "low level" employees...

            1. John Brown (no body)

              Re: @msobkow

              And not forgetting that a "receptionist" often does a lot more than what most people might think, and therefore may have access to more of the network than just email/Teams and a phone directory. As you say, any foot-hold into a network can be valuable. Even the Deathstar had a thermal vent!

            2. Peter Gathercole

              Re: @msobkow

              Well, if I were setting this up, reception would have just what they needed, and no more. And the system (probably being outside of the controlled space of the office) would be treated as an external system, and locked down hard, with firewalls between it and the internal systems, and probably MAC level authentication on the switch ports as well.

              None of this would give perfect protection, but each is another brick in the wall.

              Segregation of authority and access seems to be something that infrastructure designers seem to have forgotten.

              I'm not sure how phishing relates to rowhammer attacks, though. In order to obtain data through rowhammer type attacks, you need to get code running on the system being attacked, and it needs to have access to important data that can be leaked once privilege escalation has been achieved. Even if you manage to insert a key logger or remote control software after achieving privilege escalation, if reception is locked down, the options are limited.

              And I'm actually intrigued about how successful rowhammer attacks are at leaking data. As I read it, in order to have some idea of being able to achieve privilege escalation, you need to know the physical and virtual memory layout of the running system at both a hypervisor and OS level, and the geometry and type of the RAM being attacked. Much of this is outside of a process's view of the system, and most times, if you just randomly flip bits in memory in adjacent lines, you will have almost zero idea of what you've changed and what effect it will have.

              If it's memory being used by the hypervisor, you may crash the whole system. If it's part of the OS memory space, you might affect that OS instance on the system. If it's application memory, you might take out that application, or just randomly corrupt some data somewhere.

              I'm sure that if you know some of the geometry of a system it is possible to do some constructively bad things, but IMHO, much of this is unlikely, and the best you will achieve is a DoS attack.

          2. Nate Amsden

            Re: @msobkow

            To me, ECC alone hasn't been enough for real servers for a long time. I remember reading this more than a decade ago regarding HP's "Advanced ECC"

            http://service1.pcconnection.com/PDF/AdvMemoryProtection.pdf

            The document is so old they reference generation 2 servers, of which I was deploying back in 2004 (2005 at the latest) maybe?

            from the pdf

            "To improve memory protection beyond standard ECC, HP introduced Advanced ECC technology in 1996. HP and most other server manufacturers continue to use this solution in industry-standard products. Advanced ECC can correct a multi-bit error that occurs within one DRAM chip; thus, it can correct a complete DRAM chip failure. In Advanced ECC with 4-bit (x4) memory devices, each chip contributes four bits of data to the data word. The four bits from each chip are distributed across four ECC devices (one bit per ECC device), so that an error in one chip could produce up to four separate single-bit errors."

            I've always wondered how well Advanced ECC does against these attacks. I have read ECC alone is enough to defeat them as they stand today, but have not noticed if Advanced ECC has any further benefit beyond regular ECC in this security scenario.

            IBM has/had a similar technology called ChipKill:

            https://en.wikipedia.org/wiki/Chipkill

            (update)

            Came across a PDF linked in above article from HP:

            http://ftp.ext.hp.com//pub/c-products/servers/options/Memory-Config-Recommendations-for-Intel-Xeon-5500-Series-Servers-Rev1.pdf

            Which puts things into plainer english

            "Note that Advanced ECC is equivalent to 4-bit ChipKill. Lockstep gets us to 8-bit ChipKill. ChipKill just indicates that an entire DRAM chip can die and the server will keep running.

            Negatives of Lock Step Mode:

            - You have to leave one of the three memory channels on each processor un-populated, so you cut your available number of DIMM slots by 1/3.

            - Performance is measurably slower than normal Advanced ECC mode.

            - You can only isolate uncorrectable memory errors to a pair of DIMMs (instead of down to a single DIMM)."

            I do remember turning on "Advanced ECC" in a Dell server (was happy to see the option appear in the BIOS at the time; this was back in 2010 I think), however was sad to see when it disabled a bunch of the DIMM slots, I assume for fault tolerance. HP has a similar option called something like "Online spare memory" where some banks are kept in reserve (on my 384GB systems it lowered addressable memory to 320GB). I don't know any info on Dell's implementation, if it was just online spare memory and they called it Advanced ECC or if it was some other approach. And perhaps they have improved it a bunch in the past decade. (update) I am guessing Dell's "Advanced ECC" was Intel Lockstep.

            I have been quite surprised that others haven't come up with similar technology (thinking Supermicro and other smaller players). Or perhaps they have and I'm just not aware of it.

          3. Henry Wertz 1

            Re: @msobkow

            "When it comes to the PC on reception, the tradeoff is how much time will be lost if the PC falls over or applications fail because of bit errors."

            But if that 1 o'clock appointment becomes 3 o'clock because bit 2 flips, that's a problem. I had one dimm go bad (like 20 years ago) no crashes but I wonder why firefox's "file" menu had a typo in it (yep, the flipped bit flipped menu text rather than code, by dumb luck.) It ALSO at some times used the bad RAM for the disk cache so (after I finally realized the ram was bad and replaced it...) I was glad to see Ubuntu has a procedure for reinstalling *every* package on the system, since it became apparent several were corrupted at installation time.

          4. DuncanLarge

            Re: @msobkow

            > And the chance of someone doing damage and/or getting restricted info using a Rowhammer attack on the PC on reception is probably very low.

            Where did you hear that guff?

            Ahem, look up RSA.

            Reception computers should be considered in a DMZ!

            > No. The real place for ECC memory is in server systems

            What??

            If your employees are doing nothing but use the IT equipment to play Candy Crush, sure. But I bet they are doing many critical things, involving secure keys, certificate validation, file share access, oh and how about a bit of BitLocker and the good old LOGIN SCREEN.

            You know that ADMIN accounts tend to be used to make changes to user machines, adding hardware etc. Guess where all that validation happens. Hint, it's not in the keyboard.

            If you can't see just how critical the memory contents in an endpoint is these days then you clearly have no idea how a computer works. Things have moved on since the C64 mate.

            EVERYTHING should have ECC RAM, it's literally just a few extra bits on a word! Tablets, phones, laptops. It won't stop all attacks, it can't handle too many bit flips, but it will stop the vast majority of attacks as they will go for the weak targets.

            > No. The real place for ECC memory is in server systems

            I post that again as I want to ask.

            What systems talk to your servers?

            What systems send and pull data from your servers?

            Laptops perhaps?

            QED
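Several posts in this subthread turn on what ECC actually buys: swm asks what happened to parity or ECC, Nate Amsden asks whether Advanced ECC helps against rowhammer beyond plain ECC, and DuncanLarge says it is "just a few extra bits on a word" that "can't handle too many bit flips". The code below is an added example for this thread, not code from the article, HP or IBM: it implements the textbook (72,64) SECDED word used on a standard ECC DIMM (64 data bits, 8 check bits), which is plain ECC rather than the symbol-based Advanced ECC/ChipKill schemes quoted above. It shows the three behaviours a practitioner should have in mind: one flip per word is corrected, two flips are detected but not corrected, and three flips in one word are silently mis-corrected to a different, valid-looking word. The data word and the flip positions are chosen arbitrarily for the demonstration.

```python
"""(72,64) SECDED: 64 data bits + 7 Hamming check bits + 1 overall parity bit.

Added example for this comment thread, not the article's or any vendor's code.
Bit 0 of the codeword is the overall parity; bits 1..71 follow the extended
Hamming layout (check bits at the power-of-two positions, data elsewhere).
"""

DATA_BITS = 64
CODE_BITS = 72
CHECK_POS = [1 << j for j in range(7)]                      # 1, 2, 4, ..., 64
DATA_POS = [p for p in range(1, CODE_BITS) if p & (p - 1)]  # 3, 5, 6, 7, 9, ... 71
assert len(DATA_POS) == DATA_BITS


def _syndrome(code: int) -> int:
    """XOR of the positions of all set bits in 1..71; zero for a valid codeword."""
    s = 0
    for p in range(1, CODE_BITS):
        if (code >> p) & 1:
            s ^= p
    return s


def encode(word: int) -> int:
    """Place the 64 data bits, then choose check bits so the syndrome is zero."""
    if not 0 <= word < (1 << DATA_BITS):
        raise ValueError("word must fit in 64 bits")
    code = 0
    for i, p in enumerate(DATA_POS):
        code |= ((word >> i) & 1) << p
    # Bit j of the data-only syndrome tells us the check bit at position 2**j must
    # be set: that position then contributes 2**j to the XOR and cancels it.
    s = _syndrome(code)
    for j, cp in enumerate(CHECK_POS):
        if (s >> j) & 1:
            code |= 1 << cp
    # Overall parity bit makes the total weight even; it is what separates a
    # single flip (odd weight) from a double flip (even weight, nonzero syndrome).
    code |= bin(code).count("1") & 1
    return code


def _extract(code: int) -> int:
    word = 0
    for i, p in enumerate(DATA_POS):
        word |= ((code >> p) & 1) << i
    return word


def decode(code: int):
    """Return (data, status); status is 'ok', 'corrected' or 'uncorrectable'.

    Failure mode worth knowing: three (or any odd number of) flips in one
    word look like a single flip, so the decoder 'corrects' to the wrong data
    and reports success.  That is the 'too many bit flips' case.
    """
    s = _syndrome(code)
    odd = bin(code).count("1") & 1
    if s == 0 and not odd:
        return _extract(code), "ok"
    if odd:                                   # assume one flip; s names its position
        return _extract(code ^ (1 << s)), "corrected"
    return None, "uncorrectable"              # even weight, nonzero syndrome: two flips


def flip(code: int, *positions: int) -> int:
    """Inject flips at codeword bit positions, as a disturbance error would."""
    for p in positions:
        code ^= 1 << p
    return code


if __name__ == "__main__":
    w = 0xDEADBEEFCAFEF00D                     # arbitrary demonstration word
    c = encode(w)
    print(decode(c))                           # (w, 'ok')
    print(decode(flip(c, 40)))                 # (w, 'corrected')
    print(decode(flip(c, 3, 40)))              # (None, 'uncorrectable')
    print(decode(flip(c, 3, 40, 41)))          # status 'corrected', data != w
```

Whether a real attack lands one flip per 64-bit word or several depends on the DIMM and the address mapping, which is exactly the information the earlier comment notes is hidden from an unprivileged process; the code above only shows what the decoder does once the flips are there.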


  4. Blackjack

    Has this been used to hack any videogame console yet? I am honestly curious.

    1. Henry Wertz 1

      Sort of. There were a few game exploits and such where one would "glitch" the game (I recall on Nintendo... second hand, I didn't own one), they would reset it rapidly or jiggle the cartridge at the right time or whatever, it'd either crash (if the wrong bits flipped), or flip the right bits and they'd get whatever powerups or whatever the glitch would gain them.

      Also the DirecTV and Dish Network hackers 10 or 15 years ago (edit: probably more like 20 years or more) would do similar glitching when trying to read out keys on access cards or whatever they were doing.

  5. Henry Wertz 1

    Alarming

    I find these attacks alarming. Not worrying about myself being exploited. But I would REALLY like to think I can access regular, non-overclocked RAM in any way I want without flipping bits on it.

  6. John Savard

    Another Approach?

    Is static RAM vulnerable to attacks like Rowhammer? Maybe the thing to do would be to include a static RAM cache inside DRAM chips. This would prevent a CPU running Rowhammer from having direct access to the DRAM.
