Grandchild of Rowhammer: ‘Half-Double’ Tactic Flips Farther Bits

Rowhammer—an attack tactic to escape sandboxes by flipping “neighboring” bits—has a new variant. And it’s been made easier by newer designs of RAM chips.

DDR4 memory is getting denser, which means the individual bits are physically closer together. That’s allowed researchers to attack memory that’s further away than simply next door, by hammering differently.

This new variant, which the team dubbed Half-Double, presents a “substantial challenge.” In today’s SB Blogwatch, we double down, with no half measures.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Indy vs. F1.

I Want My ECC

What’s the craic? Catalin Cimpanu reports—“Rowhammer attacks are gaining range as RAM is getting smaller”:

“Discovery is monumental”
A team of Google security researchers said they discovered a new way to perform Rowhammer attacks against computer memory … that broadens the attack’s initial impact. … In the initial 2014 Rowhammer paper, researchers showed how they could abuse “row hammering” to control … electromagnetic fields and the way that data was manipulated.

But in a research paper … a team of five Google security researchers took Rowhammer attacks to a new level. In a new attack variation … researchers said they managed to carry out a Rowhammer attack that caused bit flips at a distance of two rows from the “hammered” row instead of just one.

But while there are no known cases where Rowhammer attacks have been used in the real world, [this] discovery is monumental, at least from an academic standpoint. … “The challenge is substantial and the ramifications are industry-wide,” … Google said.

Row-whatnow? George Dascalu contextualizes—“What is a Rowhammer attack?”:

“Identify viable solutions”
Rowhammer attacks, like speculative execution, exploit the underlying hardware’s basic security guarantees. Rowhammer is a class of DRAM vulnerabilities discovered in 2014 in which repeated visits to a line of memory (aggressor) can generate an electrical disturbance strong enough to flip bits stored in a neighboring line (victim), allowing untrusted code to escape its sandbox.

While DRAM providers have deployed countermeasures … the mitigations were confined to two immediate neighbors of an attacker row, omitting memory cells within two rows of each other. Because of the flaws in the protections, [they can] be circumvented.

Google [is] collaborating with the Joint Electron Device Engineering Council (JEDEC), an independent standards body and trade organization for semiconductor technology, as well as other industry partners, to identify viable solutions.

Who discovered the latest wrinkle? Salman Qazi, Yoongu Kim, Nicolas Boichat, Eric Shiu and Mattias Nissler tag-team to test “Half-Double: New hammering technique for DRAM”:

“Join the effort”
Today, we are sharing details around our discovery of Half-Double, a new Rowhammer technique that capitalizes on the worsening physics of some of the newer DRAM chips to alter the contents of memory. … As an electrical coupling phenomenon … Rowhammer allows the potential bypass of hardware and software memory protection. … Earlier this year, the SMASH research went one step further and demonstrated exploitation from JavaScript [i.e., from a web page].

Traditionally, Rowhammer was understood to operate at a distance of one row: when a DRAM row is accessed repeatedly (the “aggressor”), bit flips were found only in the two adjacent rows (the “victims”). However, with Half-Double, we have observed Rowhammer effects propagating to rows beyond adjacent neighbors.

Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful … to B. Based on our experiments, accesses to B have a non-linear gating effect, in which they appear to “transport” the Rowhammer effect of A onto C. … Half-Double is an intrinsic property of the underlying silicon substrate. … Distances greater than two are conceivable.

We are disclosing this work because we believe that it significantly advances the understanding of the Rowhammer phenomenon, and that it will help both researchers and industry partners to work together, to develop lasting solutions. … We encourage all stakeholders (server, client, mobile, automotive, IoT) to join the effort to develop a practical and effective solution.
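To make the distance-two point concrete, here is a toy Python model of a refresh-window row-activation monitor; it is an added example, not code from the Half-Double paper or from any source quoted here. The bank size, the hammering threshold and the access trace are all constructed, and the model shows that a TRR-style mitigation that refreshes only the immediate neighbours of a heavily hammered row A leaves the distance-two row C unrefreshed, because the handful of accesses to B never trips the threshold on B.

```python
# Added example, not code from the Half-Double paper or any quoted source.
# Toy model of a refresh-window row-activation monitor. Row numbers, the
# activation threshold and the access trace below are all constructed.
from collections import Counter

N_ROWS = 64        # constructed: rows in one bank of the toy model
THRESHOLD = 1000   # constructed: activations per refresh window treated as hammering

def activation_counts(trace):
    """Count how often each row is activated within one refresh window."""
    return Counter(trace)

def hammered_rows(counts, threshold=THRESHOLD):
    """Rows whose activation count exceeds the threshold (the aggressor A)."""
    return sorted(r for r, n in counts.items() if n > threshold)

def refresh_set(aggressors, radius, n_rows=N_ROWS):
    """Rows a TRR-style mitigation refreshes: every row within `radius` of an
    aggressor. Classic TRR uses radius 1, i.e. the two immediate neighbours."""
    return {
        r + d for r in aggressors for d in range(-radius, radius + 1)
        if d != 0 and 0 <= r + d < n_rows
    }

def unprotected_distance_two(aggressors, radius, n_rows=N_ROWS):
    """Distance-two rows (the Half-Double victim C) left unrefreshed at `radius`."""
    protected = refresh_set(aggressors, radius, n_rows)
    return sorted(
        v for a in aggressors for v in (a - 2, a + 2)
        if 0 <= v < n_rows and v not in protected
    )

def build_trace(aggressor=10, heavy=5000, light=20):
    """Constructed Half-Double-shaped trace: A hammered heavily, B = A+1 touched
    only a handful of times, plus light background traffic on every row."""
    trace = [aggressor] * heavy + [aggressor + 1] * light
    trace += [r for r in range(N_ROWS) for _ in range(3)]
    return trace

def analyse(trace, radius):
    """Return (aggressors, rows refreshed, distance-two rows left unprotected)."""
    counts = activation_counts(trace)
    aggressors = hammered_rows(counts)
    return (aggressors, sorted(refresh_set(aggressors, radius)),
            unprotected_distance_two(aggressors, radius))

if __name__ == "__main__":
    trace = build_trace()
    for radius in (1, 2):
        print(f"radius {radius}:", analyse(trace, radius))
```

With radius 1 the monitor refreshes rows 9 and 11 and leaves rows 8 and 12 (distance two from the aggressor) unprotected; widening the radius to 2 closes that gap in this model.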

Should we worry about it? Kevin Foley answers—“Is it a problem for gamers?”:

“Avoid the risk”
If you’re the type that likes to protect your system and you stick to all of the important common security measures, you’ll likely never have to worry about Rowhammer beating the drums of your DDR4 memory. However, this serves as an important reminder to always abide by safe practices to minimize security risks. Nobody wants to deal with data theft and system hijacking.

Remember the basics: Don’t use unknown software, don’t click random links, and watch out for phishing emails with links. And make sure you’re never misled into downloading fake versions of official software.

There are also some other things you can do to avoid the risk of Rowhammer attacks on DDR4. Consider the actual RAM you purchase. Go with a reputable vendor, look for features like TRR (Target Row Refresh), or ECC (Error Correction Code).

ECC? Yeah, uhh, about that. As Zoa points out, Intel reserves ECC for servers, not PCs:

“It stinks”
[This is] one of the most infuriating examples of Intel’s artificial feature segmentation. … Basic single-bit ECC … adds minimal cost to memory, and allowing a chip to merely support it costs essentially nothing. Memory errors are a huge pain to deal with and most people will never even know they’ve had one, they’ll just experience a crash or subtle data corruption they only notice years later or whatever and chalk it up to the unknowable mysteries of computers.

As memory capacities even on the low end moved firmly into gigabytes, basic ECC should have been standard everywhere. … It’s impossible to calculate how much it’s cost the world across billions of devices over many years, but it stinks.

One of the many happy things about AMD coming roaring back has been the end of this bull**** in their lineups. Their chips support ECC, the same amounts, bandwidth, features, etc. The differences are the straightforward and reasonable ones driven by the necessity of cost and binning.

And ctilsie242 joins the chorus:

“Catastrophic”
I’m surprised ECC RAM isn’t everywhere. We have ECC on our SSDs and hard disks, why not something as critical as RAM, where a bit flip can potentially cause catastrophic results?

Wait. Pause. Is ECC really a magic bullet? stormcrow simply scoffs:

“Sorely mistaken”
Rowhammer is not stopped by ECC. [So] it stands to reason variations on the theme won’t be stopped by ECC either. That’s because ECC only works on single bit errors.

It’s designed to stop low rate accidental bit flips by the random fluctuations of hardware errors and the occasional cosmic ray. [But it] will not stop the intentional flipping of many bits at once induced by Rowhammer. … If you think ECC setups will entirely protect you from Rowhammer, you’re sorely mistaken.

So what will? Dwedit has a germ of an idea:

“Perhaps it’s time”
Memory access patterns done by a normal program, and memory access patterns done by a Rowhammer program look completely different. … Perhaps it’s time to add some slowdown at the memory controller level if a program is using the RAM like Rowhammer rather than a normal program.

Meanwhile, a slightly sarcastic skuttr seeks a variant of concern: [You’re fired—Ed.]

“Random mutations”
I just don’t understand why anyone would want ECC. Bit flips lead to random mutations of our software. Without these random mutations, how is our software ever supposed to evolve?

And Finally:

Scott Dixon’s car vs. Lewis Hamilton’s

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Ella Alpert (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
