[HN Gopher] Google says Rowhammer attacks are gaining range as R...
___________________________________________________________________
Google says Rowhammer attacks are gaining range as RAM is getting denser
Author : valprop1
Score : 165 points
Date : 2021-05-26 09:08 UTC (2 days ago)
(HTM) web link (therecord.media)
(TXT) w3m dump (therecord.media)
| notriddle wrote:
| In other words, blame Intel for trying to pass off ECC as an "Enterprise Feature" instead of the basic necessity that it is.
| hypertele-Xii wrote:
| ECC is vulnerable to Rowhammer.
| r00fus wrote:
| The same way that masks don't prevent COVID.
| th0ma5 wrote:
| Right in statistically mostly it does / they do.
| kortilla wrote:
| No, statistically it's almost useless to prevent yourself from getting COVID. It's mainly about reducing your ability to spread it.
|
| That's why people get mad when you don't wear a mask even if you "don't care about getting covid".
| th0ma5 wrote:
| Yes that was a prominent theory at one time and helped a lot of the public adopt masks but it is actually both https://www.npr.org/sections/health-shots/2020/11/11/9339038...
| josh2600 wrote:
| I mean the punchline is: if you heat something up enough then you can get electrons to wiggle. At some level of cell wall thickness, the cost/time/annoyance of triggering a rowhammer exceeds the value of the attack, and other methods become cheaper or more practical.
|
| Ultimately, nothing that an attacker has physical access to can be completely secured, we can only raise the cost in terms of time and money to attempt to breach the system. Even a system with tamper-destructive enclosures have seen attacks (it's just more expensive and difficult than other attacks).
|
| In short, the more annoying/expensive you can make it to attack your system, the smaller the set of attackers becomes.
| nwah1 wrote:
| Equally vulnerable?
| notriddle wrote:
| I saw this article linked later.
| https://www.vusec.net/projects/eccploit/
|
| It's interesting! It seems fixable, based on information later on in the article ("Can I get DDR3 DIMMs that are Rowhammer-free?"), and ECC only seems to be part of a solution, and not a complete solution.
|
| But you're still right, and I was still wrong: ECC alone isn't good enough.
| nullc wrote:
| Much less so.
| staticassertion wrote:
| Agreed. Rowhammer is just one more example of this, but it's frustrating that ECC is not widely deployed.
| creato wrote:
| DRAM manufacturers continue (knowingly at this point) to manufacture faulty products, and we should blame Intel?
| GekkePrutser wrote:
| They could include ECC but it wouldn't work on most systems so why would they bother?
|
| At least on AMD it works these days.
| nightfly wrote:
| How many times more expensive would DRAM that is immune to rowhammer cost?
| gugagore wrote:
| I am not familiar with DRAM spec sheets, but are manufacturers specifying that there will be zero errors?
|
| Without a specification that says so, I don't think it's necessarily the fault of the manufacturer if they cannot build perfect RAM!
|
| Suppose someone builds a car with one of these computers in a safety-critical role, and then someone gets injured because of an error that "originated" with the RAM.
| rini17 wrote:
| They specify timing and when it is followed, RAM should work without fault.
|
| But if there are corner cases like this, they should be added to specs. Most likely it would require memory controller to remember last addresses and insert delays if rowhammer attempt is detected. And/or make CPU microoperation scheduler avoid it. No idea how expensive would that be, surely nontrivial.
| rocqua wrote:
| If my car's spec doesn't say "the wheels stay on" and then the wheels fall off, the car is still defective.
| notriddle wrote:
| Yes.
|
| Intel is an industry leader.
| EFI, Thunderbolt, and the "ultrabook" product category are all their ideas. By adding a feature to their CPU products, they induce demand for anything that complements it.
|
| By putting ECC support into their highest-end mobile CPUs only, they made them into high-end luxuries instead of industry standard. https://ark.intel.com/content/www/us/en/ark/search/featurefi...
| sroussey wrote:
| That doesn't explain Apple and the M1 though.
| jolux wrote:
| The Ultrabook _brand_ was Intel's idea but I'm pretty sure it was created to make sure that the Wintel ecosystem could stay competitive with the MacBook Air.
| vbezhenar wrote:
| Do you think many Ryzen PCs use ECC? I doubt that. It's accepted truth among gamers and power users, that ECC is waste of budget. I don't share this position, but if you'd ask on some computer forums, that's what you'll hear. If ECC would be enabled on all Intel CPUs, nothing fundamentally would change, most users would prefer to save 10% on their RAM.
| GekkePrutser wrote:
| I don't use it on mine, but my Ryzen PC is my gaming box.. Where the impact from such things is very limited.
|
| But ECC RAM is a lot more than 10% more expensive. This is part of the problem. Intel pushes it into a high-end niche which puts it in a much more expensive category, and it also loses economy of scale.
| CobaltFire wrote:
| Article title is slightly misleading: by smaller they mean process size, increasing the range of the rowhammer attacks logically due to decreased distance between memory cells even though the physics limited distance is the same.
| mhh__ wrote:
| As opposed to what other interpretation of the word small?
| a1369209993 wrote:
| Small RAM: memory with (relatively) few bytes of storage.
| a1369209993 wrote:
| "Rowhammer attacks are gaining range as RAM is getting _denser_"?
| dang wrote:
| Ok, let's try that above. Thanks!
| campuscodi wrote:
| I'm the author of the article.
|
| With all due respect, but I will have to push back on your categorization as 'slightly misleading' here. Your explanation effectively explains the headline and is also what Google researchers said. How is the headline misleading?
| hughw wrote:
| Not intentionally misleading, of course. But I too first misinterpreted "RAM is getting smaller" as RAM that has smaller storage, which is counter to experience. But that's the size dimension I confront in everyday life, not the physical dimensions of the chip. I knew I must not be getting it, but I didn't think of the physical size until I read the article.
| dnautics wrote:
| Slightly confusing is better verbiage. I had to think for a sec (I have had cache memory on the mind, which is "smaller" than main memory).
| ma2rten wrote:
| When I initially read the headline I thought for a second that it meant storage capacity is getting smaller. But then I realized that that doesn't make sense and it's referring to process size.
| cortesoft wrote:
| Not sure how you could have read it that way... storage capacity is clearly not getting smaller.
| manquer wrote:
| I had similar thoughts as the parent, then your point came to my mind, next thing I thought was perhaps not storage capacity but maybe smaller form factor of the stick itself.
|
| Clearly I was wrong, but confusion can happen with just saying "smaller", many meanings are there for that word.
| singlow wrote:
| Definitely not misleading. Possibly easy to misunderstand? It did take me a second to realize what was meant.
| CobaltFire wrote:
| Misleading may have been the wrong word, though I will say I qualified it with slightly.
|
| The changed title is much more informative.
| comboy wrote:
| I also read it that way and the paper does not use that phrase. I'm not saying intentionally misleading, but clearly some people were misled.
| manquer wrote:
| I don't think it is misleading entirely, however my first reaction was you meant smaller in storage capacity or physical size of stick this interpretation is not uncommon and can cause some confusion
| karmicthreat wrote:
| Is there any evidence of Rowhammer being used in a successful attack in the wild?
| kuschku wrote:
| Wasn't there a rowhammer based website for rooting android phones in the past?
| atatatat wrote:
| Is there any evidence it's not just a matter of time before there is?
| mhh__ wrote:
| Rowhammer, Spectre, etc. are all very high-information attacks which strike me as not worth the effort for run of the mill adversaries. Three-letter agencies, however, I suspect might have played around with them - if a cloud vendor is secure, and they need a way to un-secure it, they have the resources to get microarchitectural researchers sworn to secrecy to make these attacks work.
| karmicthreat wrote:
| Rowhammer has been known of for over 5 years.
| ygjb wrote:
| You don't need to have a practical attack for something to be a credible threat that needs to be addressed in a multi-tenant system (like say, cloud providers).
| babypuncher wrote:
| According to the article, no.
|
| What I want to know is if this works on ECC memory. I'm guessing not, which makes the "vulnerability" even more of a non-issue in mission-critical applications that likely moved to ECC a while ago.
| mhh__ wrote:
| Apparently it does but I haven't tested it myself
| campuscodi wrote:
| Yes, Rowhammer can bypass ECC. Forgot to include this in the article, mainly because there's so much Rowhammer research.
|
| See here: https://www.vusec.net/projects/eccploit/
| CalChris wrote:
| Can Rowhammer bypass ECC and not be detected by an _hw_event_mc_err_type_? I don't think so. Why would someone have ECC without a sufficiently sophisticated driver?
| [deleted]
| a1369209993 wrote:
| > Can Rowhammer bypass ECC and not be detected by an hw_event_mc_err_type?
|
| It's definitely possible in theory. You'd need four bit flips rather than three, so you'd probably need more time between accesses to the victim row, but that's a quantitative improvement at best. This _can_ be mitigated by using different ECC bit encodings per memory location[0], so hammered data, with correct ECC for its row, always has wrong ECC values for the adjacent rows, but I don't think anyone does that.
|
| 0: This is important in order to make fake ECC memory, which uses a (cheap) combinatoric circuit in place of a (more expensive) ninth DRAM chip, not work, so it _should_ be happening even without Rowhammer, but AFAIK it isn't.
| chmod775 wrote:
| > Can Rowhammer bypass ECC and not be detected by an hw_event_mc_err_type?
|
| Afaik, yes it can (unless you're counting HW_EVENT_ERR_CORRECTED). They specifically try to get 1 or 3 bit flips, never 2.
|
| See here: https://www.vusec.net/projects/eccploit/
|
| (yes, that's the same link)
| staticassertion wrote:
| It's really worth noting that ECC does impact Rowhammer effectiveness, even if it is not enough to prevent the attack 100% of the time.
| GekkePrutser wrote:
| But as part of this it'll also have a high chance of triggering a system shutdown due to ECC mismatch, right? So in most cases it can't be exploited for things other than DoS.
| staticassertion wrote:
| ECC won't necessarily shut the system down as it can actually repair single bit errors, and mismatches can be monitored for as well. But your point stands - for an attacker to do damage they'll likely end up flipping bits in unintended ways first.
| snapcaster wrote:
| Good question. What would the evidence be? Memory errors?
i | wonder how easy to detect these would be | Tempest1981 wrote: | 32 more comments here: | | https://news.ycombinator.com/item?id=27278540 ___________________________________________________________________ (page generated 2021-05-28 23:00 UTC)