[HN Gopher] Google says Rowhammer attacks are gaining range as R...
___________________________________________________________________
Google says Rowhammer attacks are gaining range as RAM is getting
denser
Author : valprop1
Score : 165 points
Date : 2021-05-26 09:08 UTC (2 days ago)
(HTM) web link (therecord.media)
(TXT) w3m dump (therecord.media)
| notriddle wrote:
| In other words, blame Intel for trying to pass off ECC as a
| "Enterprise Feature" instead of the basic necessity that it is.
| hypertele-Xii wrote:
| ECC is vulnerable to Rowhammer.
| r00fus wrote:
| The same way that masks don't prevent COVID.
| th0ma5 wrote:
| Right in statistically mostly it does / they do.
| kortilla wrote:
| No, statistically it's almost useless to prevent yourself
| from getting COVID. It's mainly about reducing your
| ability to spread it.
|
| That's why people get mad when you don't wear a mask even
| if you "don't care about getting covid".
| th0ma5 wrote:
| Yes that was a prominent theory at one time and helped a
| lot of the public adopt masks but it is actually both
| https://www.npr.org/sections/health-shots/2020/11/11/9339038...
| josh2600 wrote:
| I mean the punchline is: if you heat something up enough then
| you can get electrons to wiggle. At some level of cell wall
| thickness, the cost/time/annoyance of triggering a rowhammer
| exceeds the value of the attack, and other methods become
| cheaper or more practical.
|
| Ultimately, nothing that an attacker has physical access to
| can be completely secured, we can only raise the cost in
| terms of time and money to attempt to breach the system. Even
| a system with tamper-destructive enclosures has seen attacks
| (it's just more expensive and difficult than other attacks).
|
| In short, the more annoying/expensive you can make it to
| attack your system, the smaller the set of attackers becomes.
| nwah1 wrote:
| Equally vulnerable?
| notriddle wrote:
| I saw this article linked later.
| https://www.vusec.net/projects/eccploit/
|
| It's interesting! It seems fixable, based on information
| later on in the article ("Can I get DDR3 DIMMs that are
| Rowhammer-free?"), and ECC only seems to be part of a
| solution, and not a complete solution.
|
| But you're still right, and I was still wrong: ECC alone
| isn't good enough.
| nullc wrote:
| Much less so.
| staticassertion wrote:
| Agreed. Rowhammer is just one more example of this, but it's
| frustrating that ECC is not widely deployed.
| creato wrote:
| DRAM manufacturers continue (knowingly at this point) to
| manufacture faulty products, and we should blame Intel?
| GekkePrutser wrote:
| They could include ECC but it wouldn't work on most systems
| so why would they bother?
|
| At least on AMD it works these days.
| nightfly wrote:
| How many times more expensive would DRAM that is immune to
| rowhammer cost?
| gugagore wrote:
| I am not familiar with DRAM spec sheets, but are
| manufacturers specifying that there will be zero errors?
|
| Without a specification that says so, I don't think it's
| necessarily the fault of the manufacturer if they cannot
| build perfect RAM!
|
| Suppose someone builds a car with one of these computers in a
| safety-critical role, and then someone gets injured because
| of an error that "originated" with the RAM.
| rini17 wrote:
| They specify timing and when it is followed, RAM should
| work without fault.
|
| But if there are corner cases like this, they should be
| added to specs. Most likely it would require memory
| controller to remember last addresses and insert delays if
| rowhammer attempt is detected. And/or make CPU
| microoperation scheduler avoid it. No idea how expensive
| would that be, surely nontrivial.
| rocqua wrote:
| If my car's spec doesn't say "the wheels stay on" and then
| the wheels fall off, the car is still defective.
| notriddle wrote:
| Yes.
|
| Intel is an industry leader. EFI, Thunderbolt, and the
| "ultrabook" product category are all their ideas. By adding a
| feature to their CPU products, they induce demand for
| anything that complements it.
|
| By putting ECC support into their highest-end mobile CPUs
| only, they made them into high-end luxuries instead of
| industry standard.
| https://ark.intel.com/content/www/us/en/ark/search/featurefi...
| sroussey wrote:
| That doesn't explain Apple and the M1 though.
| jolux wrote:
| The Ultrabook _brand_ was Intel's idea but I'm pretty sure
| it was created to make sure that the Wintel ecosystem could
| stay competitive with the MacBook Air.
| vbezhenar wrote:
| Do you think many Ryzen PCs use ECC? I doubt that. It's
| accepted truth among gamers and power users, that ECC is waste
| of budget. I don't share this position, but if you'd ask on
| some computer forums, that's what you'll hear. If ECC would be
| enabled on all Intel CPUs, nothing fundamentally would change,
| most users would prefer to save 10% on their RAM.
| GekkePrutser wrote:
| I don't use it on mine, but my Ryzen PC is my gaming box..
| Where the impact from such things is very limited.
|
| But ECC RAM is a lot more than 10% more expensive. This is
| part of the problem. Intel pushes it into a high-end niche
| which puts it in a much more expensive category, and it also
| loses economy of scale.
| CobaltFire wrote:
| Article title is slightly misleading: by smaller they mean
| process size, increasing the range of the rowhammer attacks
| logically due to decreased distance between memory cells even
| though the physics limited distance is the same.
| mhh__ wrote:
| As opposed to what other interpretation of the word small?
| a1369209993 wrote:
| Small RAM: memory with (relatively) few bytes of storage.
| a1369209993 wrote:
| "Rowhammer attacks are gaining range as RAM is getting
| _denser_"?
| dang wrote:
| Ok, let's try that above. Thanks!
| campuscodi wrote:
| I'm the author of the article.
|
| With all due respect, but I will have to push back on your
| categorization as 'slightly misleading' here. Your explanation
| effectively explains the headline and is also what Google
| researchers said. How is the headline misleading?
| hughw wrote:
| Not intentionally misleading, of course. But I too first
| misinterpreted "RAM is getting smaller" as RAM that has
| smaller storage, which is counter to experience. But that's
| the size dimension I confront in everyday life, not the
| physical dimensions of the chip. I knew I must not be getting
| it, but I didn't think of the physical size until I read the
| article.
| dnautics wrote:
| Slightly confusing is better verbiage. I had to think for a
| sec (I have had cache memory on the mind, which is "smaller"
| than main memory).
| ma2rten wrote:
| When I initially read the headline I thought for a second
| that it meant storage capacity is getting smaller. But then I
| realized that that doesn't make sense and it's referring to
| process size.
| cortesoft wrote:
| Not sure how you could have read it that way... storage
| capacity is clearly not getting smaller.
| manquer wrote:
| I had similar thoughts as the parent, then your point
| came to my mind, next thing I thought was perhaps not
| storage capacity but maybe smaller form factor of the
| stick itself.
|
| Clearly I was wrong, but confusion can happen with just
| saying "smaller", many meanings are there for that word.
| singlow wrote:
| Definitely not misleading. Possibly easy to misunderstand? It
| did take me a second to realize what was meant.
| CobaltFire wrote:
| Misleading may have been the wrong word, though I will say I
| qualified it with slightly.
|
| The changed title is much more informative.
| comboy wrote:
| I also read it that way and the paper does not use that
| phrase. I'm not saying intentionally misleading, but clearly
| some people were misled.
| manquer wrote:
| I don't think it is misleading entirely, however my first
| reaction was you meant smaller in storage capacity or
| physical size of stick. This interpretation is not uncommon
| and can cause some confusion.
| karmicthreat wrote:
| Is there any evidence of Rowhammer being used in a successful
| attack in the wild?
| kuschku wrote:
| Wasn't there a rowhammer based website for rooting android
| phones in the past?
| atatatat wrote:
| Is there any evidence it's not just a matter of time before
| there is?
| mhh__ wrote:
| Rowhammer, Spectre, etc. are all very high-information
| attacks which strike me as not worth the effort for run of
| the mill adversaries. Three-letter agencies, however, I
| suspect might have played around with them - if a cloud
| vendor is secure, and they need a way to un-secure it, they
| have the resources to get microarchitectural researchers
| sworn to secrecy to make these attacks work.
| karmicthreat wrote:
| Rowhammer has been known of for over 5 years.
| ygjb wrote:
| You don't need to have a practical attack for something to
| be a credible threat that needs to be addressed in a multi-
| tenant system (like say, cloud providers).
| babypuncher wrote:
| According to the article, no.
|
| What I want to know is if this works on ECC memory. I'm
| guessing not, which makes the "vulnerability" even more of a
| non-issue in mission-critical applications that likely moved to
| ECC a while ago.
| mhh__ wrote:
| Apparently it does but I haven't tested it myself
| campuscodi wrote:
| Yes, Rowhammer can bypass ECC. Forgot to include this in the
| article, mainly because there's so much Rowhammer research.
|
| See here: https://www.vusec.net/projects/eccploit/
| CalChris wrote:
| Can Rowhammer bypass ECC and not be detected by an
| _hw_event_mc_err_type_? I don't think so. Why would
| someone have ECC without a sufficiently sophisticated
| driver?
| [deleted]
| a1369209993 wrote:
| > Can Rowhammer bypass ECC and not be detected by an
| hw_event_mc_err_type?
|
| It's definitely possible in theory. You'd need four bit
| flips rather than three, so you'd probably need more time
| between accesses to the victim row, but that's a
| quantitative improvement at best. This _can_ be mitigated
| by using different ECC bit encodings per memory
| location[0], so hammered data, with correct ECC for its
| row, always has wrong ECC values for the adjacent rows,
| but I don't think anyone does that.
|
| 0: This is important in order to make fake ECC memory,
| which uses a (cheap) combinatoric circuit in place of a
| (more expensive) ninth DRAM chip, not work, so it
| _should_ be happening even without Rowhammer, but AFAIK
| it isn't.
| chmod775 wrote:
| > Can Rowhammer bypass ECC and not be detected by an
| hw_event_mc_err_type?
|
| Afaik, yes it can (unless you're counting
| HW_EVENT_ERR_CORRECTED). They specifically try to get 1
| or 3 bit flips, never 2.
|
| See here: https://www.vusec.net/projects/eccploit/
|
| (yes, that's the same link)
| staticassertion wrote:
| It's really worth noting that ECC does impact Rowhammer
| effectiveness, even if it is not enough to prevent the
| attack 100% of the time.
| GekkePrutser wrote:
| But as part of this it'll also have a high chance of
| triggering a system shutdown due to ECC mismatch, right?
| So in most cases it can't be exploited for things other
| than DoS.
| staticassertion wrote:
| ECC won't necessarily shut the system down as it can
| actually repair single bit errors, and mismatches can be
| monitored for as well. But your point stands - for an
| attacker to do damage they'll likely end up flipping bits
| in unintended ways first.
| snapcaster wrote:
| Good question. What would the evidence be? Memory errors? I
| wonder how easy to detect these would be.
| Tempest1981 wrote:
| 32 more comments here:
|
| https://news.ycombinator.com/item?id=27278540
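
Added example, not part of the thread or the linked article: a textbook (72,64) extended-Hamming SECDED code, showing why the ECC sub-thread above distinguishes between 1, 2, 3 and 4 flipped bits. It assumes the decoder's three outcomes stand in for "no event", a corrected-error event and an uncorrected-error event; real memory controllers use different codes, and every name in the block is illustrative.

```python
# Added example: textbook (72,64) extended-Hamming SECDED, not any vendor's real ECC.
N = 71  # Hamming positions 1..71; position 0 holds the overall parity bit

def is_data(pos):
    return (pos & (pos - 1)) != 0  # powers of two are check-bit positions

def syndrome(word):
    syn = 0
    for pos in range(1, N + 1):
        if word[pos]:
            syn ^= pos
    return syn

def encode(data):
    word, d = [0] * (N + 1), 0
    for pos in range(1, N + 1):
        if is_data(pos):
            word[pos] = (data >> d) & 1
            d += 1
    syn = syndrome(word)
    for k in range(7):  # set the check bits so the syndrome becomes 0
        word[1 << k] = (syn >> k) & 1
    word[0] = sum(word) & 1  # make the overall parity even
    return word

def extract(word):
    data, d = 0, 0
    for pos in range(1, N + 1):
        if is_data(pos):
            data |= word[pos] << d
            d += 1
    return data

def decode(word):
    syn, odd = syndrome(word), sum(word) & 1
    if syn == 0 and not odd:
        return "clean", extract(word)        # no event raised
    if odd and syn <= N:                     # looks like a single flipped bit
        fixed = word[:]
        fixed[syn] ^= 1                      # syn == 0 means the parity bit itself
        return "corrected", extract(fixed)   # corrected-error event
    return "uncorrectable", None             # uncorrected-error event

def classify(data, flips):
    """Return (decoder status, data survived intact) after flipping bit positions."""
    word = encode(data)
    for p in flips:
        word[p] ^= 1
    status, got = decode(word)
    return status, got == data
```

In this model a three-flip pattern still surfaces as a corrected event even though the data handed back is wrong, so corrected-error counts are the signal worth alerting on. Only the four-flip pattern whose positions XOR to zero passes with no event at all.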
___________________________________________________________________
(page generated 2021-05-28 23:00 UTC)