3 is the magic number (of bits): Flip 'em at once and your ECC protection can be Rowhammer'd

Researchers in the Netherlands have confirmed that error-correcting code (ECC) protections can be thwarted to perform Rowhammer memory manipulation attacks. The Vrije Universiteit Amsterdam crew of Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, and Herbert Bos today said they have developed a viable method to precisely …

  1. Christian Berger

    The obvious message here is...

    ... don't run code you don't trust on your machine, even if it has ECC.

    Unfortunately Web designers still didn't seem to get the message.

    1. bombastic bob Silver badge

      Re: The obvious message here is...

      Doesn't Rowhammer require really good knowledge of the kernel internals to make use of it, at least for bypassing security? You'd need to hammer permission bits, for example, to access things that are normally not accessible, and for that you'd need to know where the bits are located (etc.) as well as have a good idea about how the RAM architecture is set up. I'd say that ECC still (at least) makes that harder to do, though obviously NOT impossible, like the lock on your door just slows 'them' down if 'they' REALLY want to get in, but of course I'm not going to be leaving my door UNlocked any time soon...

      1. Christian Berger

        Re: The obvious message here is...

        Yeah, like many exploits this is hard. However that doesn't necessarily stop people from exploiting it.

  2. Gordan

    Bravo! *slow clap*

    "But if three bits could be changed simultaneously, ECC would not catch the modification."

    Wow! So they actually read up on how ECC memory that has been in use in servers for 30 years works! Are they hoping for some praise medals for participation?

    It must be a really slow day if this is news.

    1. Brewster's Angle Grinder Silver badge

      Re: Bravo! *slow clap*

      The researchers did come across as surprisingly ignorant about ECC. Still, it's news that you can successfully row-hammer it in practice.

    2. diodesign (Written by Reg staff) Silver badge

      Re: Bravo! *slow clap*

      "It must be a really slow day if this is news."

      Where's your published paper on this, then, egghead? The point is showing that ECC can't stop Rowhammer attacks on adjacent RAM cells.

      Also: the Meltdown vuln was stunningly trivial to exploit, and was staring people in the face for years, and was rightly heralded as a major find. Sometimes the obvious has to be pointed out.

      C.

      1. Steve Knox

        Re: Bravo! *slow clap*

        I've got to agree with the other commentards here. Wikipedia has the following sentence in the "Mitigation" section of its article on RowHammer (https://en.wikipedia.org/wiki/Row_hammer#Mitigation):

        Tests show that simple ECC solutions, providing single-error correction and double-error detection (SEC DED) capabilities, are not able to correct or detect all observed disturbance errors because some of them include more than two flipped bits per memory word.[1]:8[15]:32

        That particular sentence has been in place, unmodified, since March of 2015. And as for published papers, those are referenced in the original Wiki article.

        At best, these researchers can claim a repeatable demonstration of already known limitations of ECC under laboratory conditions.

        1. diodesign (Written by Reg staff) Silver badge

          "researchers can claim a repeatable demonstration"

          Yes, that's exactly what's happened - confirmation. It's a demonstration of the attack. Just as it's one thing to say some software has a heap overflow, and quite another to develop an exploit to reliably and usefully exploit the flaw to achieve code execution.

          To make everyone happy, I'll clarify it's a confirmation rather than a discovery.

          C.

          1. mevets

            Re: "researchers can claim a repeatable demonstration"

            In defence of the OP (and to flog a dead horse), but in the original paper, Kim et al. (978-1-4799-4394-4/14/$31.00 © 2014 IEEE): Table 5 in section 6.3 shows up to 4 bit errors in a single word. This is called out as evidence that Single-Error-Correction-Double-Error-Detection is insufficient to mitigate this.

            The OP's 'duh, yeah' was quite correct, and the follow-up criticism was quite wrong. The article here is sadly lacking -- I don't think basic math counts as "theoretically", and the proclaimed realization was realized in the original paper, 4 years ago.
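The SEC-DED limitation that Steve Knox's Wikipedia quote and mevets' reference to Kim et al. both describe, shown in an added toy example (not code from the paper, the researchers or any vendor): an extended Hamming (8,4) code corrects one flipped bit, reports two as uncorrectable, and silently "corrects" three into a wrong value. A real DIMM's SEC-DED works on 64-bit words with 8 check bits, but the behaviour with one, two and three flips is the same.

```python
from itertools import combinations

# Extended Hamming (8,4) SEC-DED: 4 data bits, 3 Hamming parity bits, 1 overall parity bit.
DATA_POS = (3, 5, 6, 7)     # data bits sit at the non-power-of-two positions
PARITY_POS = (1, 2, 4)      # Hamming parity bits; position 0 holds the overall parity

def encode(nibble):
    """Encode a 4-bit value into an 8-bit codeword (list of bits, index = position)."""
    word = [0] * 8
    for i, pos in enumerate(DATA_POS):
        word[pos] = (nibble >> (3 - i)) & 1
    for p in PARITY_POS:
        # parity bit p covers every position whose index has bit p set
        word[p] = sum(word[pos] for pos in range(1, 8) if pos & p) & 1
    word[0] = sum(word[1:]) & 1   # overall parity makes the total weight even
    return word

def decode(word):
    """Return (status, value); status is 'ok', 'corrected' or 'uncorrectable'."""
    w = list(word)
    syndrome = 0
    for p in PARITY_POS:
        if sum(w[pos] for pos in range(1, 8) if pos & p) & 1:
            syndrome |= p
    odd = sum(w) & 1
    if syndrome == 0 and odd == 0:
        status = "ok"
    elif odd:
        # odd number of flips: the decoder assumes exactly one and "repairs" it
        w[syndrome] ^= 1
        status = "corrected"
    else:
        # even, non-zero syndrome: two flips, detected but not correctable
        return "uncorrectable", None
    value = 0
    for pos in DATA_POS:
        value = (value << 1) | w[pos]
    return status, value

def flip_and_decode(nibble, positions):
    """Flip the given codeword positions (the bits a disturbance would hit), then decode."""
    word = encode(nibble)
    for pos in positions:
        word[pos] ^= 1
    return decode(word)

def count_silent_triple_flips():
    """Over all values and all 3-bit flip sets, count decodes that report 'corrected'
    but hand back the wrong value: the case SEC-DED cannot see."""
    silent = 0
    for nibble in range(16):
        for flips in combinations(range(8), 3):
            status, value = flip_and_decode(nibble, flips)
            if status == "corrected" and value != nibble:
                silent += 1
    return silent
```

Every one of the 16 x 56 three-flip cases comes back as "corrected" with a wrong value, which is why the controller logs nothing in that case.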

        2. Gordan

          Re: Bravo! *slow clap*

          Sure - rowhammer can be made to work - on certain hardware. I've yet to own a device on which it was reproducible using various test programs in 8 hours, and I doubt I'm that lucky. But if it can be made to flip 1 bit statistically in n seconds, then it follows that in n^2 seconds you should be able to flip 2 bits in the same row, and in n^3 seconds, flip 3 bits. But since we are into O(n^3) territory, I wouldn't lose sleep over it.

          1. diodesign (Written by Reg staff) Silver badge

            "I wouldn't lose sleep over it."

            Yeah, as we said, it's difficult to exploit. As seen with Meltdown and Spectre, it's easier to get someone to click on a link or run a fake Flash installer.

            C.

            1. amanfromMars 1 Silver badge

              Re: "I wouldn't lose sleep over it."

              Yeah, as we said, it's difficult to exploit. ... diodesign

              Difficult to Exploit, Nowadays with so much Virtual Machinery at our Disposal/Beck and Call?

              I Don't Think So, diodesign. And be Assured IT is Perilous in Abuse and Misuse for Rewarding Merciful Justice is the Quick Fix/Temporary Patch of Future Shenanigans.

              Present Prosecution Evidence ....

              Initially more a curiosity than something many people worried about, the research community quickly learned how to weaponize the bit flips and completely compromise (“pwn”) many types of machine: PCs, smartphones, VMs in the cloud, etc. .... https://www.vusec.net/projects/eccploit/

              And when SMARTR Weaponised, VMs in CHAOS ..... Clouds Hosting Advanced Operating Systems in Live Operational Virtual Environments.

              Such is Easily Imagined Invincible and AlMighty. Protection against that is Vital for when Virile Viral is Unstoppable and Insatiably Curious.

              A Little SomeThing for Virtual AIdVenture Channeling, El Reg. ..... Virgin Birth and Forward Presentation.

              :-) Nothing to lose sleep over there, El Reg. Suddenly wider awake is infinitely more agreeable.:-)

  3. OrneryRedGuy

    They're not knocking ECC

    Perhaps the article is taking the wrong slant. Everybody knows (or should) what ECC's limitations are. These guys are saying they've figured out a way to (eventually) breach those limitations. It would involve digging into their paper (can't be arsed) to see if this technique could be used to identify memory locations that are vulnerable, AND worthy of exploit (are you flipping bits in a sys call table, or in a bitmapped image), AND can be successfully changed by a precise number of bits to a much more desirable value, from the attacker's point of view.

    It sounds like you could, after a week or so, achieve some minor data corruption. If you're really lucky, that corruption might cause another process to die. Super lucky, you might get a kernel panic. Super one-in-a-1-with-many-zeros-after-it chance lucky, you might be able to use it to run malicious code or gain permissions.

    Personally, I would think the odds are significantly higher that the whole computer would be stolen in an Ocean's 11-style robbery. Or obliterated by a meteorite.

    1. diodesign (Written by Reg staff) Silver badge

      Re: They're not knocking ECC

      No one's saying ECC is bad - not us, not the researchers, pretty much no one - it's just that if you thought ECC would stop Rowhammer, you're sadly mistaken.

      As we wrote in the article:

      "The boffins said that their findings should not be taken as a condemnation of ECC either. Rather, it should show admins and security professionals that ECC is just one of several protection layers they should use..."

      C.

      1. Loud Speaker

        Re: They're not knocking ECC

        Anyone who understands ECC and the maths behind it would know this is part of the spec*. Anyone who does not, probably ought not to be publishing academic papers on the subject.

        Many years ago (when 6502's were popular), I worked on a project where we were instructed NOT to correct the bits anyway, because larger numbers of erroneous bits might be falsely corrected and not reported. (This was not in the context of computer memory).

        I first read about ECC in the 1960's, and the technology dates back to the 1940's or possibly earlier. This is not news, merely evidence that standards of education have been on the decline for a very long time.

        * It is perfectly possible to specify ECC such that the number of incorrect bits that can be detected is higher. However, it might be harder to get anyone to pay for it.

    2. bombastic bob Silver badge

      Re: They're not knocking ECC

      "I would think the odds are significantly higher that the whole computer would be stolen"

      As a matter of fact...

      At a used-to-company, miscreants threw a heavy object through the front window of the office building, ran in, cut cables with wire cutters, grabbed the CPU boxen, and took off with the alarm blaring.

      Then they did it again 2-3 weeks later, after the company got "all new computers". [I did the majority of the work from home and therefore had plenty of backups for my stuff and related projects].

      Snatch-n-grab using low tech "steal a manhole cover and throw it through the window" and "cut all of the cables with wire cutters and run with the CPU boxen" is difficult to stop, but you CAN slow them down by using these lock & cable things [which I recommended after the 2nd theft, and bought some for myself].

      That being said, thieves and miscreants will ALWAYS come up with a brute force and/or low tech way of defeating the highest tech security that you can possibly think up, like chaining up an ATM machine to a stolen towtruck and yanking it out of the bank office's wall.

      The best security plan is to make sure that you slow them down as much as possible so that you're no longer "an easy mark".

      ECC RAM apparently slows them down.

      1. Danny 14

        Re: They're not knocking ECC

        It also doesn't say what happens if you run extra ECC such as Dell Advanced ECC mode. That is in addition to the chip ECC itself.

  4. DrBandwidth

    clever, but easy to detect

    The trick of testing one bit at a time until you find three bits that are susceptible is clever, but the approach is risky (i.e., if only 2 of the 3 bits flip, you get an uncorrectable error that leaves lots of log information behind), and it is also easy to protect against. Every processor that I know of that supports ECC also supports a counter that measures corrected single-bit errors. We monitor these correctable error rates so we can replace error-prone DIMMs, which means that we also pay attention to who and what was running on the node when the corrected error rate increased. This monitoring could be automated, but that is not necessary -- having humans reviewing this data means that there is a decent chance that the attacker will get caught and locked out of the system. (This usually means that someone has hacked an authorized user's account, but occasionally an authorized user gets stupid....)
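The monitoring DrBandwidth describes, as an added example (not the page's or any vendor's code): corrected-error events per DIMM are parsed from constructed log lines written in the style of Linux EDAC kernel messages, and any DIMM whose corrected-error count inside a sliding window reaches a threshold is flagged. The five-minute window and the threshold of four are assumptions; correlating a flagged window with who was running on the node is the human step the comment mentions and is not automated here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of Linux EDAC messages (not captured from a real host).
SAMPLE_LOG = """\
2018-11-21T09:00:01 host kernel: EDAC MC0: 1 CE memory read error on DIMM_A1
2018-11-21T09:00:43 host kernel: EDAC MC0: 1 CE memory read error on DIMM_A1
2018-11-21T09:01:12 host kernel: EDAC MC0: 1 CE memory read error on DIMM_B2
2018-11-21T09:01:30 host kernel: EDAC MC0: 1 CE memory read error on DIMM_A1
2018-11-21T09:01:55 host kernel: EDAC MC0: 1 CE memory read error on DIMM_A1
2018-11-21T09:02:10 host kernel: EDAC MC0: 1 CE memory read error on DIMM_A1
2018-11-21T13:30:00 host kernel: EDAC MC0: 1 CE memory read error on DIMM_B2
"""

LINE_RE = re.compile(r"^(\S+) \S+ kernel: EDAC MC\d+: (\d+) CE .* on (\S+)$")

def parse(log):
    """Yield (timestamp, dimm, corrected_count) for each EDAC CE line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(3), int(m.group(2))

def burst_dimms(log, window=timedelta(minutes=5), threshold=4):
    """Return {dimm: (window_start, window_end)} for DIMMs whose corrected-error
    count reaches `threshold` inside any span of length `window` (ISO timestamps)."""
    events = defaultdict(list)
    for ts, dimm, count in parse(log):
        events[dimm].extend([ts] * count)      # one event per corrected error
    flagged = {}
    for dimm, times in events.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[dimm] = (times[start].isoformat(), ts.isoformat())
                break
    return flagged
```

A steady trickle of errors on DIMM_B2 hours apart is the normal ageing pattern; the burst on DIMM_A1 is what should trigger a look at the process list for that window.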

    1. OrneryRedGuy

      Re: clever, but easy to detect

      The significance of the paper, then, would be to warn people what to look for.

      1. Danny 14

        Re: clever, but easy to detect

        Even cheap Dell PowerEdge servers will automatically mark RAM as potentially bad if they hit x error rate. If you have enterprise DRAC then it will independently mail you too; good for the small guys.

  5. LeahroyNake

    Seriously

    If you have malware running on your system that is capable of using this attack :O You have bigger issues to worry about.

    ECC stands for Error Correction Code, or at least it used to. It was designed to correct hardware memory issues when 2048k was considered large. Not to deal with what seem like addressing issues exploited by malware that has much easier avenues of attack / spoof a UAC prompt.

    1. Anonymous Coward

      You are thinking far too narrowly

      Who says it is malware? If you are a cloud provider you have legitimate customers running whatever the hell they please. Are you going to be able to tell if they're trying to exploit rowhammer?

      If it takes a week to manage the triple bit attack the attacker will be patient, because when they succeed they'll have access to the hypervisor and thus the VMs used by all the other customers on that particular server. Though it is quite possible they might gain access to far more, i.e. if they can access SSH keys either in the filesystem or in memory. Plus they'll have a foothold inside the cloud provider's network.

      1. bombastic bob Silver badge

        Re: You are thinking far too narrowly

        How easy would it be to discover enough about the VM host that you could predict how a rowhammer would affect your ability to "do something useful" to it? Unless, of course, you're just trying to be disruptive...

        1. amanfromMars 1 Silver badge

          Re: As Easy as Pi

          how easy would it be to discover enough about the VM host that you could predict how a rowhammer would affect your ability to "do something useful" to it? Unless, of course, you're just trying to be disruptive... .... bombastic bob

          Now that discovery is One AlMighty Weapon and Heavenly Tool. What say you, bb?

          Are you in Systems AIMaster Pilots .. Special Access Programs .....Routinely Base 0Day Examined with Autonomous Self Programming Beta Testing so "to do something useful" is Always Available, for IT is Enabling and can far too easily Lead to Sorry Insane Madness and Despicable Devout Despair.

          It is a very strange, self destructive route to venture down whenever the Yin to that Yang is Out of This World Joy at New AI Programmer Beginnings with Openings for Live Operational Virtual Environments

          with NEUKlearer HyperRadioProACTive Space Forces and Sources at Greater IntelAIgent Games Play.

          Anything not there leading anyone to a misunderstanding?

          Best Raise a Red Flag here for MI5. SOI .... Greater IntelAIgent Games Play with the Advantage of Hedged Edges Being Primed to Deliver Excess Success ..... an AlMighty Bounty Indeed in Deed.

          Nothing to see here, El Regers. Move on please. All the reactive proaction to be realised is now centred with others elsewhere whilst they decide their next very smart move, ideally.

          What else is Happened Today that Tomorrow will Tell as a Yesterday to be Fondly Remembered and Revered or Quickly Forgotten in Files Found Unmemorable? And will IT Change the Present to SomeThing Altogether Radically Different for Displays on Tomorrows News Screens with Alternate AIMedia Platforms Penetrations Testing Current News Cycle Recycling Programs and Protocols.

          Taking them for a Test Run and Engaging Flight. That Really is Best Not Kept a Closed Top Secret Secret when the Freeing of Truth Delivers All Treasures both Fair and Spoiled/Good and Bad/Rad and Mad to Every Believer and Immaculate Disciple/Student Professor.

        2. Anonymous Coward

          @bombastic bob

          There are only a handful of viable VM technologies they could possibly use. You've got ESX, Hyper-V, and Xen, that's about it. The type of attack you'd use against each would be different, but you could try all three - though realistically it probably isn't hard to figure out what technology a particular cloud provider uses. Just check their job listings and see what skills they are looking for.

  6. 0laf

    Interesting but not for the majority to worry about

    Although these types of vulnerabilities are interesting, I suspect the majority of us will soon go back to the day job of worrying about users clicking on links in badly spelled emails with invoices for products they've never ordered.

  7. imanidiot Silver badge

    What? No Monty Python and the holy grail references?

    I am disappointed El Reg. Deeply disappointed.

    Then shalt thou count to three, no more, no less. Three shall be the number thou shalt count, and the number of the counting shall be three. Four shalt thou not count, neither count thou two, excepting that thou then proceed to three. Five is right out. Once the number three, being the third number, be reached, thou shalt flip the bits of thine foe, who, being naught in My sight, shall offer thee all in his land.

  8. ea49c395e4ec4dcbc6b1d3a3abb6d05af97897b8

    Something for the weekend ...

    I wish I had the time to muck around looking for stuff like this - clever stuff.
