
Rambleed - Think RAM is safe? Nope

Sauron

A recent paper published by researchers at the University of Michigan demonstrates a possible use of the Rowhammer DRAM vulnerability to launch a side-channel attack. The researchers call this exploit "RAMBleed". The attack relies on reading Rowhammer-induced bit flips in memory to extrapolate neighboring values.

Quote

RAMBleed is a side-channel attack that enables an attacker to read out physical memory belonging to other processes. The implications of violating arbitrary privilege boundaries are numerous, and vary in severity based on the other software running on the target machine. As an example, in our paper we demonstrate an attack against OpenSSH in which we use RAMBleed to leak a 2048 bit RSA key. However, RAMBleed can be used for reading other data as well.

RAMBleed is based on a previous side channel called Rowhammer, which enables an attacker to flip bits in the memory space of other processes. We show in our paper that an attacker, by observing Rowhammer-induced bit flips in her own memory, can deduce the values in nearby DRAM rows. Thus, RAMBleed shifts Rowhammer from being a threat not only to integrity, but confidentiality as well.

The dedicated website offers a fairly detailed FAQ but the most important information would be how to defend yourself from this attack:

Quote

How can I mitigate this issue?

Users can mitigate their risk by upgrading their memory to DDR4 with targeted row refresh (TRR) enabled. While Rowhammer-induced bit flips have been demonstrated on TRR, it is harder to accomplish in practice.

Memory manufacturers can help mitigate this issue by more rigorously testing for faulty DIMMs. Furthermore, publicly documenting vendor specific TRR implementations will facilitate a stronger development process as security researchers probe such implementations for weaknesses.

Note that, unlike with "vanilla" Rowhammer, using ECC memory is not an effective mitigation on its own:

Quote

Does ECC (Error Correcting Code) memory prevent RAMBleed?

No! RAMBleed uses bit flips as a read side channel, and as such does not require bit flips to be persistent. Instead, the attacker merely needs to know that a bit flip occurred; the secret information leaks regardless of whether or not ECC corrects the flip.

If ECC corrects the flip, how can the attacker determine whether or not a bit has flipped in her memory? The attacker can read her memory and use the ECC timing side channel to determine if the bit flipped.

It is currently unknown whether this attack, or even just Rowhammer, has ever been exploited in the wild, but if you work with extremely sensitive data, upgrading to TRR memory may be worth it. This exploit IS theoretically viable over the internet and was used in the paper to extract a private SSH key from the "victim".

 

This looks like something manufacturers will have to take into consideration with DDR5; for the average user it may be premature to panic, but this could lead to some quite nasty security breaches.

 

-addition-

As per the paper, this has been disclosed to major players and currently has a CVE ID:

Quote

Following the practice of responsible disclosure, we have notified Intel, AMD, OpenSSH, Microsoft, Apple, and RedHat about our findings. The results contained in this paper (and in particular our memory massaging technique) were assigned CVE-2019-0174 by Intel.

 

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


2 minutes ago, Sauron said:

It is currently unknown whether this attack or even just Rowhammer has ever been exploited in the wild

2 minutes ago, Sauron said:

for the average user it may be premature to panic

Next day news headlines:


Computer Memory Allows Hackers To Read Your Passwords!


Never heard of TRR before. Is this something common in consumer ram?

QUOTE ME IF YOU WANT A REPLY!

 

PC #1

Ryzen 7 3700x@4.4ghz (All core) | MSI X470 Gaming Pro Carbon | Crucial Ballistix 2x16gb (OC 3600mhz)

MSI GTX 1080 8gb | SoundBlaster ZXR | Corsair HX850

Samsung 960 256gb | Samsung 860 1gb | Samsung 850 500gb

HGST 4tb, HGST 2tb | Seagate 2tb | Seagate 2tb

Custom CPU/GPU water loop

 

PC #2

Ryzen 7 1700@3.8ghz (All core) | Aorus AX370 Gaming K5 | Vengeance LED 3200mhz 2x8gb

Sapphire R9 290x 4gb | Asus Xonar DS | Corsair RM650

Samsung 850 128gb | Intel 240gb | Seagate 2tb

Corsair H80iGT AIO

 

Laptop

Core i7 6700HQ | Samsung 2400mhz 2x8gb DDR4

GTX 1060M 3gb | FiiO E10k DAC

Samsung 950 256gb | Sandisk Ultra 2tb SSD


9 minutes ago, BigDamn said:

Never heard of TRR before. Is this something common in consumer ram?

Good question - it's hard to say because manufacturers don't usually list it as a feature. Samsung and Micron have announced in the past that their memory supports it but as far as I know there isn't a comprehensive list of what sticks do or don't support it. You'd have to contact the manufacturer directly to ask.

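A quick inventory check, added here as an example (it is not from the paper or from anyone in this thread): it parses `dmidecode -t memory` output to list each populated DIMM's generation, vendor and part number, so you know whether a stick is DDR3 (nothing to do in-DRAM) or DDR4 (worth asking the vendor about TRR), and flags that ECC alone is not a RAMBleed mitigation. The sample output is constructed, the vendor and part number are placeholders, and the function names are my own.

```python
import re
# Constructed sample of `dmidecode -t memory` output; vendor and part are placeholders.
SAMPLE = """\
Handle 0x0030, DMI type 16, 23 bytes
Physical Memory Array
\tError Correction Type: None
Handle 0x0032, DMI type 17, 40 bytes
Memory Device
\tSize: 16384 MB
\tLocator: DIMM_A1
\tType: DDR4
\tManufacturer: EXAMPLE-VENDOR
\tPart Number: EXAMPLE-PART-0001
Handle 0x0033, DMI type 17, 40 bytes
Memory Device
\tSize: No Module Installed
\tLocator: DIMM_A2
"""
# What the thread concludes for each DRAM generation.
VERDICT = {"DDR4": "TRR possible but vendor-specific; confirm with the manufacturer",
           "DDR3": "no in-DRAM mitigation available",
           "DDR2": "reported unaffected by Rowhammer", "DDR": "reported unaffected by Rowhammer"}

def parse_dmidecode(text):
    # Each "Handle ..." block becomes (title, {field: value}); indentation is ignored.
    records = []
    for block in re.split(r"(?m)^(?=Handle )", text):
        lines = [l for l in block.splitlines() if l.strip()]
        if len(lines) < 2 or not lines[0].startswith("Handle"):
            continue
        pairs = (l.split(":", 1) for l in lines[2:] if ":" in l)
        records.append((lines[1].strip(), {k.strip(): v.strip() for k, v in pairs}))
    return records

def assess_modules(text):
    # One (locator, type, manufacturer, part, verdict) tuple per populated DIMM.
    recs = parse_dmidecode(text)
    ecc = any(f.get("Error Correction Type", "None") != "None"
              for t, f in recs if t == "Physical Memory Array")
    out = []
    for title, f in recs:
        if title != "Memory Device" or "No Module" in f.get("Size", ""):
            continue
        gen = f.get("Type", "Unknown")
        verdict = VERDICT.get(gen, "unknown generation")
        if ecc:  # ECC corrects the flip, but the read channel still leaks
            verdict += "; ECC does not block the RAMBleed read channel"
        out.append((f.get("Locator", "?"), gen, f.get("Manufacturer", "?"),
                    f.get("Part Number", "?"), verdict))
    return out
```

On a real box, feed it `sudo dmidecode -t memory` output instead of `SAMPLE`; dmidecode does not report TRR at all, which is exactly why the verdict for DDR4 is "ask the vendor".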

I guess my next build will have no RAM then.

 

Oh, and no CPU, to avoid the speculative execution stuff.

And no motherboard or storage, in case 3-letter agencies decide to install something in the firmware. 

 

At least I'll have plenty of room inside my case for RGB strips. xD


7 minutes ago, BigDamn said:

Never heard of TRR before. Is this something common in consumer ram?

It's not a JEDEC requirement per se, but some manufacturers implement it; Micron, I'm pretty sure, does.

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz


4 minutes ago, Captain Chaos said:

Oh, and no CPU, to avoid the speculative execution stuff.

And no motherboard or storage, in case 3-letter agencies decide to install something in the firmware.

*clears throat*

 

RISC-V


 


11 minutes ago, Captain Chaos said:

I guess my next build will have no RAM then.

 

Oh, and no CPU, to avoid the speculative execution stuff.

And no motherboard or storage, in case 3-letter agencies decide to install something in the firmware. 

 

At least I'll have plenty of room inside my case for RGB strips. xD

At least GPUs are safe.

 

Goddammit nevermind.


Image result for here we go again

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


7 hours ago, Sauron said:

 

It is currently unknown whether this attack or even just Rowhammer has ever been exploited in the wild but if you work with extremely sensitive data upgrading to TRR memory may be worth it. This exploit IS theoretically viable over the internet and was used in the paper to extract a private SSH key from the "victim".

 

 

So, uhh, what are my options again to mitigate this if my PC won't take DDR4? (because Haswell).

My eyes see the past…

My camera lens sees the present…


4 minutes ago, Zodiark1593 said:

So, uhh, what are my options again to mitigate this if my PC won't take DDR4? (because Haswell).

ECC would be about the best you could do if both your specific Haswell and the motherboard support it.


I feel like posting a google drive link to all my data just to get it over with lol.


10 hours ago, Sauron said:

*clears throat*

 

RISC-V


 

Why the hell would anyone use that? It has "risk" in its name ffs...


3 hours ago, justpoet said:

ECC would be about the best you could do if both your specific Haswell and the motherboard support it.

Which requires a Xeon V3. ECC has never been supported on any desktop CPU in the Core series.

 

You can get Xeon-Ds for ECC in budget systems, but that's basically not an option for gamers. If you want ECC and want to game, you have to get a workstation board to get ECC.

 


4 hours ago, Zodiark1593 said:

So, uhh, what are my options again to mitigate this if my PC won't take DDR4? (because Haswell).

Upgrade to Ryzen 3k 🤷‍♂️ or don't worry about it; this isn't very easy to exploit and we don't know of any actual attempts at doing so in the wild.

4 hours ago, justpoet said:

ECC would be about the best you could do if both your specific Haswell and the motherboard support it.

As I mentioned ECC doesn't really help against this so even if they could upgrade to that it would be a waste of money.


So... could a fake ad with JavaScript code use this to read, say, our mail cookies and take control of our address?

How hard would it be for an attacker if he can make some unknown guy run his code, but does not know anything about that person?

Do you think VPSes will be susceptible to it? I mean, you often get assigned 8 GB of RAM, so it could be a contiguous 8 GB, which would limit access to your data, or does it not matter at all?


2 minutes ago, Loote said:

So... could a fake ad with javascript code use this to read, say, our mail cookies and take control of our address?

In theory, yes. In practice it's highly unlikely.

2 minutes ago, Loote said:

How hard would it be for an attacker if he can make some unknown guy run his code, but does not know anything about such person?

If you willingly run native code it would be difficult but quite feasible.

3 minutes ago, Loote said:

Do you think VPSes will be susceptible to it? I mean, you often get assigned 8 GB of RAM, so it could be a continuous 8GB, which would limit access to your data, or it doesn't matter at all?

Red Hat says hypervisors don't help so a VPS would also be vulnerable.


Quote

Users can mitigate their risk by upgrading their memory to DDR4 with targeted row refresh (TRR) enabled.

So press F to all PCs with DDR3 and below? 

There is more that meets the eye
I see the soul that is inside

 

 


2 hours ago, captain_to_fire said:

So press F to all PCs with DDR3 and below? 

DDR2 and DDR are not affected by Rowhammer.

 

But yes, DDR3 systems have no way of defending themselves against this. As I said it's probably not a huge deal for the average user but still.


3 minutes ago, Arika S said:

Page file master race

they'll come after your cpu cache next!


This is what you'll get when you're downloading RAM.

DAC/AMPs:

Klipsch Heritage Headphone Amplifier

Headphones: Klipsch Heritage HP-3 Walnut, Meze 109 Pro, Beyerdynamic Amiron Home, Amiron Wireless Copper, Tygr 300R, DT880 600ohm Manufaktur, T90, Fidelio X2HR

CPU: Intel 4770, GPU: Asus RTX3080 TUF Gaming OC, Mobo: MSI Z87-G45, RAM: DDR3 16GB G.Skill, PC Case: Fractal Design R4 Black non-iglass, Monitor: BenQ GW2280


42 minutes ago, CTR640 said:

This is what you'll get when you're downloading RAM.

But how else am I supposed to speed up my system?

I'm pretty sure my purpose in life is to serve as a warning for others.

