
DDR4 found to be vulnerable to Rowhammer attacks

Nowak


Sauce: http://arstechnica.com/security/2016/03/once-thought-safe-ddr4-memory-shown-to-be-vulnerable-to-rowhammer/

 

Quote

Physical weaknesses in memory chips that make computers and servers susceptible to hack attacks dubbed "Rowhammer" are more exploitable than previously thought and extend to DDR4 modules, not just DDR3, according to a recently published research paper.

For those of you wondering what Rowhammer can do, it can give an attacker super user privileges through bit-flipping attacks (changing 0s to 1s and vice versa for malicious purposes) in the RAM itself. According to new research, DDR3 and DDR4 are both affected by this vulnerability. However,

 

Quote

Mark Lanteigne, Third I/O CTO and founder, told Ars there's no immediate danger of Rowhammer being exploited maliciously to hijack the security of computers that use the vulnerable memory chips. Still, he said his assessment presents a significantly less comforting picture than those painted by Samsung, Micron, and other DDR manufacturers. Samsung, he said, has largely declared its DDR4 product line to be "Rowhammer free" because of technology it calls TRR, or targeted row refresh, which makes chips better able to withstand large numbers of malicious accesses that come in rapid succession during the attack. Micron, meanwhile, has also praised the benefits of TRR in its DDR4 products.

Whether or not this lack of immediate danger to users is true has yet to be seen, but all the same tests that were done on DDR3 could be reproduced on DDR4 modules as well. However, common RAM manufacturers like Samsung and Micron do seem pretty confident that their targeted row refresh technology will prevent such attacks.

 

What do you think of this? This seems like it could be a pretty bad thing for users' security, as it attacks the bits in the RAM itself to gain super user access, something that most end users will not pick up on right away. However, I've yet to see anything come out of it aside from proof-of-concept attacks. Do you think it'll be exploited?


I am fairly certain they found it to be vulnerable to rowhammer like in 2014... and that they already fixed it once with BIOS updates

CPU: Intel i7 5820K @ 4.20 GHz | MotherboardMSI X99S SLI PLUS | RAM: Corsair LPX 16GB DDR4 @ 2666MHz | GPU: Sapphire R9 Fury (x2 CrossFire)
Storage: Samsung 950Pro 512GB // OCZ Vector150 240GB // Seagate 1TB | PSU: Seasonic 1050 Snow Silent | Case: NZXT H440 | Cooling: Nepton 240M
FireStrike // Extreme // Ultra // 8K // 16K

 


2 minutes ago, DXMember said:

I am fairly certain they found it to be vulnerable to rowhammer like in 2014... and that they already fixed it once with BIOS updates

Paper the article is sourced from was published this month. Still vulnerable, it seems.


Just now, Daring said:

Paper the article is sourced from was published this month.

cool,

also DDR4 standard by JEDEC does not include TRR for row hammer prevention

Page 29: http://www.memcon.com/pdfs/proceedings2015/SAT104_FuturePlus.pdf

Page 4: http://ddrdetective.com/files/6414/1036/5710/The_Known_Failure_Mechanism_in_DDR3_memory_referred_to_as_Row_Hammer.pdf

Paragraph 5: http://semiengineering.com/will-there-be-a-ddr5/

http://www.eurosoft-uk.com/eurosoft-test-bulletin-testing-row-hammer/

http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

http://techreport.com/blog/27936/rowhammer-attack-exploits-shrinking-process-size-in-dram

 

It's been very well known and documented for a very long time

 

the original paper has a first reference to this paper:

https://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf (also mentions it to be the original work)

on Section 9 of that paper in Related work it mentions row hammer attack to be exploited on DDR4 as early as 2013.

 

Either you or ArsTechnica is misinterpreting the paper...

It's more about how to elevate privileges and gain control of the machine exploiting an already known issue rather than finding a new vulnerability.

Both have been done before and are linked both above in my post and below in the paper ArsTechnica wrote their article around...


Just now, DXMember said:

cool,

also DDR4 standard by JEDEC does not include TRR for row hammer prevention

Page 29: http://www.memcon.com/pdfs/proceedings2015/SAT104_FuturePlus.pdf

Page 4: http://ddrdetective.com/files/6414/1036/5710/The_Known_Failure_Mechanism_in_DDR3_memory_referred_to_as_Row_Hammer.pdf

Paragraph 5: http://semiengineering.com/will-there-be-a-ddr5/

http://www.eurosoft-uk.com/eurosoft-test-bulletin-testing-row-hammer/

http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

http://techreport.com/blog/27936/rowhammer-attack-exploits-shrinking-process-size-in-dram

 

It's been very well known and documented for a very long time

 

the original paper has a first reference to this paper:

https://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf (also mentions it to be the original work)

on Section 9 of that paper in Related work it mentions row hammer attack to be exploited on DDR4 as early as 2013.

 

Either you or ArsTechnica is misinterpreting the paper...

It's more about how to elevate privileges and gain control of the machine exploiting an already known issue rather than finding a new vulnerability.

Both have been done before and are linked both above in my post and below in the paper ArsTechnica wrote their article around...

They said in the article that TRR is a Samsung thing. Not misinterpreting a thing.


So what I get from this is I should be afraid and that my next RAM purchase should be from Samsung, alright.

 

In any case, just like with any other hacks, the hacker would need access to your machine to begin with, so as long as you have Adblock, don't download/run anything you shouldn't, you should be safe...

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


Just now, TetraSky said:

So what I get from this is I should be afraid and that my next RAM purchase should be from Samsung, alright.

 

In any case, just like with any other hacks, the hacker would need access to your machine to begin with, so as long as you have Adblock, don't download/run anything you shouldn't, you should be safe...

It can be done with JavaScript used to deliver site content to a user, according to the article. And Samsung produces most of the world's RAM modules, so in most cases, you should theoretically be safe.


4 minutes ago, Daring said:

They said in the article that TRR is a Samsung thing. Not misinterpreting a thing.

it's not only a Samsung thing...

any DDR4 manufacturer is free to implement TRR

and it's not a part of JEDEC published standard for DDR4

and it's not like it's trivial to exploit the vulnerability either way

 

what I mean is this has been well documented and known for many years; I don't see a reason for such a sensational title under news


Just now, DXMember said:

it's not only a Samsung thing...

any DDR4 manufacturer is free to implement TRR

and it's not a part of JEDEC published standard for DDR4

ok.


54 minutes ago, TetraSky said:

So what I get from this is I should be afraid and that my next RAM purchase should be from Samsung, alright.

 

In any case, just like with any other hacks, the hacker would need access to your machine to begin with, so as long as you have Adblock, don't download/run anything you shouldn't, you should be safe...

a computer is only safe if it's not connected to the internet


3 minutes ago, DXMember said:

a computer is only safe if it's not connected to the internet

And then someone plugs an infected USB drive in it and suddenly you have a cryptolock.


1 minute ago, TetraSky said:

And then someone plugs an infected USB drive in it and suddenly you have a cryptolock.

let me rephrase my sentence - a computer is only safe if it's not powered on


Joke's on you, hacker. My RAM is so tweaked, it skirts on the edge of stability. Flip one bit incorrectly, and IMC is gonna choke. Can't hack what isn't stable.

 

In case it is not obvious, I am joking.
