(row)Hammer Time!

Ken g6

Ars Technica has an article about progress on rowhammer attacks.
In one of the more impressive hacks in recent memory[ed:HA!], researchers have devised an attack that exploits physical weaknesses in certain types of DDR memory chips to elevate the system rights of untrusted users of Intel-compatible PCs running Linux.
Last week, researchers demonstrated what's likely the most practical exploit method yet. In a paper titled A New Approach for Rowhammer Attacks, they said already-installed code containing non-temporal instructions can be used to carry out bitflipping attacks that take over the computer or cause it to stop working.

I ran a recent version of memtest on my new Skylake with DDR4. I think it passed that rowhammer test. How worried should I be about my computer being hackable this way?
 

Elixer

It is extremely difficult to get it right, so, while not 100% safe, more like 99.9% that nobody will bother to 'hack' this way except to cause mischief.
 

TheRyuu

Before anybody brings up ECC please note that ECC (SECDED) is not an effective mitigation[1] for row hammer.

I wouldn't worry about it yet. You can check to see if your DDR4 memory/motherboard (is mobo support required?) support the TRR instruction which provides additional mitigation against row hammer without the negative performance impact of faster refresh intervals.

[1] https://en.wikipedia.org/wiki/Row_hammer#Mitigation
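
Added illustration, not part of the post above: a scaled-down SECDED decoder run over every 1-, 2-, 3- and 4-bit flip pattern in one word, showing where single-error-correct/double-error-detect stops helping. The 8-bit extended Hamming code and the data word 0b1011 are assumptions standing in for the wider codes used on ECC DIMMs.

```python
from itertools import combinations

def encode(nibble):
    """4 data bits -> 8-bit extended Hamming (SECDED) codeword, as a bit list."""
    w = [0] * 8                       # w[1..7]: Hamming(7,4); w[0]: overall parity
    w[3], w[5], w[6], w[7] = [(nibble >> i) & 1 for i in range(4)]
    w[1] = w[3] ^ w[5] ^ w[7]
    w[2] = w[3] ^ w[6] ^ w[7]
    w[4] = w[5] ^ w[6] ^ w[7]
    w[0] = sum(w[1:]) & 1
    return w

def decode(word):
    """Return (status, nibble); status is 'ok', 'corrected' or 'uncorrectable'."""
    w = list(word)
    syndrome = 0
    for pos in range(1, 8):
        if w[pos]:
            syndrome ^= pos           # XOR of set positions is 0 for a valid word
    odd = sum(w) & 1                  # overall parity check
    if syndrome and not odd:
        return "uncorrectable", None  # even number of flips: reported, not fixed
    status = "ok"
    if odd:                           # decoder assumes exactly one flipped bit
        w[syndrome] ^= 1              # syndrome 0 means the parity bit w[0] itself
        status = "corrected"
    return status, w[3] | w[5] << 1 | w[6] << 2 | w[7] << 3

def survey(nibble, nflips):
    """Tally decoder outcomes over every pattern of nflips flipped bits."""
    tally = {"right": 0, "detected": 0, "silent_wrong": 0}
    good = encode(nibble)
    for positions in combinations(range(8), nflips):
        bad = list(good)
        for p in positions:
            bad[p] ^= 1
        status, got = decode(bad)
        if status == "uncorrectable":
            tally["detected"] += 1
        else:
            tally["right" if got == nibble else "silent_wrong"] += 1
    return tally

if __name__ == "__main__":
    for n in (1, 2, 3, 4):            # constructed data word 0b1011
        print(n, "flips:", survey(0b1011, n))
```

Every single flip is repaired and every double flip is reported, but every triple flip is "corrected" into a different valid word with no error raised.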
 

Elixer

Well, crap, seems this is even more serious than what most everyone thought.
On the plus side, it seems that it is now possible to root pretty much anything, which is good news for those devices that have never seen an update.


BTW, since this is pretty darn serious, they only got $4K from Google for finding this?
Should have been more like $40K.

*Edit, this has me thinking, AMD might just be sitting on a goldmine, with Zen, and the memory encryption it will have. See http://amd-dev.wpengine.netdna-cdn....MD_Memory_Encryption_Whitepaper_v7-Public.pdf for more info on SEV.

Researchers have devised an attack that gains unfettered "root" access to a large number of Android phones by exploiting a relatively new type of bug that allows adversaries to manipulate data stored in memory chips.

The breakthrough has the potential to make millions of Android phones vulnerable, at least until a security fix is available, to a new form of attack that seizes control of core parts of the operating system and neuters key security defenses. Equally important, it demonstrates that the new class of exploit dubbed Rowhammer can have malicious and far-reaching effects on a much wider base of devices than was previously known, including those running ARM chips.

Previously, some experts believed Rowhammer attacks that altered specific pieces of security-sensitive data weren't reliable enough to pose a viable threat because exploits depended on chance hardware faults or advanced memory-management features that could be easily adapted to repel the attacks. Now, an international team of academic researchers is challenging those assumptions by demonstrating a Rowhammer exploit that alters crucial bits of data in a way that completely roots name brand Android devices from LG, Motorola, Samsung, OnePlus, and possibly other manufacturers. An app containing the researchers' rooting exploit requires no user permissions and doesn't rely on any vulnerability in Android to work.
http://arstechnica.com/security/201...tflips-to-root-android-phones-is-now-a-thing/
 