Seems it's relatively easy to counter for Ivy Bridge and forward:
No, not really. From the blog you cite:
"Mitigations and Fix:
This vulnerability exists within hardware and cannot be mitigated by just upgrading software."
It's a DRAM scaling issue, not really a CPU bug. There are workarounds to the bug if you are so inclined.
Actually it's both, and as already stated this is a hardware issue that can't be fixed easily via software. As the original paper stated, only 30% of corporations patch computers for security vulnerabilities. How many do you think will go around patching computer BIOSes? (only way to currently mitigate via hardware). I personally use NoScript but it's not foolproof either and this would only protect against JavaScript implementations.
Sorry I'm missing where this is stated, can you link to this please?
Not related to this, but I would never put anything I wanted to be secure in the cloud anyway.
Precisely my concern. My guess is many here don't work for large organizations or are exposed to how large amounts of sensitive data are handled. This is a pretty common thing these days. Especially for finance, HR, and even legal departments to outsource portions of their goods to the cloud.
In this case, cloud would be much more secure than some random PC.
I wouldn't assume that, probably true for the average desktop user, but when discussing sensitive PII for organizations that data is normally handled internally, usually by IT departments (security and networking if big enough), via a series of segmentation techniques with a bunch of industry standard security controls implemented. Highly secure companies are starting to outsource things like security operation centres for monitoring, logging, WAF, which is super useful but also expensive. Audits are performed regularly to check against implemented security controls. Having full control (or almost full anyway) over your sensitive data is vital in today's world.
Virtualization has helped with the cost and the storing and moving of data, but when issues like Rowhammer are discovered it removes confidence in these technologies. *ALL* cloud companies use some form of virtualization (Xen, KVM, VMware, Hyper-V etc.) for scalability, reliability and cost reasons, so this is why I picked on the cloud. Security is the third pillar that these cloud companies trumpeted as one of the reasons to move to them.
Also there's a misconception with cloud security. When you move things into the cloud you rely on the vendor to secure most or all of the infrastructure for you, but the data itself is fair game (this is up to developers, security testers, etc. to protect as it's very easy to screw this up).
Reducing factors are ECC and the memory capacity. More memory, less chance.
More DRAM or ECC as a protection, sure this can help, but do you think the attackers won't attempt to work on faster implementations? The researchers used JavaScript on purpose to prove a point.
The important takeaway here is this can be done with JavaScript today against a huge number of processors (JavaScript is among the most common ways to perform remote exploits via drive-by attacks, phishing etc.).
The following conclusion from the article needs to be taken into consideration as well. This will get worse over time. How well do you think ARM technologies will fare, how many smartphones exist today?
"In this paper, we presented Rowhammer.js, an implementation of the Rowhammer attack using optimal cache eviction through memory accesses. Although implemented in JavaScript, the attack technique is independent of the specific CPU microarchitecture, programming language and runtime environment, as long as the stream of memory accesses is executed fast enough. Rowhammer.js is the first remote hardware-fault attack."