The ECCploit Proves ECC RAM Is Susceptible to Rowhammer Attacks

Discussion in 'HardForum Tech News' started by cageymaru, Nov 23, 2018.

  1. cageymaru

    cageymaru [H]ard as it Gets

    Apr 10, 2003
    VUSec researchers at Vrije Universiteit Amsterdam have provided evidence that ECC memory is susceptible to the unpatchable Rowhammer bitflip vulnerability in memory chips. The Rowhammer exploit is when DRAM memory chips are hammered with so many reads and writes at one particular location that it causes a bit to flip from 1 to 0, or from 0 to 1, in a completely different location. Attackers can compromise PCs, smartphones, VMs, remote servers across the network, and even with JavaScript. The research was done on DDR3, but it is expected to work on DDR4 also.

    Initially ECC memory was thought to be immune to these attacks because ECC memory stores redundant information that the CPU uses to detect and repair the bit flips. Researchers reverse engineered ECC memory to discover how it worked. When one flip is detected, ECC memory redundancy can repair the bit flip. When 2 are detected, ECC memory will crash the program. But when 3 bits are flipped at once, it is undetectable, and researchers can silently exploit the system. Researchers found that they can reliably find bit flips that are corrected by ECC. They can detect these flips with a side channel attack that was discovered. Then researchers combine these bit flips such that ECC cannot correct or detect the bit flips. These attacks can be pulled off via an unprivileged remote shell so physical access is not needed.

    Do you need physical access for ECCploit? No. While we use several techniques that require physical access to reverse engineer the ECC engine, the attack works via an unprivileged remote shell. The gist is that an attacker gathers information about the ECC engine in his own secluded/controlled environment that is similar to the target system. Then, using this information, they can launch the attack.

    I provide a cloud service, what should I do now? Make sure that the error reporting software stack is working and that the system safely reacts to ECC errors. The problem of handling ECC errors in software was already mentioned by Mark Seaborn and Dan Kaminsky. On recent platforms, the ECC engine logs the errors at firmware level. In the long run, you should phase out memory/setups that are susceptible to Rowhammer. Remember, this attack combines multiple correctable errors to trigger undetectable (silent corruption) errors.
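    The three decoder outcomes the post describes (one flip corrected, two detected, three slipping through) as an added simulation of a textbook SEC-DED code; this is not code from the original post or from the VUSec research, the nibble and flip positions are constructed here, and real server ECC uses wider codes (e.g. 72/64-bit) with different coverage.

```python
# Added example: a toy SEC-DED code (Hamming(7,4) plus an overall parity bit)
# showing how one flip is corrected, two are detected but uncorrectable, and
# three can be "corrected" into the wrong value (silent corruption).
# Textbook simulation only; not the ECC engine VUSec reverse engineered.

def encode(nibble):
    """4 data bits -> 8-bit codeword; index 0 is overall parity, 1..7 Hamming."""
    d1, d2, d3, d4 = nibble
    p1 = d1 ^ d2 ^ d4          # covers positions 1,3,5,7
    p2 = d1 ^ d3 ^ d4          # covers positions 2,3,6,7
    p4 = d2 ^ d3 ^ d4          # covers positions 4,5,6,7
    word = [p1, p2, d1, p4, d2, d3, d4]
    return [sum(word) % 2] + word

def decode(code):
    """Return (status, data) exactly as a SEC-DED decoder would report it."""
    s1 = code[1] ^ code[3] ^ code[5] ^ code[7]
    s2 = code[2] ^ code[3] ^ code[6] ^ code[7]
    s4 = code[4] ^ code[5] ^ code[6] ^ code[7]
    syndrome = s1 | (s2 << 1) | (s4 << 2)   # position of a presumed single flip
    parity_even = sum(code) % 2 == 0
    fixed = list(code)
    if syndrome == 0 and parity_even:
        status = "ok"
    elif not parity_even:
        # odd flip count: the decoder assumes exactly one flip and repairs it;
        # syndrome 0 means it blames the overall parity bit itself
        fixed[syndrome] ^= 1
        status = "corrected"
    else:
        status = "uncorrectable"        # even flip count with errors: two flips
    return status, [fixed[3], fixed[5], fixed[6], fixed[7]]

def inject(nibble, positions):
    """Flip the given codeword positions and classify the decoder's reaction.

    Returns (status, silent) where silent means the decoder reported a
    successful correction but handed back the wrong data."""
    code = encode(nibble)
    for pos in positions:
        code[pos] ^= 1
    status, data = decode(code)
    silent = status == "corrected" and data != list(nibble)
    return status, silent

if __name__ == "__main__":
    nib = [1, 0, 1, 1]                        # constructed sample data
    print(inject(nib, [5]))                   # ('corrected', False)
    print(inject(nib, [5, 6]))                # ('uncorrectable', False)
    print(inject(nib, [3, 5, 6]))             # ('corrected', True): silent corruption
```

The last case is the one the post warns about: three flips leave a syndrome that looks like a single error, so the decoder "repairs" the wrong bit and reports success.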
  2. TheOne&OnlyZeke

    TheOne&OnlyZeke 100% Irish

    Jul 21, 2000
    Once they switch the flip, you're done! Satellites! The 'Net! Cell phones! Chips! The dentist...!

  3. dgz

    dgz [H]ardness Supreme

    Feb 15, 2010
    You can always switch to 100% Amish
  4. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Oct 29, 2000
    Jeez. What's up with all these hardware vulnerabilities lately?

    It's almost as if no one had thought of testing for hardware vulnerabilities before Spectre/Meltdown, and now all of a sudden everyone is checking out hardware and finding a ton of shit.
  5. MNKyDeth

    MNKyDeth Limp Gawd

    Apr 5, 2005
    Makes me wonder if my Tandy 64k color computer that still works is vulnerable. Oh wait... It doesn't have internet..... No issues then from remote attacks. Time to start unplugging the net if it's not needed for a period of time?
  6. velusip

    velusip [H]ard|Gawd

    Jan 24, 2005
    I think it has more to do with a rising expectation for security. These flaws have been around a long time (albeit not well known), but public scrutiny is only becoming a thing as of late. It's a good thing.
  7. Grebuloner

    Grebuloner Gawd

    Jul 31, 2009
    Air-gap hacking is a real thing being worked on that is apparently showing promise. Though I doubt there's much worth taking from a Tandy these days ;)
  8. nutzo

    nutzo [H]ardness Supreme

    Feb 15, 2004
    Still have one sitting in my closet. Hasn't seen the light of day for at least 10 years. :eek:

    So they either need access to study your system, or they need a similar system to run tests on.
    So, someone has to know about your system hardware, have enough interest/desire to set up similar hardware to create this exploit, then manage to get the software on your server to compromise the system.

    This sounds about as likely to happen as getting hit by lightning, twice, on the same day.
  9. Prisoner849

    Prisoner849 Gawd

    May 5, 2016
    And in the same place. But, 'can' isn't 'can't', so....
  10. cdabc123

    cdabc123 2[H]4U

    Jun 21, 2016
    Isn't this issue prominent in all computers ever? If you can freely flip the bits in the RAM you've already won. ECC RAM just takes 3 bit flips instead of 1.
  11. UrielDagda

    UrielDagda 2[H]4U

    Nov 16, 2004
    I think they're going to eventually prove that there is no way to create unhackable hardware... At least not without gimping it so hard that the vast majority of the hardware's power goes to defending itself against attacks.