cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
21,090
VUSec researchers at Vrije Universiteit Amsterdam have provided evidence that ECC memory is susceptible to the unpatchable Rowhammer bitflip vulnerability in memory chips. The Rowhammer exploit is when DRAM memory chips are hammered with so many reads and writes at one particular location that it causes a bit to flip from 1 to 0, or from 0 to 1 in a completely different location. Attackers can compromise PCs, smartphones, VM, across the network on a remote server and even with JavaScript. The research was done on DDR3, but it is expected to work on DDR4 also.

Initially ECC memory was thought to be immune to these attacks because ECC memory stores redundant information that the CPU uses to detect and repair the bit flips. Researchers reverse engineered ECC memory to discover how it worked. When one flip is detected, ECC memory redundancy can repair the bit flip. When 2 are detected, ECC memory will crash the program. But when 3 bits are flipped at once, it is undetectable, and researchers can silently exploit the system. Researchers found that they can reliably find bit flips that are corrected by ECC. They can detect these flips with a side channel attack that was discovered. Then researchers combine these bit flips such that ECC cannot correct or detect the bit flips. These attacks can be pulled off via an unprivileged remote shell so physical access is not needed.

Do you need physical access for ECCploit? No. While we use several techniques that require physical access to reverse engineer the ECC engine, the attack works via an unprivileged remote shell. The gist is that an attacker gathers information about the ECC engine in his own secluded/controlled environment that is similar to the target system. Then, using this information, they can launch the attack.

I provide a cloud service, what should I do now? Make sure that the error reporting software stack is working and that the system safely reacts to ECC errors. The handling of ECC errors in software problem was already mentioned by Mark Seaborn and Dan Kaminsky. On recent platforms, the ECC engine logs the errors at firmware level. On the long run, you should phase out memory/setup that is susceptible to Rowhammer. Remember, this attack combines multiple correctable errors to trigger undetectable (silent corruption) errors.
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
34,076
Jeez. Whats up with all these hardware vulnerabilities lately?

It's almost as if no one had thought of testing for hardware vulnerabilities before Spectre/Meltdown, and now all of a sudden everyone is checking out hardware and finding a ton of shit.
 

MNKyDeth

Limp Gawd
Joined
Apr 5, 2005
Messages
163
Makes me wonder if my Tnady 64k color computer that still works is vulnerable. Oh wait... It doesn't have internet..... No issues then from remote attacks. Time to start unplugging the net if it's not needed for a period of time?
 

velusip

[H]ard|Gawd
Joined
Jan 24, 2005
Messages
1,579
Jeez. Whats up with all these hardware vulnerabilities lately?

It's almost as if no one had thought of testing for hardware vulnerabilities before Spectre/Meltdown, and now all of a sudden everyone is checking out hardware and finding a ton of shit.
I think it has more to do with a rising expectation for security. These flaws have been around a long time (albeit not well known), but public scrutiny is only becoming a thing as of late. It's a good thing.
 

Grebuloner

[H]ard|Gawd
Joined
Jul 31, 2009
Messages
1,217
Makes me wonder if my Tnady 64k color computer that still works is vulnerable. Oh wait... It doesn't have internet..... No issues then from remote attacks. Time to start unplugging the net if it's not needed for a period of time?

Air-gap hacking is a real thing being worked on that is apparently showing promise. Though I doubt there's much worth taking from a Tandy these days ;)
 

nutzo

Supreme [H]ardness
Joined
Feb 15, 2004
Messages
7,380
Makes me wonder if my Tnady 64k color computer that still works is vulnerable. Oh wait... It doesn't have internet..... No issues then from remote attacks. Time to start unplugging the net if it's not needed for a period of time?

Still have one sitting in my closet. Hasn't seen the light of day for at least 10 years. :eek:


While we use several techniques that require physical access to reverse engineer the ECC engine, the attack works via an unprivileged remote shell. The gist is that an attacker gathers information about the ECC engine in his own secluded/controlled environment that is similar to the target system. Then, using this information, they can launch the attack.

So they either need access to study you system, or they need a similar system to run test on.
So, someone has to know about your system hardware, have enough interest/desire to setup similar hardware to create this exploit, then manage to get the software on your server to compromise the system.

This sounds about as likely to happen as getting hit by lighting, twice, on the same day.
 

cdabc123

2[H]4U
Joined
Jun 21, 2016
Messages
3,880
isnt this issue prominent in all computer ever? if you can freely flip the bits on the ram you already won. ecc ram just take 3 instead of 1 bit fliping
 

UrielDagda

2[H]4U
Joined
Nov 16, 2004
Messages
2,844
I think they're going to eventually prove that there is no way to create unhackable hardware... At least not without gimping it so hard that the vast majority of the hardware's power goes to defending itself against attacks.
 
Top