1 comment

[ 2.5 ms ] story [ 9.1 ms ] thread
This is bananas.

We've known for about 2 years now that Rowhammer is nominally possible. This research is interesting, because it blows away all of our assumptions about mitigations to Rowhammer: it even defeats all of them _at the same time_.

For example: it turns out it's not necessary to hammer multiple DRAM rows to trigger the bug, you can just go after a single location. This makes the attack more stealthy but also faster. They've developed new techniques for deterministically modifying userspace binaries without exhausting memory. Preventing exhaustion-based page placement was thought to prevent Rowhammer attacks, but it turns that's not necessary either. The new technique is crazy clever, exploiting specific performance tweaks in the Linux page cache to place a page right where they want it (in physical RAM). They also made the techniques for memory pattern mapping (spraying and grooming) much, much more subtle, making it harder to track the attack from stats. And, in a final coup de grace, they shoved all of this into Intel SGX, which does a mostly-good job of hiding this from the rest of the system (including the kernel), by design. In particular, you can't look at performance counters anymore to know that something is banging the heck out of something, because SGX bypasses those.

The "obvious" attack is to go after sudo to get root. They do that. Another cool one is that SGX, when it detects tampering, will _halt the entire damn box_ until you power cycle it. So turns out you can cause some pretty serious havoc :)