ECC wont help, you need row access counters(target row refresh/TRR) directly in ram chips, or in memory controller. With switch to DDR4 JEDEC had a chance of standardizing those mitigations, but that would cost additional cents per chip, cant have that!
Do you have any links to more information on that? Googling "row access counters" leads to a lot of comments you've made on the internet, and nothing else.
I'm skeptical that "ECC won't help," that's not a commonly held opinion. It might be true but it'd be interesting to read some actual analysis as to why.
From the original paper, "For example, SECDED (single error-correction, double error detection) can correct only a single-bit error within a 64-bit word. If a word contains two victims, however, SECDED cannot correct the resulting double-bit error. And for three or more victims, SECDED cannot even detect the multi-bit error,leading to silent data corruption. Therefore, we conclude that SECDED is not failsafe against disturbance errors."
The challenge for the attacker is to produce a 3 or more bit failure before a 2-bit failure occurs, which would trigger some alarms. I haven't seen any research on the feasibility of such an attack.
Additionally, there are stronger ECC schemes than SECDED, for example the one in IBM's ChipKill. It is hard to imagine a RowHammer attack that could remain undetected with such a scheme.
It is fair to say that ECC memory raises the bar for attackers.
ECC doesn't solve rowhammer, but it raises the difficulty.
If you only get a single bit error, ECC will fix it, and increase a counter / raise a usually slow interrupt, if you get a lot of them, perf will be impacted, and the operator should notice.
If you get a double bit error, ECC will (generally) halt the os, and the operator will definitely notice. -- you won't get to try very much.
If you get a multi bit error, maybe you can do your nefarious task.
And TRR itself is not sufficient. From the paper "The idea of TRR is to refresh adjacent rows if the targeted row is accessed at a high frequency. More specifically, TRR works with a maximum number of activations allowed during one refresh cycle, the maximum active count. Thus, if a double-sided Rowhammer attack (Section 2.2) is mounted, and two hammered rows are accessed more than the defined maximum active count, the adjacent rows (in particular the victim row of the attack) will be refreshed. As the potential victim
rows are refreshed, in theory, no bit flip will occur, and the attack is mitigated. However, in practice, bit flips can be further away from the hammered rows and thus TRR may be ineffective"
I read that paper. Next iteration or TRR could have cascaded adders with dividers for X neighbor rows. But first we need JEDEC to grab current industry players by the throat and force their colluding asses to at least start doing something by adopting TRR in desktop/server products :(
> Throwhammer works by registering a large amount of memory space called a buffer on the network card of the targeted device. [1]
> Nethammer is the first truly remote Rowhammer attack, without a single attacker-controlled
line of code on the targeted system. Systems that use uncached memory or flush instructions while handling network requests, e.g., for interaction with the network device, can be attacked using
Nethammer. Other systems can still be attacked if they are protected with quality-of-service techniques like Intel CAT. We demonstrate that the frequency of the cache misses is in all three cases high
enough to induce bit flips. [2]
Looks like this doesn’t depend on direct memory access. Judging from the devices, it’ll also work at lower speeds, whereas throwhammer requires multi-gbps.
18 comments
[ 3.0 ms ] story [ 54.7 ms ] threadI'm skeptical that "ECC won't help," that's not a commonly held opinion. It might be true but it'd be interesting to read some actual analysis as to why.
The challenge for the attacker is to produce a 3 or more bit failure before a 2-bit failure occurs, which would trigger some alarms. I haven't seen any research on the feasibility of such an attack.
Additionally, there are stronger ECC schemes than SECDED, for example the one in IBM's ChipKill. It is hard to imagine a RowHammer attack that could remain undetected with such a scheme.
It is fair to say that ECC memory raises the bar for attackers.
If you only get a single bit error, ECC will fix it, and increase a counter / raise a usually slow interrupt, if you get a lot of them, perf will be impacted, and the operator should notice.
If you get a double bit error, ECC will (generally) halt the os, and the operator will definitely notice. -- you won't get to try very much.
If you get a multi bit error, maybe you can do your nefarious task.
> Nethammer is the first truly remote Rowhammer attack, without a single attacker-controlled line of code on the targeted system. Systems that use uncached memory or flush instructions while handling network requests, e.g., for interaction with the network device, can be attacked using Nethammer. Other systems can still be attacked if they are protected with quality-of-service techniques like Intel CAT. We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. [2]
[1]: https://arstechnica.com/information-technology/2018/05/attac...
[2]: https://arxiv.org/pdf/1805.04956.pdf
Nethammer: > 1 024 000 packets per second over a 500 Mbit/s connection ......Hence, we conclude that in theory...
Both currently at best lead to server crash, and are highly impractical.