cageymaru
VUSec researchers at Vrije Universiteit Amsterdam have provided evidence that ECC memory is susceptible to the unpatchable Rowhammer bitflip vulnerability in memory chips. The Rowhammer exploit is when DRAM memory chips are hammered with so many reads and writes at one particular location that it causes a bit to flip from 1 to 0, or from 0 to 1, in a completely different location. Attackers can compromise PCs, smartphones, VMs, and remote servers across the network, and even do it with JavaScript. The research was done on DDR3, but it is expected to work on DDR4 also.
Initially ECC memory was thought to be immune to these attacks because ECC memory stores redundant information that the CPU uses to detect and repair the bit flips. Researchers reverse engineered ECC memory to discover how it worked. When one flip is detected, ECC memory redundancy can repair the bit flip. When 2 are detected, ECC memory will crash the program. But when 3 bits are flipped at once, it is undetectable, and researchers can silently exploit the system. Researchers found that they can reliably find bit flips that are corrected by ECC. They can detect these flips with a side channel attack that was discovered. Then researchers combine these bit flips such that ECC cannot correct or detect the bit flips. These attacks can be pulled off via an unprivileged remote shell so physical access is not needed.
Do you need physical access for ECCploit? No. While we use several techniques that require physical access to reverse engineer the ECC engine, the attack works via an unprivileged remote shell. The gist is that an attacker gathers information about the ECC engine in his own secluded/controlled environment that is similar to the target system. Then, using this information, they can launch the attack.
I provide a cloud service, what should I do now? Make sure that the error reporting software stack is working and that the system safely reacts to ECC errors. The problem of handling ECC errors in software was already mentioned by Mark Seaborn and Dan Kaminsky. On recent platforms, the ECC engine logs the errors at firmware level. In the long run, you should phase out memory/setups that are susceptible to Rowhammer. Remember, this attack combines multiple correctable errors to trigger undetectable (silent corruption) errors.
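The one-corrected / two-detected / three-silent behaviour the post describes, and the "combine correctable errors into an undetectable one" strategy from the VUSec FAQ, can be reproduced on a toy SECDED (single-error-correct, double-error-detect) Hamming code. The block below is an added example written for this page; it is not VUSec's ECCploit code and not the post author's. The 8-data-bit codeword layout, the flip positions (3, 5, 10) and the sample value 0xA5 are assumptions chosen for illustration; real server ECC (64+8 SECDED, chipkill/SDDC variants) differs in detail but shares the property that an odd number of flips beyond one is treated as a single correctable error and "corrected" into a wrong but valid word.

```python
"""Toy SECDED Hamming model of the ECC behaviour described in the ECCploit post.

Added example, not the original post's or VUSec's code. Layout (8 data bits,
4 Hamming parity bits at positions 1,2,4,8, overall parity at index 0) and
the flip positions used in the walkthrough are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

DATA_BITS = 8


def _hamming_parity_bits(k: int) -> int:
    """Smallest r with 2**r >= k + r + 1 (parity bits a Hamming code needs)."""
    r = 0
    while (1 << r) < k + r + 1:
        r += 1
    return r


PARITY_BITS = _hamming_parity_bits(DATA_BITS)                  # 4
N = DATA_BITS + PARITY_BITS                                    # Hamming positions 1..12
DATA_POSITIONS = [p for p in range(1, N + 1) if p & (p - 1)]   # non-powers-of-two carry data


class Status(Enum):
    OK = "no error"
    CORRECTED = "correctable error (counted, data corrected)"
    UNCORRECTABLE = "uncorrectable error (machine check / halt)"


def encode(data: int) -> List[int]:
    """Return the codeword as a bit list: index 0 = overall parity, 1..N = Hamming positions."""
    if not 0 <= data < (1 << DATA_BITS):
        raise ValueError("data out of range")
    word = [0] * (N + 1)
    for d, pos in enumerate(DATA_POSITIONS):
        word[pos] = (data >> d) & 1
    for r in range(PARITY_BITS):
        p = 1 << r
        parity = 0
        for pos in range(p + 1, N + 1):   # parity bit p covers every position with bit p set
            if pos & p:
                parity ^= word[pos]
        word[p] = parity
    word[0] = sum(word[1:]) & 1           # overall parity makes the whole word even
    return word


def flip(word: List[int], *positions: int) -> List[int]:
    """Simulate Rowhammer flipping the given bit positions of a stored codeword."""
    w = list(word)
    for p in positions:
        w[p] ^= 1
    return w


@dataclass
class EccEngine:
    """SECDED decoder with the counters a memory controller exposes (EDAC ce/ue)."""
    ce_count: int = 0
    ue_count: int = 0

    @staticmethod
    def _data(w: List[int]) -> int:
        return sum(w[pos] << d for d, pos in enumerate(DATA_POSITIONS))

    def decode(self, word: List[int]) -> Tuple[Optional[int], Status]:
        w = list(word)
        syndrome = 0
        for pos in range(1, N + 1):       # XOR of positions of set bits = error position
            if w[pos]:
                syndrome ^= pos
        overall = sum(w) & 1              # 0 for an even (clean or 2-flip) word
        if syndrome == 0 and overall == 0:
            return self._data(w), Status.OK
        if overall == 1 and syndrome <= N:
            # Odd number of flips: the engine assumes exactly one and flips the bit the
            # syndrome points at (0 = the overall parity bit). Three flips land here too.
            w[syndrome] ^= 1
            self.ce_count += 1
            return self._data(w), Status.CORRECTED
        self.ue_count += 1                # even, non-zero syndrome (or out-of-range): give up
        return None, Status.UNCORRECTABLE


def ecc_exploit_walkthrough(data: int = 0xA5, flips=(3, 5, 10)) -> dict:
    """Probe each flip alone (each is corrected and counted), then hammer all three at once:
    the decoder still reports a corrected error but returns the wrong data (silent corruption)."""
    engine = EccEngine()
    cw = encode(data)
    probe = [engine.decode(flip(cw, p)) for p in flips]
    double_status = engine.decode(flip(cw, *flips[:2]))[1]
    triple_data, triple_status = engine.decode(flip(cw, *flips))
    return {
        "probe_statuses": [s for _, s in probe],
        "probe_data_ok": all(d == data for d, _ in probe),
        "double_status": double_status,
        "triple_status": triple_status,
        "triple_data": triple_data,
        "silent_corruption": triple_status is Status.CORRECTED and triple_data != data,
        "ce_count": engine.ce_count,
        "ue_count": engine.ue_count,
    }


if __name__ == "__main__":
    for k, v in ecc_exploit_walkthrough().items():
        print(f"{k}: {v}")
```

Two things in the output matter for the FAQ's advice. The probing phase is visible: every single flip the attacker locates increments the correctable-error counter, which is exactly what the error reporting stack has to surface (on Linux, the EDAC `ce_count` sysfs files, rasdaemon or mcelog). The combined attack is not visible as anything worse than one more correctable error, so a host that only reacts to uncorrectable errors never notices the corrupted word.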