Date: Mon, 09 Mar 2015 14:37:02 -0700 From: Bakul Shah <bakul@bitblocks.com> To: "Poul-Henning Kamp" <phk@phk.freebsd.dk> Cc: freebsd-security@FreeBSD.org, Dmitry Morozovsky <marck@rinet.ru> Subject: Re: DRAM Rowhammer exploits Message-ID: <20150309213702.B07A6B827@mail.bitblocks.com> In-Reply-To: Your message of "Mon, 09 Mar 2015 20:46:19 -0000." <70815.1425933979@critter.freebsd.dk> References: <alpine.BSF.2.00.1503092248580.38285@woozle.rinet.ru> <91440.1425930724@critter.freebsd.dk> <20150309202308.64DFBB82A@mail.bitblocks.com> <70815.1425933979@critter.freebsd.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 09 Mar 2015 20:46:19 -0000 "Poul-Henning Kamp" <phk@phk.freebsd.dk> wrote: > -------- > In message <20150309202308.64DFBB82A@mail.bitblocks.com>, Bakul Shah writes: > >On Mon, 09 Mar 2015 19:52:04 -0000 "Poul-Henning Kamp" <phk@phk.freebsd.dk> > wrote: > > >Hopefully ECC memory protects against such exploits (at least > >makes them a lot less vulnerable). > > ECC only makes it harder, it doesn't make it impossible. According to the small sample in the paper below, the incidence of 3 bit errors is about 4000 times or more lower than single bit errors. These are the errors that may not even get detected by ECC. So not impossible but much better. http://users.ece.cmu.edu/~omutlu/pub/dram-row-hammer_isca14.pdf It also proposes a few solutions. It seems to indicate that reducing refresh time by a factor of 7 (over 64ms) removes such errors. Hopefully this can be done via a firmware upgrade? I don't know if the physical page pool for kernel data can be isolated enough from user data to avoid this. [Probably not. Likely there is no standard way to do map a phys addr to a specific chip/row and diff. mfrs may use diff geometries. Though, perhaps this same phenomenon can be used to infer chip geometry!] Also see: http://users.ece.cmu.edu/~omutlu/pub/dram-row-hammer_kim_talk_isca14.pdf
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150309213702.B07A6B827>