Date:      Tue, 10 Mar 2015 12:15:49 -0500
From:      Leif Pedersen <bilbo@hobbiton.org>
To:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: DRAM Rowhammer exploits
Message-ID:  <CAK-wPOjqJ7bWSJ-X6CkdjdABZsd7NBVHz0UoH312LRS=aMVHWw@mail.gmail.com>
In-Reply-To: <54FE12CE.1000401@digiware.nl>
References:  <alpine.BSF.2.00.1503092248580.38285@woozle.rinet.ru> <54FE12CE.1000401@digiware.nl>

I have a suggestion. As a simpler measure, would it be possible to
implement a test at boot time to determine whether the system is
vulnerable? I guess such a test would have to run in the kernel to get the
particular memory mapping required. The result would naturally emit a
kernel message, but it would be much easier to monitor for automatically if
it also set a read-only sysctl.

For sure at my company, I would add an alert for such a test on our most
accessible systems. I could easily replace any affected hardware on our DMZ
and edge networks if I can identify it easily. For that matter, some
hardware may not need replacing if I diddle with the over-clocker's BIOS
settings. Ongoing monitoring matters because I'd hate to have someone swap
hardware or reset the BIOS in an emergency and not know they opened the
vulnerability.

If the hardware can be worked around, that's very helpful, but the
proposals sound like they'd have fairly severe performance impacts and/or
be impossible to guarantee for all hardware. On many of our systems,
multi-user security is just not an issue, and for them I would choose
performance over fixing this problem or replacing the hardware. Indeed, I
would keep the hardware removed from sensitive systems to reuse in more
protected environments.

In any case, I would think that having a reliable test would be very
helpful to most of this audience. Without it, I'm fumbling in the dark.
Does anyone empathize with this?

- Leif
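The boot-time probe Leif asks for is essentially the open-source rowhammer-test idea run from a more privileged vantage point. As an added example (not code from this thread, from FreeBSD, or from any of the rowhammer-test projects), the following userland C program shows the mechanics such a test needs: fill a region with a known pattern, hammer two "aggressor" addresses with uncached reads, then scan the region for flipped bits. Assumptions are labelled in the code: it uses the x86 `clflush` instruction for cache eviction (elsewhere the reads hit the cache and nothing is hammered), and because a process does not know physical addresses, the two aggressors are picked blindly at a fixed stride within the buffer, so they may or may not land in rows adjacent to a victim row. A kernel implementation, as proposed above, would choose physically adjacent rows instead; the fill-hammer-scan structure is the same.

```c
/* Added example: a minimal userland Rowhammer probe. Not FreeBSD code and
 * not the kernel test proposed in the message above. Labelled assumptions:
 * x86 clflush is used for cache eviction, and aggressor addresses are
 * chosen blindly (no physical-address knowledge from userland). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
/* Evict one cache line so the next read of it goes to DRAM. */
#define CLFLUSH(p) __asm__ volatile("clflush (%0)" : : "r"(p) : "memory")
#else
/* Assumption: no portable flush here, so reads stay cached and the rows
 * are not actually hammered on non-x86 builds. */
#define CLFLUSH(p) ((void)(p))
#endif

/* The "hammer": repeatedly read two aggressor addresses, flushing them
 * from the cache after every access so each read activates a DRAM row. */
static void hammer(volatile uint8_t *a, volatile uint8_t *b, unsigned long iters)
{
    while (iters--) {
        (void)*a;
        (void)*b;
        CLFLUSH(a);
        CLFLUSH(b);
    }
}

/* Compare a buffer against the byte it was filled with; return the total
 * number of flipped bits and report the first few offsets on stderr. */
size_t count_bit_flips(const uint8_t *buf, size_t len, uint8_t pattern)
{
    size_t flips = 0, reported = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = buf[i] ^ pattern;
        if (diff == 0)
            continue;
        flips += (size_t)__builtin_popcount(diff);
        if (reported++ < 8)
            fprintf(stderr, "flip at offset %zu: 0x%02x -> 0x%02x\n",
                    i, pattern, buf[i]);
    }
    return flips;
}

/* One probe: fill `len` bytes with `pattern`, hammer two addresses that
 * straddle the middle of the buffer at distance `stride`, then scan.
 * Returns the flip count, or (size_t)-1 if the parameters are unusable. */
size_t rowhammer_probe(size_t len, size_t stride, uint8_t pattern, unsigned long iters)
{
    if (stride == 0 || len < 2 * stride + 1)
        return (size_t)-1;
    uint8_t *buf = malloc(len);
    if (buf == NULL)
        return (size_t)-1;
    memset(buf, pattern, len);          /* also faults every page in */

    /* Assumption: a kernel version would pick physically adjacent rows;
     * from userland we can only pick a stride and hope. */
    volatile uint8_t *a = buf + len / 2 - stride;
    volatile uint8_t *b = buf + len / 2 + stride;
    hammer(a, b, iters);

    size_t flips = count_bit_flips(buf, len, pattern);
    free(buf);
    return flips;
}

int main(void)
{
    /* Constructed parameters: a 64 MiB buffer, aggressors 8 KiB apart,
     * four fill patterns, 500k hammer iterations each. A real test would
     * run far longer and sweep many strides. */
    const uint8_t patterns[] = { 0xff, 0x00, 0x55, 0xaa };
    int vulnerable = 0;
    for (size_t i = 0; i < sizeof patterns; i++) {
        size_t n = rowhammer_probe((size_t)64 << 20, 8192, patterns[i], 500000UL);
        printf("pattern 0x%02x: %zu flipped bit(s)\n", patterns[i], n);
        if (n != 0 && n != (size_t)-1)
            vulnerable = 1;
    }
    /* The exit status is what a boot script or the proposed sysctl would
     * surface: non-zero means at least one flip was observed. */
    return vulnerable;
}
```

Any non-zero flip count is a positive result; a zero result after a short run proves nothing, which is exactly why the kernel-side, physically aware test Leif describes would be worth having.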
