Row hammer

is your hardware vulnerable to this? can it be mitigated?

1 Like

Hi.

Row hammer at this point is just a proof of concept, to my knowledge. It is highly unlikely as a vector of attack, as for now, this proof of concept works only for a specific cases. But you probably want to check more reliable source of information for this.

Our RAM is non-ECC RAM, but some sources state that ECC cannot help with this attack (check here: https://en.wikipedia.org/wiki/Row_hammer#Mitigation).

I’ll post a follow-up if I get more info about this.

Hi pixel, thanks for this post, I didn’t know about this attack vector before, very interesting !

This is a very low-level attack, which can be executed from a very high-level; like Javascript :

https://en.wikipedia.org/wiki/Row_hammer#Exploits

This is pretty serious.

Thankfully, there are ways to mitigate this :

(1) Pejakovic is right - ECC is useless

(2) Increase memory refresh interval : default is 64 ms.

(3) Use DDR4 chips with TRR feature

===
For the moment, we can do point 2.

In the future, Purism might be interested to use these TRR DDR4 memory chips.

cheers, HS

FWIW, in digging around the Librem 15 BIOS I noticed an option for Rowhammer mitigation (don’t remember exactly where). There was a choice between 2x refresh and some sort of hardware mitigation. The hardware mitigation was selected by default, which I assume means that hardware actually exists and thus the machine is not vulnerable.

Heres a test you can try https://github.com/google/rowhammer-test

HS, is increasing the memory refresh rate done in bios, os, or either? could you try googles test on the 13 and 15?

Scott, any chance you can find that part of the bios and take a pic?

HOLY COW - Scott thank you, indeed Librem 15 already anti-Rowhammer capabilities built-in !! :smiley: this is really cool !

I’ve got the screenshots, will post it ASAP !

cheers, HS

Doh I fell asleep, sorry :slight_smile: here you go :

Get into BIOS by pressing F2 during boot.

Then choose menu Chipset - Memory Configuration :

Then you’ll see all of these settings - include several for anti- Rowhammer capabilities ! :slight_smile:

1 Like

Uploaded to imgur, into this gallery : http://imgur.com/gallery/IiAoU

  1. Rowhammer is a real attack. Proof of concepts have been published. See same wikipedia article.

  2. ECC does help. It’s extremely unlikely that you’ll get three-bit bitflips without first getting one- and two-bit bitflips. This means that ECC does detect an attack, and action upon detection can be to shut down the machine, effectively stopping the attack.

But I see here that the bios is proprietary, I thought it was coreboot? Or do you have a rev1 model while the rev2 models use coreboot?

Coreboot is ported for Librem 13. Librem 15 is still using traditional BIOS.

ECC does help.

I was happy to see that I was wrong, then :

“It’s extremely unlikely that you’ll get three-bit bitflips without first getting one- and two-bit bitflips. This means that ECC does detect an attack, and action upon detection can be to shut down the machine, effectively stopping the attack”

Shutting down the machine may not be a feasible solution to some ; especially in a server which requires 24/7 uptime.

I am happy to see that Librem is capable to protect us against Rowhammer attack, without doing anything disruptive. Well done.

cheers, HS