Row hammer

pixel · September 13, 2016, 11:34pm

is your hardware vulnerable to this? can it be mitigated?

mladen · September 15, 2016, 5:06pm

Hi.

Row hammer at this point is just a proof of concept, to my knowledge. It is highly unlikely as a vector of attack, as for now, this proof of concept works only for a specific cases. But you probably want to check more reliable source of information for this.

Our RAM is non-ECC RAM, but some sources state that ECC cannot help with this attack (check here: https://en.wikipedia.org/wiki/Row_hammer#Mitigation).

I’ll post a follow-up if I get more info about this.

Harry · September 16, 2016, 7:07am

Hi pixel, thanks for this post, I didn’t know about this attack vector before, very interesting !

This is a very low-level attack, which can be executed from a very high-level; like Javascript :

https://en.wikipedia.org/wiki/Row_hammer#Exploits

This is pretty serious.

Thankfully, there are ways to mitigate this :

(1) Pejakovic is right - ECC is useless

(2) Increase memory refresh interval : default is 64 ms.

(3) Use DDR4 chips with TRR feature

===
For the moment, we can do point 2.

In the future, Purism might be interested to use these TRR DDR4 memory chips.

cheers, HS

Scott1 · September 17, 2016, 7:44am

FWIW, in digging around the Librem 15 BIOS I noticed an option for Rowhammer mitigation (don’t remember exactly where). There was a choice between 2x refresh and some sort of hardware mitigation. The hardware mitigation was selected by default, which I assume means that hardware actually exists and thus the machine is not vulnerable.

pixel · September 19, 2016, 8:53am

Heres a test you can try https://github.com/google/rowhammer-test

HS, is increasing the memory refresh rate done in bios, os, or either? could you try googles test on the 13 and 15?

Scott, any chance you can find that part of the bios and take a pic?

Harry · September 19, 2016, 11:42am

HOLY COW - Scott thank you, indeed Librem 15 already anti-Rowhammer capabilities built-in !! this is really cool !

I’ve got the screenshots, will post it ASAP !

cheers, HS

Harry · September 19, 2016, 9:20pm

Doh I fell asleep, sorry here you go :

Get into BIOS by pressing F2 during boot.

Then choose menu Chipset - Memory Configuration :

Then you’ll see all of these settings - include several for anti- Rowhammer capabilities !

Harry · September 19, 2016, 9:21pm

Uploaded to imgur, into this gallery : http://imgur.com/gallery/IiAoU

Bob1 · September 20, 2016, 8:36am

Rowhammer is a real attack. Proof of concepts have been published. See same wikipedia article.
ECC does help. It’s extremely unlikely that you’ll get three-bit bitflips without first getting one- and two-bit bitflips. This means that ECC does detect an attack, and action upon detection can be to shut down the machine, effectively stopping the attack.

bavay · September 20, 2016, 4:08pm

But I see here that the bios is proprietary, I thought it was coreboot? Or do you have a rev1 model while the rev2 models use coreboot?

mladen · September 20, 2016, 8:28pm

Coreboot is ported for Librem 13. Librem 15 is still using traditional BIOS.

Harry · September 21, 2016, 6:13am

ECC does help.

I was happy to see that I was wrong, then :

“It’s extremely unlikely that you’ll get three-bit bitflips without first getting one- and two-bit bitflips. This means that ECC does detect an attack, and action upon detection can be to shut down the machine, effectively stopping the attack”

Shutting down the machine may not be a feasible solution to some ; especially in a server which requires 24/7 uptime.

I am happy to see that Librem is capable to protect us against Rowhammer attack, without doing anything disruptive. Well done.

cheers, HS