S3 Ep143: Supercookie surveillance shenanigans - Latest episode - listen now! (Full transcript inside.) https://nakedsecurity.sophos.com/2023/07/13/s3-ep143-supercookie-surveillance-shenanigans/ #nakedsecuritypodcast #vulnerability #patchtuesday #microsoft #rowhammer #podcast

Wouldn't it completely fix #rowhammer/#rambleed to just..duplicate data, and accept that it's twice the cost for the same space if customers are willing, like RAID for hard drives..

By making the flipped data belong to the "same" data (the two redundant copies of it) and so it couldn't violate any memory protection scheme that any operating system would ever have.

??

[Ed note: this is a really interesting paper, carefully researched and shows how mitigations are not necessarily that good (several across ITsec come to mind) until someone really when someone finally checks their worth]

J. Woo et al., "Scalable and Secure Row-Swap: Efficient and Safe Row Hammer Mitigation in Memory Systems"¹

As Dynamic Random Access Memories (DRAM) scale, they are becoming increasingly susceptible to Row Hammer. By rapidly activating rows of DRAM cells (aggressor rows), attackers can exploit inter-cell interference through Row Hammer to flip bits in neighboring rows (victim rows). A recent work, called Randomized Row-Swap (RRS), proposed proactively swapping aggressor rows with randomly selected rows before an aggressor row can cause Row Hammer.
Our paper observes that RRS is neither secure nor scalable. We first propose the `Juggernaut attack pattern' that breaks RRS in under 1 day. Juggernaut exploits the fact that the mitigative action of RRS, a swap operation, can itself induce additional target row activations, defeating such a defense. Second, this paper proposes a new defense Secure Row-Swap mechanism that avoids the additional activations from swap (and unswap) operations and protects against Juggernaut. Furthermore, this paper extends Secure Row-Swap with attack detection to defend against even future attacks. While this provides better security, it also allows for securely reducing the frequency of swaps, thereby enabling Scalable and Secure Row-Swap. The Scalable and Secure Row-Swap mechanism provides years of Row Hammer protection with 3.3X lower storage overheads as compared to the RRS design. It incurs only a 0.7% slowdown as compared to a not-secure baseline for a Row Hammer threshold of 1200.

#arXiv #ResearchPapers #RowHammer #RandomizedRowSwap #SecureRowSwap
__
¹ https://arxiv.org/abs/2212.12613

M. Marazzi et al., "REGA: Scalable Rowhammer Mitigation with Refresh-Generating Activations"¹

Mitigating Rowhammer requires performing addi- tional refresh operations to recharge DRAM rows before bits start to flip. These refreshes are scarce and can only happen periodically, impeding the design of effective mitigations as newer DRAM substrates become more vulnerable to Rowhammer, and more “victim” rows are affected by a single “aggressor” row.
We introduce REGA, the first in-DRAM mechanism that can generate extra refresh operations each time a row is activated. Since row activations are the sole cause of Rowhammer, these extra refreshes become available as soon as the DRAM device faces Rowhammer-inducing activations. Refresh operations are traditionally performed using sense amplifiers. Sense amplifiers, however, are also in charge of handling the read and write operations. Consequently, the sense amplifiers cannot be used for refreshing rows during data transfers. To enable refresh operations in parallel to data transfers, REGA uses additional low-overhead buffering sense amplifiers for the sole purpose of data transfers. REGA can then use the original sense amplifiers for parallel refresh operations of other rows during row activations.
The refreshes generated by REGA enable the design of simple and scalable in-DRAM mitigations with strong security guarantees. As an example, we build REGAM, the first deterministic in- DRAM mitigation that scales to small Rowhammer thresholds while remaining agnostic to the number of victims per aggressor. REGAM has a constant 2.1% area overhead, and can protect DDR5 devices with Rowhammer thresholds as small as 261, 517, and 1029 with 23.9%, 11.5%, and 4.7% more power, and 3.7%, 0.8% and 0% performance overhead.

#Semiconductors #Rowhammer #DRAM #ResearchPapers
__
¹ (Warning: PDF) https://comsec.ethz.ch/wp-content/files/rega_sp23.pdf

@bitzbyte @brunoc And for that to work, you need bricks that won't crumble after a heatwave and a storm.

For example, DRAM is really, really bad at security... the mitigations mfgs added to defeat #Rowhammer style attacks were found to make the problem worse overall. #Spectre vulns are another example of basic flaws. Going up a layer, large monolithic kernels have indeed proven to be a fundamental security flaw (Tanenbaum was right).

Overall, "security in depth" has failed. For one thing, there are already too many layers to attack, and SID measures tend to add layers and they do it as just another feature embedded within a gigantic kernel. The marketing and lingo that surrounds it is very impressive, which is itself a problem.

RT from Antmicro (@antmicro)

Next addition to our #opensource series of #DRAM testers is an #FPGA-based #DDR5 board that will help to devise #Rowhammer attack countermeasures & experiment with state-of-the-art data center memory modules: https://antmicro.com/blog/2022/08/open-hardware-ddr5-tester/. @GoogleOSS @risc_v @XilinxInc @CHIPSAlliance

Original tweet : https://twitter.com/antmicro/status/1556616723859734529

RT @antmicro@twitter.com

Next addition to our #opensource series of #DRAM testers is an #FPGA-based #DDR5 board that will help to devise #Rowhammer attack countermeasures & experiment with state-of-the-art data center memory modules: https://antmicro.com/blog/2022/08/open-hardware-ddr5-tester/. @GoogleOSS@twitter.com @risc_v@twitter.com @XilinxInc@twitter.com @CHIPSAlliance@twitter.com

🐦🔗: https://twitter.com/antmicro/status/1556616723859734529

#BIG_TECH | #DDR4 #Memory protections are #broken wide open by NEW #Rowhammer technique. Rowhammer #attacks work by #accessing—or #hammering—physical rows inside vulnerable #chips #millions of times #per_second in ways that cause bits in neighboring rows to #flip..

https://arstechnica.com/gadgets/2021/11/ddr4-memory-is-even-more-susceptible-to-rowhammer-attacks-than-anyone-thought/

Disclaimer: DavidV.TV and/or its owners (Tastingtraffic LLC) are not affiliates of this provider or referenced image used and this is NOT a Sponsored (Paid) Promotion/Reshare.

@profoundlynerdy 5/ So let's say, you read a release about #ROWHAMMER. If you've been trained only on Ruby, how will your understanding compare to if you have been trained in how memory works electrically? How will it inform your response?

Introducing Half-Double: New hammering technique for DRAM Rowhammer bug - Research Team: Salman Qazi, Yoongu Kim, Nicolas Boichat, Eric Shiu & Mattias N... http://feedproxy.google.com/~r/GoogleOnlineSecurityBlog/~3/Y2QoJFBaTug/introducing-half-double-new-hammering.html #rowhammer #security

S3 Ep29: Anti-tracking, rowhammer problems and IoT vulns [Podcast] - Latest episode - listen now! https://nakedsecurity.sophos.com/2021/04/22/s3-ep29-anti-tracking-rowhammer-problems-and-iot-vulns-podcast/ #nakedsecuritypodcast #vulnerability #rowhammer #tracking #mozilla #podcast #privacy #firefox #iot

Serious Security: Rowhammer is back, but now it’s called SMASH - Simply put: reading from RAM in your program could write to RAM in someone else's https://nakedsecurity.sophos.com/2021/04/19/serious-security-rowhammer-is-back-but-now-its-called-smash/ #vulnerability #dataleakage #rowhammer #trrespass #hacking #smash #dram

TRRespass research reveals rowhammering is alive and well - "TRRespass" is a new trick for rowhammering - an attack where you write to a memory chip by readin... more: https://nakedsecurity.sophos.com/2020/03/11/trrepass-research-reveals-rowhammering-is-alive-and-well/ #vulnerability #rowhammer #trrespass #dram

The cloud is full of phantom trolleys armed with hammers.
https://xkcd.com/1938/
#Meltdown #Spectre #RowHammer #XKCD

Everyone seems so surprised about #meltdown and #spectre. I just wondered why we never had hardware bug of this scale... maybe it was because we had one all along. After #rowhammer and #ROCA I thought "any time now"

The cheapest VPS I rent today costs $60/year: that's 1GB of RAM and shared access to 1 fast CPU core. Fast storage, fast networking.

Vulnerable to #meltdown, #spectre, #rowhammer, VPS provider compromise.

Last month I spent $48 on an Android set-top box. Have root, Debian. That's 4 mediocre dedicated CPU cores, 1GB of RAM, shitty storage, slow networking. Vulnerable to home intruders.

Which is better will depend on the use-case... but hardware-base privacy and security needn't be expensive.

I wonder if an attacker could escalate privileges and/or achieve ring0 write access by combining #RowHammer with #Meltdown and/or #Spectre.

#intelbug #KPTI #PTI #KAISER #infosec