Re: ECC is not a defense
@DougS,
However, LPDDR4 supports an optional capability called target row refresh (TRR) that effectively eliminates the ability to exploit rowhammer. So no need to add ECC, just use LPDDR4 which newer phones have been doing anyway and make sure it supports TRR.
Interesting. Earlier I speculated that the memory industry hadn't done much to mitigate against rowhammer. Seems I wasn't entirely correct.
This 'optional' feature, I wonder if it's an optional part of the LPDDR4 specification, or a compulsory part of the specification that CPUs can optionally exploit if they want to? Either way, 'optional' sounds like someone somewhere wants to make a fast buck and who cares what the consequences for customers end up being. Booo.
Not for the first time I find myself wishing that the tech industry would take a leaf out of other industries' books. For example Rolls-Royce, Pratt & Whitney and General Electric are deadly serious competitors, yet they will (and have) drop everything to help out a competitor if they run into a serious safety issue. Reason? Everyone benefits from safer engines, and means a bigger market for everyone. The aviation industry is consequently very safe.
[Apart from the mathematically very dubious decision to allow the EC225 Super Puma helicopter to continue flying with a suspect gearbox so long as it was thoroughly inspected after every flight. I say dubious, because whatever calculation was performed to arrive at 1 flight per inspection cannot reasonably have had zero error bars... It took another fatal crash to get it grounded]
In contrast, too often in the tech sector one company's security fails are seen as another's marketing opportunity.
TRR is optional? Great, thanks guys, thanks for not helping out. Whatever caused that to happen should have been resolved in the standard long before it was published, even if that meant company A giving company B money and assistance to bring that about.