Reply to post: Re: Rowhammer/JackHammer

Rowhammer rides again as FPGA attack, RSA again reportedly up for sale, anti-theft kit to nuke laptops, etc

Anonymous Coward

Re: Rowhammer/JackHammer

After doing more reading, the main examples I can find are:

Parity RAM - detects a single bit error per symbol where a symbol is usually 8 bits. Included for completeness.

EDC RAM - corrects a single bit error and detects two-bit errors per symbol using either 16, 32 or 64-bit symbols based on Hsiao or Hamming codes. Hamming with SEC-DED is most common and uses an additional parity bit to ensure any two-bit error can be identified for a total of 10 bits for every 8 bits of data (i.e. 72-bit ECC for 64-bit memory buses or 144-bit ECC for 128-bit memory buses).

RAID - RAM banks are mirrored with additional parity to detect errors in one bank

Chipkill - each bit in a symbol is written to individual DRAM chips with BCH coding used to correct one-bit errors in a 4-bit symbol or detect 2-bit errors in a 4-bit symbol. This also has additional hardware steps such as hourly scrubbing to detect problem DRAM chips.

Note: there are more - Hsiao/Hamming/BCH codes all allow for correcting/detecting higher bit counts with additional bits per symbol but finding if they are implemented is time consuming.

RAID/Chipkill should be immune to Rowhammer/Jackhammer/ECCploit as they target flaws in individual DRAM chips causing adjacent bits to flip - while the bit flipping should still happen given enough time, it will likely be caught and corrected by the correction schemes. EDC will fail if you manage to flip 3 bits or more (i.e. the target bit to change plus its two neighbours).

In addition, DDR4 was thought to be less vulnerable to Rowhammer than DDR3 due to differences in how refreshes are carried out (for scaling sizes, targeted row refresh is used) and although there are still vulnerabilities with specific data patterns, combining DDR4 and EDC is likely to reduce the potential for a successful attack (which is hinted at on the ECCploit site as they don't specifically test DDR4 with ECC due to the number of variables required to test i.e. getting sufficient DDR4 hardware, determining the ECC scheme used for each type and then finding the pattern required to trigger the fault with targeted row refresh enabled).
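Added example (not part of the comment above): a software model of a 72-bit SEC-DED word over 64 data bits, showing how a decoder of this kind handles one, two and three flipped bits. The bit layout (overall parity at position 0, Hamming parity at the power-of-two positions) and all function names are assumptions made for illustration; real memory controllers use their own, often undocumented, layouts.

```python
# Added example: extended Hamming SEC-DED (72,64). Bit layout is an assumption.
N = 72                                               # 0 = overall parity bit
DATA_POS = [p for p in range(1, N) if p & (p - 1)]   # 64 non-power-of-two slots

def syndrome(cw):
    """XOR of the positions (1..71) holding a 1; zero for a valid codeword."""
    syn = 0
    for p in range(1, N):
        if cw[p]:
            syn ^= p
    return syn

def encode(data):
    """Spread a 64-bit integer over 72 bits with 7 Hamming + 1 overall parity."""
    cw = [0] * N
    for i, p in enumerate(DATA_POS):
        cw[p] = (data >> i) & 1
    syn = syndrome(cw)
    for k in range(7):
        cw[1 << k] = (syn >> k) & 1      # parity bits cancel the syndrome
    cw[0] = sum(cw) & 1                  # make total weight even
    return cw

def decode(cw):
    """Return (status, data); status is 'ok', 'corrected' or 'detected'."""
    cw, syn = list(cw), syndrome(cw)
    odd = sum(cw) & 1
    if odd:                              # odd weight: assume one flipped bit
        if syn >= N:
            return "detected", None      # syndrome points outside the word
        cw[syn] ^= 1                     # syn == 0 means bit 0 itself flipped
        status = "corrected"
    elif syn:
        return "detected", None          # even weight, bad syndrome: 2 flips
    else:
        status = "ok"
    return status, sum(cw[p] << i for i, p in enumerate(DATA_POS))

def flip(cw, positions):
    """Return a copy of cw with the given bit positions inverted."""
    out = list(cw)
    for p in positions:
        out[p] ^= 1
    return out

if __name__ == "__main__":
    word = 0x0123456789ABCDEF            # constructed sample data
    cw = encode(word)
    for pos in ([], [9], [9, 10], [3, 5, 6], [71, 8, 16]):
        status, data = decode(flip(cw, pos))
        print(len(pos), "flips:", status, "data intact:", data == word)
```

The three-flip case at positions 3, 5 and 6 is reported as "corrected" while returning wrong data, which is why scrubbing and logging of corrected-error counts matter as an early warning; other triples, such as 71, 8 and 16, yield an out-of-range syndrome and are flagged as uncorrectable.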


Biting the hand that feeds IT © 1998–2020