lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 9 Mar 2015 14:37:34 -0700
From:	Mark Seaborn <mseaborn@...omium.org>
To:	Pavel Machek <pavel@....cz>
Cc:	Andy Lutomirski <luto@...capital.net>,
	kernel list <linux-kernel@...r.kernel.org>,
	One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>
Subject: Re: DRAM unreliable under specific access patern

On 9 March 2015 at 14:17, Pavel Machek <pavel@....cz> wrote:
> On Mon 2015-03-09 09:30:50, Andy Lutomirski wrote:
>> On Mon, Mar 9, 2015 at 9:03 AM, Mark Seaborn <mseaborn@...omium.org> wrote:
>> > On 6 January 2015 at 15:20, Pavel Machek <pavel@....cz> wrote:
>> >> Actually, I could not get my test code to run; and as code from
>> >>
>> >> https://github.com/mseaborn/rowhammer-test
>> >>
>> >> reproduces issue for me, I stopped trying. I could not get it to
>> >> damage memory of other process than itself (but that should be
>> >> possible), I guess that's next thing to try.
>> >
>> > FYI, rowhammer-induced bit flips do turn out to be exploitable.  Here
>> > are the results of my research on this:
>> > http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
>> >
>>
>> IIRC non-temporal writes will force cachelines out to main memory
>> *and* invalidate them.  (I wouldn't be shocked if Skylake changes
>> this, but I'm reasonably confident that it's true on all currently
>> available Intel chips.)
>>
>> Have you checked whether read; read; nt store; nt store works?
>>
>> (I can't test myself easily right now -- I think my laptop is too old
>> for this issue.)
>
> Well, if you had laptop with that issue, it would still be tricky to
> test this. It takes a while to reproduce...

Actually, it depends.  The time it takes to get a rowhammer-induced
bit flip when picking aggressor addresses at random varies quite a lot
between machines.  On some machines, it takes minutes.  On others, it
takes hours.

However, once you've found a bad DRAM location, the bit flips do tend
to be repeatable.  So it is possible to record the physical addresses
of aggressor and victim locations (using /proc/self/pagemap) and retry
them later, potentially using different methods for attempting to do
row hammering (such as CLFLUSH vs. non-temporal accesses).  I have not
actually tried that with methods other than CLFLUSH yet.  I tried
using non-temporal accesses early on in my experimentation, but I
didn't try them with known-bad locations.

Cheers,
Mark
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ