[Cryptography] "Flip Feng Shui: Hammering a Needle in the Software Stack"

Bill Frantz frantz at pwpconsult.com
Sat Sep 3 15:09:59 EDT 2016


On 9/2/16 at 7:56 AM, leichter at lrw.com (Jerry Leichter) wrote:

>Yes, this attack does show that hardware that's vulnerable to 
>this attack simply cannot be trusted to run the software you 
>think it's supposed to be running.

Jerry hits the nail on the head here. The bug is unreliable 
hardware. Rowhammer raises the probability of this bug 
occurring, but it could occur without an attack. So the short 
answer is, "Fix the hardware." Any other fix is a bandaid.

There are a couple of hardware fixes mentioned in the paper. 
DDR4 chips apparently refresh more often in areas that are 
frequently hit, which might be enough. Otherwise, ECC checked 
memory has been around for a long time, since the days of the 
IBM 370 at least. ECC can be set up to correct n bit errors and 
detect m bit errors where m>n. Getting more protection requires 
more bits to store the ECC check code, but memory is cheap. The 
good news is that you can probably figure out how to use the old 
memory chips/boards, which will lower the cost. The bad news is 
that the problem could be in the cache memory on the CPU chips, 
which would require new CPU chips. (Intel smiles.)

So the question is, what values do we need for n and m in a 
system under attack?

While I'm asking questions, I'll echo Jerry in asking about ECC 
key vulnerability?

In the real world, if the probability of failure without attack 
is at all significant, fixed hardware could be a marketing point 
for a cloud provider, even without the attack. "Our systems get 
the right answer more often than our competitor's systems." Even 
if the probability is too small to worry about, protection 
against this attack would be an attractive marketing pitch.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | Privacy is dead, get over    | Periwinkle
(408)356-8506      | it.                          | 16345 Englewood Ave
www.pwpconsult.com |              - Scott McNealy | Los Gatos, CA 95032
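
The n and m trade-off raised in the message above, as an added example (not part of the original post or of the paper it discusses): single-error-correcting, double-error-detecting ECC (n = 1, m = 2) over a 64-bit word. The extended Hamming code and all function names are assumptions chosen for illustration. It shows one flip repaired, two flips flagged, and three flips returned as a "corrected" word with wrong data.

```python
# Added illustration: extended Hamming SECDED over a 64-bit word (72 bits stored).
from functools import reduce
from operator import xor

R = 7                                   # Hamming check bits for 64 data bits
N = 64 + R                              # positions 1..71; position 0 = overall parity
DATA_POS = [i for i in range(1, N + 1) if i & (i - 1)]   # non-powers of two

def _syndrome(bits):
    """XOR of the positions (1..N) that hold a 1; zero for a valid codeword."""
    return reduce(xor, (i for i in range(1, N + 1) if bits[i]), 0)

def encode(word):
    bits = [0] * (N + 1)
    for k, pos in enumerate(DATA_POS):
        bits[pos] = (word >> k) & 1
    s = _syndrome(bits)
    for j in range(R):                  # set check bits so the syndrome becomes 0
        bits[1 << j] = (s >> j) & 1
    bits[0] = sum(bits) & 1             # overall parity makes the total weight even
    return bits

def decode(bits):
    """Return (status, word); word is None when the error is only detected."""
    bits = list(bits)
    s, odd = _syndrome(bits), sum(bits) & 1
    if s == 0 and not odd:
        status = "ok"
    elif odd and s <= N:                # looks like one flip: repair position s
        bits[s] ^= 1
        status = "corrected"
    else:                               # even weight with s != 0, or s out of range
        return "detected", None
    return status, sum(bits[p] << k for k, p in enumerate(DATA_POS))

def flip(bits, positions):
    """Return a copy of bits with the given positions inverted."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

if __name__ == "__main__":
    word = 0xDEADBEEFCAFEF00D           # constructed sample value
    cw = encode(word)
    for flips in ([], [9], [3, 5], [3, 5, 9]):
        status, got = decode(flip(cw, flips))
        print(len(flips), "flips:", status, "intact" if got == word else "NOT intact")
```

With n = 1 and m = 2 the decoder cannot tell three flips from one, so the answer to "what values do we need" depends on how many flips per word the memory can suffer between scrubs.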


