[Cryptography] How to make rowhammer less likely

Natanael natanael.l at gmail.com
Wed Jun 20 09:25:23 EDT 2018


On Tue, 19 Jun 2018 at 18:27, Bill Frantz <frantz at pwpconsult.com> wrote:

> On 6/16/18 at 12:54 PM, guus at sliepen.org (Guus Sliepen) wrote:
>
> >the only thing you can do is halt or reboot, which is not
> >desirable.
>
> For most programs, death before confusion is the right answer.
> If the program is part of a security system, even more so.
>
> Consider electronic building locks. When the power fails, do you
> open the doors or leave them locked? I think the solution
> generally used is to leave the building locked except to those
> who have a physical key. Similar solutions can be used for
> computer security systems.
>

+1

At most you could label some memory as sensitive and some as not sensitive.
However I don't exactly expect most developers to use it correctly...

But if, say, all CPU instructions were always stored encrypted in RAM, as
well as stacks and related important data structures, while leaving for
example most client application data in plaintext (unless the application
asks for encryption), then malware using rowhammer could only plausibly
target application data in RAM, but not code or access controls. It
couldn't escalate privileges outside its sandbox, but for example
JavaScript in a browser iframe could potentially insert a call home into
the page it's embedded in, unless the browser also opts in to encrypt the
runtime memory.

IMHO it's better to restart a failed process than let it keep running after
being targeted by rowhammer or otherwise getting the memory corrupted.
Designing software to be crash tolerant is simply more effective.
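As an added illustration of the "die rather than act on corrupt state, then restart" approach argued above (this code is not from the post, the thread or any project it mentions), the following C program seals a hypothetical access-control structure with a checksum, aborts if the check fails at the moment of use, and lets a supervisor process re-fork the worker with fresh memory. The `guarded_acl` struct, the FNV-1a seal and the `flip_bit` helper that simulates a rowhammer-style single-bit flip are all assumptions made for the example; a real bit flip is induced by the hardware, not by software XOR.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical sensitive control structure (assumption for this example).
 * A single flipped bit in is_admin is exactly the kind of change a
 * rowhammer attacker hopes for, so the payload is sealed with a checksum. */
struct guarded_acl {
    uint32_t uid;
    uint32_t is_admin;
    uint32_t checksum;   /* FNV-1a over the fields above */
};

/* FNV-1a: detects any single-bit change; it is an integrity check, not a MAC. */
static uint32_t fnv1a(const void *p, size_t n) {
    const unsigned char *b = p;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 16777619u; }
    return h;
}

void acl_seal(struct guarded_acl *a) {
    a->checksum = fnv1a(a, offsetof(struct guarded_acl, checksum));
}

/* Returns 1 if the payload still matches its seal, 0 if it was corrupted. */
int acl_check(const struct guarded_acl *a) {
    return a->checksum == fnv1a(a, offsetof(struct guarded_acl, checksum));
}

/* Simulated rowhammer bit flip (constructed for the example). */
void flip_bit(void *p, size_t byte, unsigned bit) {
    ((unsigned char *)p)[byte] ^= (unsigned char)(1u << bit);
}

/* Consult the ACL at the point of use: death before confusion. */
int acl_is_admin(const struct guarded_acl *a) {
    if (!acl_check(a)) abort();
    return a->is_admin != 0;
}

/* Supervisor: fork a worker; if it dies abnormally, restart it with fresh
 * state. Returns the number of restarts needed before a clean exit,
 * or -1 if the worker keeps failing (cap of 3) or fork/wait fails. */
int run_supervised(int inject_fault) {
    int restarts = 0;
    for (;;) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {
            struct guarded_acl a = { .uid = 1000, .is_admin = 0, .checksum = 0 };
            acl_seal(&a);
            /* Only the first run sees the fault: a restarted process gets fresh memory. */
            if (inject_fault && restarts == 0)
                flip_bit(&a, offsetof(struct guarded_acl, is_admin), 0);
            (void)acl_is_admin(&a);   /* aborts if the seal no longer matches */
            _exit(0);
        }
        int status = 0;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return restarts;
        if (++restarts > 3) return -1;
    }
}

int main(void) {
    printf("no fault: restarts = %d\n", run_supervised(0));
    printf("one fault: restarts = %d\n", run_supervised(1));
    return 0;
}
```

The worker never reaches a decision on a corrupted structure: the check sits in `acl_is_admin`, not in some earlier validation pass, so a flip that lands between validation and use is still caught. The supervisor is what makes the crash cheap; without it, "halt" really is the only option.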
