Fwd: [Cryptography] "Flip Feng Shui: Hammering a Needle in the Software Stack"
----- Forwarded message from Jerry Leichter
Georgi Guninski wrote: Does Rowhammer work in clouds? According to the popular story it affected only laptops.

The answer is "it depends."

Machines with ECC RAM make successful rowhammer attacks considerably harder, and meanwhile most cloud providers use ECC (e.g., Amazon uses ECC on all machines according to their FAQ). In fact, the Flip Feng Shui paper obliquely acknowledges that ECC helps to prevent the attack, but doesn't quantify beyond "we have observed that Rowhammer can occasionally induce multiple flips in a single 64-bit word" (§ 6.1.1).

For a better idea of how much harder it makes things, let's have a look at another paper from USENIX Security this year, https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presen...

There's a bit of decoding to do here: all of the evaluation in this paper uses machines that *don't* have ECC. Fortunately, we can extrapolate from figure 13(c). Remember that with ECC, one needs to flip 3 bits in a word to undetectably change the state of RAM: ECC will silently fix 1-bit errors and produce a machine check exception on a 2-bit error. How much harder is it to flip 1 bit than to flip 3? According to Fig. 13(c), it's ~30x harder to flip 2 bits than 1, and another ~30x harder to flip 3 bits than 2.

As an aside: note that the attack the Xiao paper describes only works against Xen guests that *don't* use hardware-assisted page tables (EPT for Intel, NPT for AMD). If you're using hardware-assisted virtualization (e.g., most Amazon "HVM" instances), this particular attack won't work; others might, of course.

So if you're paranoid about rowhammer in a cloud setting, one strategy is to monitor the MCE log and shut down any instance that's getting a lot of uncorrectable ECC errors, as this may indicate an active rowhammer attack. But my guess is that if someone is trying to pwn you with a cross-VM attack, they're going to use something like cache timing: it's harder to detect and probably easier to pull off, assuming your cloud box has ECC RAM.

But as always, new discoveries might change the whole game.

-=rsw
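The MCE-log monitoring strategy suggested above, as an added example that is not part of the original thread: a small Python check that reads ECC error lines in an assumed EDAC-like format (the sample lines are constructed, not captured) and flags a DIMM only when uncorrectable errors cluster in a short window, since a single UE is an ordinary hardware fault.

```python
"""Flag DIMMs logging a burst of uncorrectable ECC errors (possible Rowhammer).
Added example, not from the thread. Log format is an assumption modelled on
Linux EDAC kernel messages; SAMPLE_LOG lines are constructed, not captured.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed shape: "<ISO timestamp> EDAC MC<n>: <count> <CE|UE> memory <op> error on <dimm> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EDAC MC(?P<mc>\d+): (?P<n>\d+) (?P<kind>CE|UE) memory "
    r"\w+ error on (?P<dimm>\S+)"
)

SAMPLE_LOG = """\
2016-09-02T00:10:01 EDAC MC0: 1 CE memory read error on DIMM_A0 (channel:0 slot:0)
2016-09-02T00:10:06 EDAC MC0: 1 UE memory read error on DIMM_A0 (channel:0 slot:0)
2016-09-02T00:10:07 EDAC MC0: 2 UE memory read error on DIMM_A0 (channel:0 slot:0)
2016-09-02T00:10:09 EDAC MC0: 1 UE memory read error on DIMM_A0 (channel:0 slot:0)
2016-09-02T03:45:00 EDAC MC1: 1 CE memory read error on DIMM_B1 (channel:1 slot:1)
2016-09-02T09:12:00 EDAC MC1: 1 UE memory read error on DIMM_B1 (channel:1 slot:1)
"""

def parse(log):
    """Yield (timestamp, dimm, kind, count) for each line matching LINE_RE."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["dimm"], m["kind"], int(m["n"])

def ue_bursts(log, window=timedelta(minutes=5), threshold=3):
    """Return {dimm: peak UE count} for DIMMs with >= threshold uncorrectable
    errors inside any `window`. A lone UE is an ordinary hardware fault and is
    not flagged; a cluster on one DIMM is the signal the thread describes."""
    stamps = defaultdict(list)
    for ts, dimm, kind, n in parse(log):
        if kind == "UE":
            stamps[dimm].extend([ts] * n)  # one line may aggregate n repeats
    flagged = {}
    for dimm, times in stamps.items():
        times.sort()
        lo = 0
        for hi, ts in enumerate(times):
            while ts - times[lo] > window:  # drop stamps that fell out of the window
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[dimm] = max(flagged.get(dimm, 0), hi - lo + 1)
    return flagged

if __name__ == "__main__":
    print(ue_bursts(SAMPLE_LOG))  # {'DIMM_A0': 4}
```

Correctable errors (CE) are parsed but deliberately not counted here; a high CE rate on one DIMM is a weaker signal that could be tracked the same way with a separate threshold.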
On 09/02/2016 12:21 AM, Riad S. Wahby wrote:
As an aside: note that the attack the Xiao paper describes only works against Xen guests that *don't* use hardware-assisted page tables (EPT for Intel, NPT for AMD). If you're using hardware-assisted virtualization (e.g., most Amazon "HVM" instances), this particular attack won't work; others might, of course.
It also won't work if VMs don't share RAM, right?
Mirimir
On 09/02/2016 12:21 AM, Riad S. Wahby wrote:
As an aside: note that the attack the Xiao paper describes only works against Xen guests that *don't* use hardware-assisted page tables (EPT for Intel, NPT for AMD). If you're using hardware-assisted virtualization (e.g., most Amazon "HVM" instances), this particular attack won't work; others might, of course.
It also won't work if VMs don't share RAM, right?
RAM sharing is necessary for the Razavi et al. attack. The Xen attack is from Xiao et al.

-=rsw
On Thu, Sep 01, 2016 at 11:21:18PM -0700, Riad S. Wahby wrote:
Georgi Guninski wrote: Does Rowhammer work in clouds? According to the popular story it affected only laptops.
The answer is "it depends."
Thanks. Just browsed through the paper; it mentions m$ azure. Is/has some large cloud been affected? Usually academics are afraid to name big vendors, AFAICT.

This is a duplicate, but I don't remember the answer: can you induce RAM errors with some device if you are near the box? Say a directed magnetic field, or a human-made cosmic-ray substitute (don't know if this makes sense).