RAMBLEED - rowhammer exploit can read memory

https://rambleed.com/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0174

Not known to have been exploited in the wild.

RAMBleed uses Rowhammer for reading data stored inside the computer's physical memory. As the physical memory is shared among all processes in the system, this puts all processes at risk.

RAMBleed relies on Rowhammer-induced bit flips to read privileged memory. As such, any system that uses Rowhammer-susceptible DIMMs is vulnerable. Previous research has demonstrated bit flips on both DDR3 and DDR4 with TRR (targeted row refresh) enabled. While we demonstrated our attack on a desktop machine and an ECC enabled server machine, Rowhammer attacks have been demonstrated against both mobile devices and laptops. As such, we suspect that many classes of computers are susceptible to RAMBleed.

Users can mitigate their risk by upgrading their memory to DDR4 with targeted row refresh (TRR) enabled. While Rowhammer-induced bit flips have been demonstrated on TRR, it is harder to accomplish in practice.

Memory manufacturers can help mitigate this issue by more rigorously testing for faulty DIMMs. Furthermore, publicly documenting vendor specific TRR implementations will facilitate a stronger development process as security researchers probe such implementations for weaknesses.


Oh great. A threat that dates back to 2016. And still a threat now. WTF.

OK. About the TRR part. Is this something that is enabled and disabled by the kernel or the motherboard? This part remains unclear to me.

It's enabled by checking with the manufacturer to see if your current sticks have it and buying different RAM if they don't.

It seems I don't need to worry about this on my 3 computers. Main computer uses desktop DDR4. My Intel NUC uses laptop DDR4. Laptop uses LPDDR3. Tested all three of them using MemTest86 (Hammer Test). All 3 passed without any error.
Unless the hammer test was the wrong one. Then IDK. And no, I'm not contacting the manufacturer when they don't even list the damn TRR as a feature.

Another possible mitigation is the use of memory encryption on newer AMD/Intel systems.

DDR4 also seems to be affected; it's just more difficult to exploit ("we do not suspect DDR4 to be a fundamental limitation").

Care to explain how to do that? I'm sure I can do it on my Ryzen 2700X. But unsure if that can be done on my Intel NUC (Skylake).

lscpu | grep sme
See if it turns up roses.
(SME is Secure Memory Encryption; it should be enabled by BIOS or firmware)

Hmm... Did some digging and it looks like it's a combo:
First you need hardware that supports it.
Then your BIOS/firmware needs to enable it.
Then, depending on whether your BIOS merely 'enables' SME but does not 'activate' it, you can tell the kernel to do so (the kernel supports SME) by using this in the GRUB params:

mem_encrypt=on

[I have done no testing - this is just some docs regurgitation]
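A scripted version of the three-layer check described in the post above, added here as an example and not part of the thread. It takes the cpuinfo flags line, the kernel command line and a dmesg excerpt as arguments so it can be exercised on constructed input; the dmesg wording it matches is an assumption based on upstream kernel log messages, so verify against your own kernel. Note it matches the flag as a whole word, because a plain grep for "sme" also hits "smep" on Intel CPUs.

```shell
#!/bin/sh
# Added example (not from the thread): classify AMD SME state from three sources,
# mirroring the layered check above: CPU flag -> kernel request -> kernel confirmation.
# Prints one of: unsupported, supported-not-activated, requested-not-confirmed, activated
# Usage: sme_state "<cpuinfo flags line>" "<kernel cmdline>" "<dmesg excerpt>"
sme_state() {
    flags="$1"; cmdline="$2"; dmesg_text="$3"

    # Layer 1: the CPU must advertise SME; match the whole token so "smep" does not count
    case " $flags " in
        *" sme "*) ;;
        *) echo unsupported; return 0 ;;
    esac

    # Layer 3 (checked first because it is conclusive): the kernel reports SME active.
    # Wording is an assumption based on upstream arch/x86 log lines across kernel versions.
    case "$dmesg_text" in
        *"Memory Encryption Features active"*"SME"*) echo activated; return 0 ;;
        *"Secure Memory Encryption (SME) active"*)   echo activated; return 0 ;;
    esac

    # Layer 2: mem_encrypt=on was requested on the command line but not confirmed by dmesg
    case " $cmdline " in
        *" mem_encrypt=on "*) echo requested-not-confirmed; return 0 ;;
    esac

    echo supported-not-activated
}

# Live run on the current machine: sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    sme_state "$(grep -m1 '^flags' /proc/cpuinfo)" \
              "$(cat /proc/cmdline)" \
              "$(dmesg 2>/dev/null | grep -i 'memory encryption')"
fi
```

A result of requested-not-confirmed usually means the firmware enabled SME in hardware but the kernel never activated it; check dmesg for the reason before assuming memory is encrypted.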

Well, I got it working. So far. The one downside is the nvidia driver doesn't work. I had to switch to nouveau.

[Update]
Fixed most of my issues with nouveau by switching to modesetting + compton.

compton -CGzb --backend xr_glx_hybrid --vsync opengl-mswc --vsync-use-glfinish --paint-on-overlay --unredir-if-possible --glx-no-rebind-pixmap --glx-swap-method buffer-age --glx-swap-method 5 --xrender-sync --xrender-sync-fence

[Compton Update 2]

compton -CGb --backend glx --vsync opengl --vsync-use-glfinish --xrender-sync-fence --unredir-if-possible --glx-no-stencil --glx-no-rebind-pixmap --glx-swap-method copy --glx-swap-method -1 --refresh-rate 75

I upgraded compton. So I made some changes over my old setup. I would have used --vsync opengl-swc. But it runs really badly on my dual monitor setup. If you have a single monitor, then --vsync opengl-swc will be a great option. I added a refresh rate change. This way I can keep both monitors at max refresh rate 60 without it feeling like it's dropping frames.

And I hope this is my last compton change. This is so much closer to using the nvidia driver now.


Not sure if having two different --glx-swap-method options is doing anything. But I've been playing around with it.