On 09/02/2016 12:21 AM, Riad S. Wahby wrote:
> Georgi Guninski <[email protected]> wrote:
>> Does Rowhammer work in clouds? According to the popular story it
>> affected only laptops.
>
> The answer is "it depends."
>
> Machines with ECC RAM make successful rowhammer attacks considerably
> harder, and meanwhile most cloud providers use ECC (e.g., Amazon uses
> ECC on all machines according to their FAQ). In fact, the Flip Feng
> Shui paper obliquely acknowledges that ECC helps to prevent the attack,
> but doesn't quantify beyond "we have observed that Rowhammer can
> occasionally induce multiple flips in a single 64-bit word" (§ 6.1.1).
>
> For a better idea of how much harder it makes things, let's have a
> look at another paper from USENIX Security this year,
>
> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/xiao
>
> There's a bit of decoding to do here: all of the evaluation in
> this paper uses machines that *don't* have ECC. Fortunately, we can
> extrapolate from figure 13(c). Remember that with ECC, one needs to
> flip 3 bits in a word to undetectably change the state of RAM: ECC
> will silently fix 1-bit errors and produce a machine check exception
> on a 2-bit error. How much harder is it to flip 1 bit than to flip
> 3? According to Fig. 13(c), it's ~30x harder to flip 2 bits than 1,
> and another ~30x harder to flip 3 bits than 2.
>
> As an aside: note that the attack the Xiao paper describes only works
> against Xen guests that *don't* use hardware-assisted page tables
> (EPT for Intel, NPT for AMD). If you're using hardware-assisted
> virtualization (e.g., most Amazon "HVM" instances), this particular
> attack won't work; others might, of course.

It also won't work if VMs don't share RAM, right?

> So if you're paranoid about rowhammer in a cloud setting, one strategy
> is to monitor the MCE log and shut down any instance that's getting
> a lot of uncorrectable ECC errors, as this may indicate an active
> rowhammer attack. But my guess is that if someone is trying to pwn
> you with a cross-VM attack, they're going to use something like
> cache timing: it's harder to detect and probably easier to pull off,
> assuming your cloud box has ECC RAM.
>
> But as always, new discoveries might change the whole game.
>
> -=rsw
>
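The monitoring strategy rsw sketches above (watch the ECC error log, act on bursts of uncorrectable errors) can be turned into a small detector. The following is an added example, not code from this thread or from either paper it cites. It assumes the log lines are in the format the Linux EDAC memory-controller drivers print to dmesg/syslog (the sample lines below are constructed in that style, not captured from a real host), and it treats a correctable-error burst as a weaker signal than an uncorrectable one, matching the point that ECC silently repairs 1-bit flips and only raises a machine check on 2-bit errors. Mapping a flagged DIMM or physical page back to the tenant VM that owns it is host-specific work that is not shown here.

```python
"""Detect bursts of ECC errors (a possible Rowhammer signal) in EDAC kernel log lines."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

EdacEvent = namedtuple("EdacEvent", "ts dimm kind count page")

# Matches syslog-prefixed EDAC lines such as the sb_edac driver prints.
# Format assumed from that driver's output; adjust for other EDAC drivers.
EDAC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"EDAC MC(?P<mc>\d+): (?P<count>\d+) (?P<kind>CE|UE) memory \w+ error on "
    r"(?P<dimm>\S+) \(.*?page:(?P<page>0x[0-9a-fA-F]+)"
)

# Constructed sample log (not from a real machine). DIMM#0 on socket 0 sees three
# correctable errors followed by two uncorrectable ones within a few seconds;
# DIMM#1 on socket 1 sees two isolated correctable errors hours apart.
SAMPLE_LOG = """\
Sep  2 00:10:01 host kernel: EDAC MC0: 1 CE memory read error on CPU_SrcID#0_Ha#0_Chan#0_DIMM#0 (channel:0 slot:0 page:0x3a5c8 offset:0x40 grain:32 syndrome:0x5 - area:DRAM err_code:0001:0090 socket:0 ha:0 channel_mask:1 rank:0)
Sep  2 00:10:03 host kernel: EDAC MC0: 1 CE memory read error on CPU_SrcID#0_Ha#0_Chan#0_DIMM#0 (channel:0 slot:0 page:0x3a5c9 offset:0x80 grain:32 syndrome:0x3 - area:DRAM err_code:0001:0090 socket:0 ha:0 channel_mask:1 rank:0)
Sep  2 00:10:05 host kernel: EDAC MC0: 1 CE memory read error on CPU_SrcID#0_Ha#0_Chan#0_DIMM#0 (channel:0 slot:0 page:0x3a5c8 offset:0xc0 grain:32 syndrome:0x9 - area:DRAM err_code:0001:0090 socket:0 ha:0 channel_mask:1 rank:0)
Sep  2 00:10:07 host kernel: EDAC MC0: 1 UE memory read error on CPU_SrcID#0_Ha#0_Chan#0_DIMM#0 (channel:0 slot:0 page:0x3a5c8 offset:0x40 grain:32 syndrome:0x0 - area:DRAM err_code:0000:00a0 socket:0 ha:0 channel_mask:1 rank:0)
Sep  2 00:10:08 host kernel: EDAC MC0: 1 UE memory read error on CPU_SrcID#0_Ha#0_Chan#0_DIMM#0 (channel:0 slot:0 page:0x3a5c7 offset:0x00 grain:32 syndrome:0x0 - area:DRAM err_code:0000:00a0 socket:0 ha:0 channel_mask:1 rank:0)
Sep  2 03:45:00 host kernel: EDAC MC1: 1 CE memory read error on CPU_SrcID#1_Ha#0_Chan#2_DIMM#1 (channel:2 slot:1 page:0x81f2c offset:0x00 grain:32 syndrome:0x1 - area:DRAM err_code:0001:0091 socket:1 ha:0 channel_mask:4 rank:0)
Sep  2 09:12:44 host kernel: EDAC MC1: 1 CE memory read error on CPU_SrcID#1_Ha#0_Chan#2_DIMM#1 (channel:2 slot:1 page:0x81f2c offset:0x00 grain:32 syndrome:0x1 - area:DRAM err_code:0001:0091 socket:1 ha:0 channel_mask:4 rank:0)
Sep  2 09:12:45 host kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""


def parse_edac_events(text, year=2016):
    """Parse CE/UE lines into events. Syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = EDAC_RE.match(line)
        if not m:
            continue  # not an EDAC memory-error line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(EdacEvent(ts, m["dimm"], m["kind"], int(m["count"]), int(m["page"], 16)))
    return events


def peak_counts(events, window):
    """Sliding window over one DIMM's time-sorted events: peak CE and UE totals
    observed in any span no longer than `window`."""
    peak = {"CE": 0, "UE": 0}
    running = {"CE": 0, "UE": 0}
    start = 0
    for e in events:
        running[e.kind] += e.count
        while e.ts - events[start].ts > window:  # drop events that fell out of the window
            running[events[start].kind] -= events[start].count
            start += 1
        for kind in peak:
            peak[kind] = max(peak[kind], running[kind])
    return peak


def flag_dimms(events, window=timedelta(minutes=5), ue_threshold=2, ce_threshold=3):
    """Group events by DIMM and apply the policy: a burst of uncorrectable errors
    means isolate the affected memory/tenant; a burst of correctable errors alone
    (1-bit flips ECC silently fixed) is worth investigating but is a weaker signal."""
    by_dimm = defaultdict(list)
    for e in events:
        by_dimm[e.dimm].append(e)
    findings = {}
    for dimm, evs in by_dimm.items():
        evs.sort(key=lambda e: e.ts)
        peak = peak_counts(evs, window)
        if peak["UE"] >= ue_threshold:
            action = "isolate"
        elif peak["CE"] >= ce_threshold:
            action = "investigate"
        else:
            continue  # below both thresholds: normal background error rate
        findings[dimm] = {
            "action": action,
            "peak_ce": peak["CE"],
            "peak_ue": peak["UE"],
            "pages": sorted({hex(e.page) for e in evs}),  # physical pages to map to tenants
        }
    return findings


if __name__ == "__main__":
    for dimm, f in flag_dimms(parse_edac_events(SAMPLE_LOG)).items():
        print(f"{dimm}: {f['action']} (peak CE={f['peak_ce']}, UE={f['peak_ue']}, pages={f['pages']})")
```

The thresholds and the five-minute window are placeholders; on real hardware they should be set above the DIMM's measured background rate, since a few correctable errors per day on a large fleet is normal and only a tight cluster on one row-adjacent set of pages is suggestive of hammering.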
