Blacksmith: Rowhammer Fuzzer with 100% success rate


  • Blacksmith: Rowhammer Fuzzer with 100% success rate

    About 2 months ago, Comsec security researchers published research which used a Rowhammer fuzzer named Blacksmith to trigger bitflips across all 40 modules they tested (ArsTechnica writeup). They don't release which memory modules they tested, but their sample included memory from every major manufacturer.

    The publicly released software is (unfortunately) hardcoded to the Intel Coffee Lake architecture. My test rig runs on AMD, I only use ECC, and I'm nearly perfectly ignorant of how this works at the hardware level, but my understanding is that it requires reverse engineering for each architecture (see also: Packaging for GUIX ticket, Python matrices generator script gist, IAIK/Drama, and vusec/trrespass/drama).

    All of the above is liberally licensed (MIT, Apache, or Unlicense) and it would be nice to see it packaged up in a commercial offering like Memtest86.

  • #2
    Good rowhammer code is much, much easier to write if you limit yourself to one type of memory manager (1 CPU model), one RAM configuration (e.g. 1 single stick in a particular slot), one particular BIOS configuration (1 motherboard) and one type of RAM (e.g. DDR4). Plus their test took 12 hours to run just for row hammer.

    For example, it is trivial to get extra bit flips by increasing the refresh period in the BIOS, and equally trivial to reduce them by reducing the period.

    In the real world there is a huge amount of variation.


    • #3
      You may be interested in this comment by an author of Blacksmith in which they discuss generalizing their approach. They are also not exactly impressed with your ROWHAMMER test....


      • #4
        That discussion seems to be for Memtest86+ (with a plus, which is a different piece of software). Or at the very least the author of that post is confused about the naming.
        As far as I know the author hasn't seen our source code, nor tested the software against real RAM with row hammer issues nor even used the software before making his judgement.

        But nonetheless the earlier comments in that thread from Sam Demeulemeester (x86fr) are spot on. This comment in particular:
        "...we will have a hard time to tune the code to get a "universal" implementation. If we go too far on the "hardness" of the attack, we will report "false" errors (= which will never cause any issue in real-world application) everywhere."

        The goal is NOT to fail every RAM stick. If we did that it would lead to two outcomes.
        1) Initially complete industry chaos, as pretty much all large RAM manufacturers & IT departments are using Memtest86
        2) Loss of faith in the Memtest86 tool. If everything fails, then clearly the tool is wrong, as 99% of RAM is actually fine in real life usage.

        Also we have made a lot of progress with memory address decode over the last few months. This should allow us to precisely target rows in row hammer in a way that would be superior to all other row hammer options (i.e. the guesswork is removed, there is no long pattern generation step and it works for more than a single CPU model). But once row hammer gets this good, it's not so useful for memory testing and is a lot more useful for development of malicious malware, i.e. we have left the domain of memory testing and we are into security testing. And this isn't our priority.
