Watering Down Rowhammer Failures is a Mistake

Dear Passmark Team,

I have been using Memtest86 for the past 10+ years. I have always respected it as an independent, freely available, third party tool.

This latest 6.2.0 release, however, is bending over for the memory vendors who have been trying to hide this problem for years. This problem is to DDR as to what the floating point problem was to Pentium. Just because memory vendors reply arrogantly is no reason to change the test outcomes. Data corruption is data corruption. And worst case, obviously, is any legal code that causes the system to corrupt data--not their opinion of worst case. We have seen it from Kim's code, two variations from Google that can take control of a machine (security issue), and at least one version that works on simple javascript.

A test that reveals data corruption that could crash the OS, write bad data to drives, and/or leave an open security hole is simply not acceptable. The only reasonable mitigation is DRAM replacement or BIOS updating that allows for more frequent refreshing.

In my opinion, helping the industry hide the severity of this problem is outside the spirit of the original Memtest86 charter. To identify hard to find bugs in the shortest period of time.

I hope that you guys reconsider. And in fact, I'd like to see more emphasis in the area of Rowhammer type tests. I'd rather know more about system failures and be my own judge.

-Dave

It is a balancing act.

The row hammer algorithm is artificial, especially the cache flushing part. So having similar memory access patterns in real software isn't common. It isn't impossible either however.

I haven't seen any variant of it that can work effectively in Javascript however. I doubt it is possible to generate high row hammer rates from Javascript (as you don't have the low level access to flush the case, or get the system information to determine the possible row sizes).

Scaring people unnecessarily isn't a good thing. We don't really want to report errors that the user will never encounter. Especially novice users who don't have a deep understanding of the situation. We think the 6.2 changes represent a reasonable attempt at providing accurate results.

Also you can still see all the row hammer errors by setting the REPORTNUMWARN flag in the configuration file (basically keeping the original behavior, except for the labeling change).

Disagree 100%

David,

I respectfully, but strongly disagree. Please see my comments below:

"It is a balancing act.

The row hammer algorithm is artificial, especially the cache flushing part. So having similar memory access patterns in real software isn't common. It isn't impossible either however."

This new Rowhammer test is no more artificial than any other test in your list. If it's written using code that can be written and compiled then it is real. How can you call this artificial? As pointed out in earlier documentation of Rowhammer, it's also observable using semaphores, which do A LOT of cache flushing natively.

"I haven't seen any variant of it that can work effectively in Javascript however. I doubt it is possible to generate high row hammer rates from Javascript (as you don't have the low level access to flush the case, or get the system information to determine the possible row sizes)."

Have you been on vacation the past couple months?

http://motherboard.vice.com/read/rowhammerjs-is-the-most-ingenious-hack-ive-ever-seen

"Scaring people unnecessarily isn't a good thing. We don't really want to report errors that the user will never encounter. Especially novice users who don't have a deep understanding of the situation. We think the 6.2 changes represent a reasonable attempt at providing accurate results."

Yes, scaring people about a real hardware problem that can be a security exploit is not necessarily a good thing. Especially for the memory and system vendors who don't want to address this issue or return damaged product. Since Kim's discovery, there have been 3 real world exploits of this problem PUBLICLY announced. How many hackers are working on this in private? I'm willing to err on the side of caution and guess quite a few.

This is a political issue for sure. But as a diagnostic, most of us simply want to know pass or fail. And this "balance" you speak of seems lopsided towards the hardware folks.

-Dave

I skimmed the JS paper. The researchers found one machine (just one) that exhibited an error with a single version of Firefox. To do this they also needed to run a native application outside of the browser to track memory accesses from the Firefox process, then hard code the addresses into the script. One machine with a RAM error doesn't make for a global crisis.

They didn't test other browsers, they didn't test any AMD systems & they failed to provoke the problem on the other two Intel systems they tested without manual modification to the BIOS settings to slow the refresh rate. They also failed to mention the obvious countermeasures of ECC RAM and the pTRR/TRR (Pseudo Pseudo Target Row Refresh) solution which is already be implemented in newer server CPUs.

They also pointed out that native code (like MemTest86) provokes errors at a rate which is at least an order of magnitude higher than JS. So MemTest86 should still easily pickup machines that are vulnerable to the JS implementation.

(And again, you can still have the old behaviour, with the REPORTNUMWARN flag)

I think Third I/O's comments on this subject are highly relevent... http://www.thirdio.com/rowhammer.pdf

I would like to see PassMark comment on the current state of Row Hammer... it would also be an idea for PassMark to leave users the option of configuring it to anonymously uploading data about errors encountered that could be used statistically to enhance MemTest86 and help the developers id which tests fail most often and therefore which they need to enhance to help users save time and narrow down the errors encountered ( just an idea).