From: Georgi Guninski <guninski@guninski.com>
On Wed, Sep 16, 2015 at 08:03:54PM +0000, jim bell wrote:
>> I don't think the concept of this kind of weakness is new: Even in 1980, DRAMs were tested for such repeated accesses, to ensure that such errors would not occur. This was particularly true for a process called "device characterization", in which chips were attacked in all manner of electronically-abusive ways, to uncover these weaknesses, and fix the circuit design should such flaws be uncovered. One way these techniques could be thwarted is to return to the use of parity-bits (8+1 parity) in memory access, in DRAM module and computer design, to whatever extent they are no longer used. Any (successful) attempt to modify bits in a DRAM would quickly end up causing a parity error, which would at least show which manufacturer's DRAM chips are susceptible to this kind of attack. A person who was forced to use a no-parity computer could, at least, limit his purchases of such modules to those populated with DRAMs not susceptible to the problem.
>> Jim Bell
>I don't understand hardware and have some questions
>The POC appears non-deterministic per the nature of the bug.
I assume POC means "proof of concept". Yes, the error is non-deterministic. It arises from the fact that bits are stored as different voltages on individual capacitors in a chip, one capacitor per bit. Think of a "0" as being zero volts, 1 is Vcc volts, where Vcc (the supply voltage to the chips) is usually 3 volts. This represents a healthy difference, and could easily be detected. The problem is that the chip can't have one voltage detector for each bit; usually there are about 1048 bits per voltage comparator. When a given row needs to be read, the Row Address line activates, and those 1048 bits are each connected to their corresponding "bit line", which is a tiny electrical conductor with a capacitance much greater than that of the individual bit-cell (capacitor). The resulting voltage difference between a "one" and a "zero" bit might be only a few tens of millivolts, which is rather small. Then, the voltage detector amplifies the voltage difference, to restore it to either GND (0 volts) or Vcc.
>1. If I run the POC for time X and it fails, does
>this mean it will fail if I run it for time 100 X?
It's statistical. Probably the number of failures will be approximately proportional to the number of disturb-cycles done.
>2. Does increasing the temperature in the box
>(near or above overheating) increase the chance for
>success?
Perhaps just a little. Refreshing of an entire memory array is done once every 64 milliseconds. (It used to be 2 milliseconds in the 1970s.) It is said that many tens of seconds can elapse before any given bit is disturbed, if refresh is turned off. There should be a lot of margin for loss of refresh, or an inadequate amount of refresh.
>3. If you have computer near you, can you induce bit
>flips on purpose remotely, without executing code on
>it? (lol, AFAICT if you wait looooong enough cosmic rays
>will do this for you for free, but I am asking about a
>realistic attack).
I don't think an external attack (with particles) is plausible.
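Jim Bell's 8+1 parity suggestion above, worked through as an added example (not code from anyone in this thread): a per-byte parity bit is stored alongside a constructed buffer, a scrub pass recomputes it, and simulated disturbances show both what parity catches (one flipped bit in a byte) and what it silently misses (two flips in the same byte, which restore even parity). Function names and the sample data are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Even parity over the 8 data bits: this is the 9th bit an 8+1 module stores. */
static uint8_t parity_bit(uint8_t b) {
    b ^= b >> 4;            /* fold the high nibble into the low nibble   */
    b ^= b >> 2;            /* fold again: 4 bits -> 2 bits               */
    b ^= b >> 1;            /* and again: 2 bits -> 1 bit                 */
    return b & 1;           /* XOR of all eight bits                      */
}

/* Record the parity bit for every byte (models the write path of an 8+1 module). */
void parity_encode(const uint8_t *data, uint8_t *par, size_t n) {
    for (size_t i = 0; i < n; i++)
        par[i] = parity_bit(data[i]);
}

/* Scrub pass: return how many bytes no longer match their stored parity bit. */
size_t parity_scrub(const uint8_t *data, const uint8_t *par, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (parity_bit(data[i]) != par[i])
            bad++;
    return bad;
}

/* Simulated disturbance error: flip one bit of one byte in place. */
void flip_bit(uint8_t *data, size_t idx, unsigned bit) {
    data[idx] ^= (uint8_t)(1u << bit);
}

int main(void) {
    uint8_t data[4] = {0x00, 0xFF, 0x5A, 0xA5};   /* constructed sample contents */
    uint8_t par[4];
    parity_encode(data, par, 4);
    printf("clean scrub:        %zu bad bytes\n", parity_scrub(data, par, 4));
    flip_bit(data, 2, 3);                          /* single flip: detected        */
    printf("after one flip:     %zu bad bytes\n", parity_scrub(data, par, 4));
    flip_bit(data, 2, 6);                          /* second flip, same byte: missed */
    printf("after two flips:    %zu bad bytes\n", parity_scrub(data, par, 4));
    return 0;
}
```

The last line of output is the caveat: plain parity only detects an odd number of flips per byte, so a scrub that reports zero errors is not proof that no bits were disturbed.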