On Fri, Sep 02, 2016 at 10:56:10AM -0400, Jerry Leichter wrote:

...

Why bother with patching public keys, making them amenable to factorization, if you can patch executable code instead?

If you can target executable code (and I see why not, it's all the same to KSM), it is very clear that there cannot be a software-only defense.... The technique cannot be aimed exactly: You can flip some unpredictable, uncontrollable subset of the bits in a word. (The vulnerability of particular bits is dependent on physical variations in the memory cells.)

...

Attacks against the executable code are certainly the worst case, and you might be able to find security-sensitive but very rarely executed code to attack. But this is likely much harder to pull off than the attack outlined here.

Flipping random bits in a word at chosen location is very powerful primitive. I am taking bets that it is moderately easy to exploit via many vectors. Flipping random bits of zero word make it nonzero. In a boolean context, this flips False and True, screwing the logic. eg in: if(is_root || is_authorized) give_em_power(); else drop_em();