ECCploit: ECC Memory Vulnerable to Rowhammer Attacks After All
Where many people thought that high-end servers were safe from the (unpatchable) Rowhammer bitflip vulnerability in memory chips, new research from VUSec, the security group at Vrije Universiteit Amsterdam, shows that this is not the case. Since prominent security researchers and companies have suggested that ECC provides pretty good protection [1,2,3], and exploitable bitflips on ECC memory are seen by many as the “unholy grail” for Rowhammer attacks, the new attack to reliably flip bits that completely bypass ECC protection is a major step forward in Rowhammer research.
To answer the research question above, we first needed to fully understand how ECC is implemented. Unfortunately, this is not trivial. In general, CPU manufacturers omit details of ECC implementation. In addition, the closed nature of hardware makes our task even more difficult. Thus, we first reverse engineered several ECC implementations and showed their guarantees. This part of the work was pretty crazy and involved freezing memory chips and transplanting them (“cold boot attack”), sticking syringe needles into the sockets of memory modules to inject errors, and many other techniques besides. Long story short, after a year of probing and analyzing, we finally understood how ECC memory worked in detail.