* Nethammer and kernel network drivers
From: procmem @ 2018-06-02 3:46 UTC (permalink / raw)
To: kernel-hardening
Hello. I wanted to get your attention about a new, more serious
reincarnation of rowhammer called nethammer that doesn't need to execute
any code on the system like in the past nor does it leave a trace.
The summary of the paper is that rowhammer can be
remotely triggered by feeding susceptible* network driver crafted
traffic. This attack can do all kinds of nasty things such as modifying
SSL certs on the victim system.
* Susceptible drivers are those relying on Intel CAT, uncached memory or
the clflush instruction.
In absence of hardware mitigations, please identify and disable/fix
susceptible network drivers to avoid this type of attack. Thanks.
**
[0] https://arxiv.org/abs/1805.04956
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Nethammer and kernel network drivers
From: Greg KH @ 2018-06-02 9:43 UTC (permalink / raw)
To: procmem; +Cc: kernel-hardening
On Sat, Jun 02, 2018 at 03:46:19AM +0000, procmem wrote:
> Hello. I wanted to get your attention about a new, more serious
> reincarnation of rowhammer called nethammer that doesn't need to execute
> any code on the system like in the past nor does it leave a trace.
>
> The summary of the paper is that rowhammer can be
> remotely triggered by feeding susceptible* network driver crafted
> traffic. This attack can do all kinds of nasty things such as modifying
> SSL certs on the victim system.
>
> * Susceptible drivers are those relying on Intel CAT, uncached memory or
> the clflush instruction.
>
> In absence of hardware mitigations, please identify and disable/fix
> susceptible network drivers to avoid this type of attack. Thanks.
Any hint as to how to identify such drivers? Have you looked into what
this would entail?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Nethammer and kernel network drivers
From: procmem @ 2018-06-02 13:57 UTC (permalink / raw)
To: Greg KH; +Cc: kernel-hardening
Hi. I asked one of the authors (Daniel Gruss) to give you more
insightful feedback as it's more helpful in the matter.
Greg KH:
> On Sat, Jun 02, 2018 at 03:46:19AM +0000, procmem wrote:
>> Hello. I wanted to get your attention about a new, more serious
>> reincarnation of rowhammer called nethammer that doesn't need to execute
>> any code on the system like in the past nor does it leave a trace.
>>
>> The summary of the paper is that rowhammer can be
>> remotely triggered by feeding susceptible* network driver crafted
>> traffic. This attack can do all kinds of nasty things such as modifying
>> SSL certs on the victim system.
>>
>> * Susceptible drivers are those relying on Intel CAT, uncached memory or
>> the clflush instruction.
>>
>> In absence of hardware mitigations, please identify and disable/fix
>> susceptible network drivers to avoid this type of attack. Thanks.
>
> Any hint as to how to identify such drivers? Have you looked into what
> this would entail?
>
> thanks,
>
> greg k-h
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Nethammer and kernel network drivers
From: procmem @ 2018-06-02 17:41 UTC (permalink / raw)
To: Greg KH; +Cc: kernel-hardening
Hello. Daniel provided more details on the problematic areas of the
kernel and I quote what he said verbatim:
> We have only found very outdated network drivers using clflush (old
> windows ndis code). On ARM there are many drivers using uncached memory.
> However, we have so far failed to produce enough memory traffic on ARM
> to trigger a bit flip with Nethammer on any ARM device.
> It should be possible though if you can make the ARM device handle
> >=300MBit/s.
> And that's the most plausible scenario.
>
> Anyway, searching for clflush or use of uncached memory is a good idea
> to locate the critical spots.
>
> Intel CAT is (we believe) not used anywhere yet. And we must be careful
> when it gets to the point where we introduce usage of CAT for QoS
> mechanisms.
>
> However, my intuition tells me that most systems are not even vulnerable
> to Rowhammer in the first place. Although the only prevalence studies we
> have suggest otherwise (they find 60-80% are affected).
>
^ permalink raw reply [flat|nested] 7+ messages in thread
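One way to act on the suggestion quoted above (search for clflush or use of uncached memory), as an added example that is not from the thread or the Nethammer paper. The identifier list is an assumed starting point, `dma_alloc_coherent` is only a candidate because it returns uncached memory only on platforms without hardware cache coherency, and `SAMPLE` is a constructed fragment.

```python
import re
from pathlib import Path

# Assumed starting list, chosen for this example (not from the thread or paper).
# Every hit is a candidate for manual review, not a finding.
PATTERNS = {
    # x86 cache-line flush: kernel helper or raw mnemonic in inline asm
    "cache-flush": re.compile(r"\b(clflush(?:opt)?(?:_cache_range)?)\b"),
    # APIs that can hand a driver uncached DRAM; dma_alloc_coherent is
    # uncached only on platforms without hardware cache coherency
    "uncached-memory": re.compile(
        r"\b(set_memory_uc|pgprot_noncached|dma_alloc_coherent)\s*\("),
}
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)

def strip_comments(src):
    """Blank out C comments but keep newlines so line numbers stay valid."""
    return COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), src)

def scan_source(path, src):
    """Return (path, line, kind, identifier) for each match outside comments."""
    hits = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), 1):
        for kind, pat in PATTERNS.items():
            hits += [(path, lineno, kind, m.group(1)) for m in pat.finditer(line)]
    return hits

def scan_tree(root):
    """Scan every .c/.h file under root, e.g. a checkout's drivers/net."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in (".c", ".h"):
            hits += scan_source(str(p), p.read_text(errors="replace"))
    return hits

# Constructed driver fragment for demonstration; not real kernel code.
SAMPLE = """\
/* constructed example */
static int demo_rx_init(struct demo_priv *p)
{
    /* old code called clflush(buf) here */
    p->ring = dma_alloc_coherent(p->dev, RING_SZ, &p->dma, GFP_KERNEL);
    return p->ring ? 0 : -ENOMEM;
}
static void demo_rx_sync(void *buf, unsigned int len)
{
    clflush_cache_range(buf, len); // flush before device read
}
"""

if __name__ == "__main__":
    for hit in scan_source("demo.c", SAMPLE):
        print("%s:%d: %s (%s)" % hit)
```

Each hit still needs a manual check of whether the flushed or uncached buffer is DRAM touched on the packet receive path.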
* Re: Nethammer and kernel network drivers
From: Greg KH @ 2018-06-03 6:31 UTC (permalink / raw)
To: procmem; +Cc: kernel-hardening
On Sat, Jun 02, 2018 at 05:41:09PM +0000, procmem wrote:
> Hello. Daniel provided more details on the problematic areas of the
> kernel and I quote what he said verbatim:
>
>
> > We have only found very outdated network drivers using clflush (old
> > windows ndis code). On ARM there are many drivers using uncached memory.
> > However, we have so far failed to produce enough memory traffic on ARM
> > to trigger a bit flip with Nethammer on any ARM device.
> > It should be possible though if you can make the ARM device handle
> > >=300MBit/s.
> > And that's the most plausible scenario.
> >
> > Anyway, searching for clflush or use of uncached memory is a good idea
> > to locate the critical spots.
> >
> > Intel CAT is (we believe) not used anywhere yet. And we must be careful
> > when it gets to the point where we introduce usage of CAT for QoS
> > mechanisms.
> >
> > However, my intuition tells me that most systems are not even vulnerable
> > to Rowhammer in the first place. Although the only prevalence studies we
> > have suggest otherwise (they find 60-80% are affected).
So Linux is not vulnerable to this at all? That's good to know, thanks
for following up with this.
greg k-h
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Nethammer and kernel network drivers
From: procmem @ 2018-06-03 13:23 UTC (permalink / raw)
To: Greg KH; +Cc: kernel-hardening
Greg KH:
> On Sat, Jun 02, 2018 at 05:41:09PM +0000, procmem wrote:
>> Hello. Daniel provided more details on the problematic areas of the
>> kernel and I quote what he said verbatim:
>>
>>
>>> We have only found very outdated network drivers using clflush (old
>>> windows ndis code). On ARM there are many drivers using uncached memory.
>>> However, we have so far failed to produce enough memory traffic on ARM
>>> to trigger a bit flip with Nethammer on any ARM device.
>>> It should be possible though if you can make the ARM device handle
>>> >=300MBit/s.
>>> And that's the most plausible scenario.
>>>
>>> Anyway, searching for clflush or use of uncached memory is a good idea
>>> to locate the critical spots.
>>>
>>> Intel CAT is (we believe) not used anywhere yet. And we must be careful
>>> when it gets to the point where we introduce usage of CAT for QoS
>>> mechanisms.
>>>
>>> However, my intuition tells me that most systems are not even vulnerable
>>> to Rowhammer in the first place. Although the only prevalence studies we
>>> have suggest otherwise (they find 60-80% are affected).
>
> So Linux is not vulnerable to this at all? That's good to know, thanks
> for following up with this.
>
> greg k-h
>
I interpreted this to mean that there is a major problem with ARM
drivers but the only backstop is the current gen of hardware being
underpowered. Also it would be best to put a kernel comment about sec
implications of Intel CAT for those who want to enable/use it IMHO.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Nethammer and kernel network drivers
From: Greg KH @ 2018-06-03 13:37 UTC (permalink / raw)
To: procmem; +Cc: kernel-hardening
On Sun, Jun 03, 2018 at 01:23:28PM +0000, procmem wrote:
>
>
> Greg KH:
> > On Sat, Jun 02, 2018 at 05:41:09PM +0000, procmem wrote:
> >> Hello. Daniel provided more details on the problematic areas of the
> >> kernel and I quote what he said verbatim:
> >>
> >>
> >>> We have only found very outdated network drivers using clflush (old
> >>> windows ndis code). On ARM there are many drivers using uncached memory.
> >>> However, we have so far failed to produce enough memory traffic on ARM
> >>> to trigger a bit flip with Nethammer on any ARM device.
> >>> It should be possible though if you can make the ARM device handle
> >>> >=300MBit/s.
> >>> And that's the most plausible scenario.
> >>>
> >>> Anyway, searching for clflush or use of uncached memory is a good idea
> >>> to locate the critical spots.
> >>>
> >>> Intel CAT is (we believe) not used anywhere yet. And we must be careful
> >>> when it gets to the point where we introduce usage of CAT for QoS
> >>> mechanisms.
> >>>
> >>> However, my intuition tells me that most systems are not even vulnerable
> >>> to Rowhammer in the first place. Although the only prevalence studies we
> >>> have suggest otherwise (they find 60-80% are affected).
> >
> > So Linux is not vulnerable to this at all? That's good to know, thanks
> > for following up with this.
> >
> > greg k-h
> >
>
> I interpreted this to mean that there is a major problem with ARM
> drivers but the only backstop is the current gen of hardware being
> underpowered.
Really? There are ARM servers now that can do really fast networking,
yet those drivers do not seem to have this problem from what I can see.
Am I missing something here?
> Also it would be best to put a kernel comment about sec implications
> of Intel CAT for those who want to enable/use it IMHO.
Patches are always gladly accepted :)
thanks,
greg k-h
^ permalink raw reply [flat|nested] 7+ messages in thread