Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Data Storage Bug Security

SSD Drives Vulnerable To Rowhammer-Like Attacks That Corrupt User Data (bleepingcomputer.com) 93

An anonymous reader writes: NAND flash memory chips, the building blocks of solid-state drives (SSDs), include what could be called "programming vulnerabilities" that can be exploited to alter stored data or shorten the SSD's lifespan. According to research published earlier this year, the programming logic powering of MLC NAND flash memory chips (the tech used for the latest generation of SSDs), is vulnerable to at least two types of attacks.

The first is called "program interference," and takes place when an attacker manages to write data with a certain pattern to a target's SSD. Writing this data repeatedly and at high speeds causes errors in the SSD, which then corrupts data stored on nearby cells. This attack is similar to the infamous Rowhammer attack on RAM chips.

The second attack is called "read disturb" and in this scenario, an attacker's exploit code causes the SSD to perform a large number of read operations in a very short time, which causes a phenomenon of "read disturb errors," that alters the SSD ability to read data from nearby cells, even long after the attack stops.

This discussion has been archived. No new comments can be posted.

SSD Drives Vulnerable To Rowhammer-Like Attacks That Corrupt User Data

Comments Filter:
  • by Chris Katko ( 2923353 ) on Saturday May 27, 2017 @06:35PM (#54499241)

    ...I don't think it has much real-world worry. If you're running an intentionally malicious program on your computer, you've got far worse problems. A SSD is one device. A single credit card number is worth thousands of dollars to you and possibly dozens of hours of your valuable time to fix.

    I do wonder, is there such an equivalent vulnerability in platter drives? Writing rapidly to the inside and outside of the platter so the heads scream back and forth over and over? (Kind of like the bad old days of exceeding your RAM and thrashing everything to a page file as your heads go CLICK CLICK CLICK CLICK.)

    Come to think of it, I wonder if you could VARY the read/write speed of a hard drive by changing your write patterns. So if you can get the heads to swing at a certain frequency, you could start a resonant oscillation of the heads which, if tuned right, would cause a complete mechanical failure.

    • I do wonder, is there such an equivalent vulnerability in platter drives? Writing rapidly to the inside and outside of the platter so the heads scream back and forth over and over?

      The heads already scream back and forth on normal operation. If you create write patterns that increase head moves, I do not expect to see something else that trashed I/O performances.

    • by Mozai ( 3547 ) on Saturday May 27, 2017 @07:48PM (#54499441) Homepage
      We used to do that ON PURPOSE. It's wasn't mechanical failure, it was an undocumented feature. http://www.catb.org/~esr/jargo... [catb.org]
    • by Kjella ( 173770 )

      ...I don't think it has much real-world worry. If you're running an intentionally malicious program on your computer, you've got far worse problems. A SSD is one device. A single credit card number is worth thousands of dollars to you and possibly dozens of hours of your valuable time to fix.

      Assuming you got access to anything valuable with the process you're running as. The point of rowhammer was that you could flip bits in other processes, Imagine for example if you have found an exploit in the web server but all it has access to is public files but you could flip the permission bits on /etc/passwd to be world readable that would be a pretty big exploit. If you can use a "harmless" service running as a non-privileged user to create a denial-of-service attack, that surely has some value too.

      • I don't think that has a realistic chance of working -- filesystems tend to write file contents in difficult to predict geographical locations.

        I think what would be more realistic is using this as a hypervisor escape.

        Even then, I'm curious how this attack is supposed to work now that most SSDs use wear leveling.

    • by tlhIngan ( 30335 )

      ...I don't think it has much real-world worry.

      There is no real world practical worry for this.

      This hack relies on the ability to rewrite specific pages in NAND flash. In fact, the attack is well known in NAND flash - read and write disturbs are documented issues with NAND flash since the beginning. Every NAND flash datasheet mentions how you can and cannot program it in order to minimize the probability of disturbs. It's why NAND flash has the "spare area" - because even following the recommendations (alway

      • by swb ( 14022 )

        Storage access is mediated on so many levels that even vendors have a hard time identifying whether even relatively simple performance problems are the result of an application, the application subsystem (databases), the operating system, the network system, the storage system, the storage fabric or the computer system.

        I don't see how it would ever be possible to exploit this, especially when the flash vendors are aware of it and the closest software levels of the hardware are deliberately written in ways t

    • ...I don't think it has much real-world worry. If you're running an intentionally malicious program on your computer, you've got far worse problems. A SSD is one device. A single credit card number is worth thousands of dollars to you and possibly dozens of hours of your valuable time to fix.

      What if you're running a virtual instance on a cloud platform, and somebody else is running another virtual instance on the same platform, sharing the same physical memory and SSD ?

      • Then this attack would be impossible obviously. You need direct access to the hardware in order to control the bit pattern. In the scenario you are talking about you are using a filesystem to write data, and one of several kernels as well. Your reads and writes are cached by the OS and you have no control over the order of your reads and writes and the reads and writes of the other virtual machines. Your memory writes, while they appear to be at linear ranges you specify, are virtual. That's why it is ca
    • So if you can get the heads to swing at a certain frequency, you could start a resonant oscillation of the heads which, if tuned right, would cause a complete mechanical failure.

      Although this would be interesting, just like the SSD exploit, I'm not sure how useful it would really be in the real world. Drives are pretty cheap. Loss of data is the big deal and if you have physical access to the system then randomly writing to the drive or formatting the drive seems like the simplest and easiest way to destroy the data.

  • TFA is not very detailed, it seems the journalist had a hard time explaining what the scientists did. Anyone has a better link?
  • Hammers (Score:2, Informative)

    by Anonymous Coward

    In other news SSDs are susceptible to actual hammers as well, no work around has been found.

  • The link summarizes a paper presented 4 months ago in the HPCA'17 conference in Austin, why is this "news" now?

  • "Writing this data repeatedly and at high speeds causes errors in the SSD"

    Why is this allowed to happen? Why isn't the write speed limited if abusing it can cause errors? How can this be an allowed operation? Since the drive is under complete control of its own firmware, why is this operation allowed to proceed or even take place?

    "an attacker's exploit code causes the SSD to perform a large number of read operations in a very short time, which causes a phenomenon of "read disturb errors," that alters the SS

Friction is a drag.

Working...