SSD Drives Vulnerable To Rowhammer-Like Attacks That Corrupt User Data (bleepingcomputer.com) 93
An anonymous reader writes: NAND flash memory chips, the building blocks of solid-state drives (SSDs), include what could be called "programming vulnerabilities" that can be exploited to alter stored data or shorten the SSD's lifespan. According to research published earlier this year, the programming logic powering MLC NAND flash memory chips (the tech used for the latest generation of SSDs) is vulnerable to at least two types of attacks.
The first is called "program interference," and takes place when an attacker manages to write data with a certain pattern to a target's SSD. Writing this data repeatedly and at high speeds causes errors in the SSD, which then corrupts data stored on nearby cells. This attack is similar to the infamous Rowhammer attack on RAM chips.
The second attack is called "read disturb" and in this scenario, an attacker's exploit code causes the SSD to perform a large number of read operations in a very short time, which causes a phenomenon of "read disturb errors," that alters the SSD's ability to read data from nearby cells, even long after the attack stops.
Re: (Score:1)
Let me guess. You hate the "experts" and the "elites"? Let's "tear it all down"? A hop and a skip from Trumpnik thinking, and look how that's going.
Re: (Score:1)
Such as waiting for state-sponsored cybercriminals or intelligence agencies to discover these things first, or someone to unintentionally trip them with a programming error?
Re: (Score:2)
That's a real garbage answer.
Re:Waste of time (Score:5, Insightful)
Because, you jackass, the discovery of flaws is what allows continuous improvements to be made. I mean, let's NOT find ways to make cars safer by readily exploring all opportunities to keep children safe in the event of a car crash. Let's NOT fund avionics to improve QOL where air flight is concerned. Let's NOT safeguard data to keep sensitive information that our enemies can use to dismantle our way of life out of their hands.
Why don't you tell us what you do that's "useful" on a day-to-day basis. And make it a good one, because it's gotta be something that benefits society as a whole.
What with you being so elite and all.
Re: (Score:2)
In this case there isn't really any way to improve them. Read and write disturbs are a well-known phenomenon that can't be solved at the physical level. That's why bits stored in flash are distributed in space and time, with both the hardware and the flash controllers acting to minimise the problems due to disturbs. My guess is that these guys reverse-engineered the mechanisms used for one particular flash technology and figured out the access patterns needed to induce disturbs.
The workaround would be to
Re: (Score:2)
How the fuck does anyone offer NAND storage without error correction? WTF?!
Re: (Score:2)
Why don't you tell us what you do that's "useful" on a day-to-day basis. And make it a good one, because it's gotta be something that benefits society as a whole.
His endless trolling provides lulz to Slashdot users the world over.
Re: (Score:2)
Because of this comment, you should not be allowed to benefit from SSD drives that aren't vulnerable to these attacks. Maybe a bit would be flipped in your bank account balance, or at least a critical part of your computer's partition table.
Re: (Score:2)
Like post worthless shit on Slashdot?
While this is certainly of research importance... (Score:5, Interesting)
...I don't think it has much real-world worry. If you're running an intentionally malicious program on your computer, you've got far worse problems. A SSD is one device. A single credit card number is worth thousands of dollars to you and possibly dozens of hours of your valuable time to fix.
I do wonder, is there such an equivalent vulnerability in platter drives? Writing rapidly to the inside and outside of the platter so the heads scream back and forth over and over? (Kind of like the bad old days of exceeding your RAM and thrashing everything to a page file as your heads go CLICK CLICK CLICK CLICK.)
Come to think of it, I wonder if you could VARY the read/write speed of a hard drive by changing your write patterns. So if you can get the heads to swing at a certain frequency, you could start a resonant oscillation of the heads which, if tuned right, would cause a complete mechanical failure.
Re: (Score:2)
I do wonder, is there such an equivalent vulnerability in platter drives? Writing rapidly to the inside and outside of the platter so the heads scream back and forth over and over?
The heads already scream back and forth in normal operation. If you create write patterns that increase head moves, I do not expect to see anything other than trashed I/O performance.
Re: (Score:3)
...I don't think it has much real-world worry. If you're running an intentionally malicious program on your computer, you've got far worse problems. A SSD is one device. A single credit card number is worth thousands of dollars to you and possibly dozens of hours of your valuable time to fix.
Assuming you got access to anything valuable with the process you're running as. The point of rowhammer was that you could flip bits in other processes. Imagine, for example, if you have found an exploit in the web server but all it has access to is public files, but you could flip the permission bits on /etc/passwd to be world readable; that would be a pretty big exploit. If you can use a "harmless" service running as a non-privileged user to create a denial-of-service attack, that surely has some value too.
Re: (Score:3)
I don't think that has a realistic chance of working -- filesystems tend to write file contents in difficult to predict geographical locations.
I think what would be more realistic is using this as a hypervisor escape.
Even then, I'm curious how this attack is supposed to work now that most SSDs use wear leveling.
Re: (Score:3)
There is no real world practical worry for this.
This hack relies on the ability to rewrite specific pages in NAND flash. In fact, the attack is well known in NAND flash - read and write disturbs are documented issues with NAND flash since the beginning. Every NAND flash datasheet mentions how you can and cannot program it in order to minimize the probability of disturbs. It's why NAND flash has the "spare area" - because even following the recommendations (alway
Re: (Score:3)
Storage access is mediated on so many levels that even vendors have a hard time identifying whether even relatively simple performance problems are the result of an application, the application subsystem (databases), the operating system, the network system, the storage system, the storage fabric or the computer system.
I don't see how it would ever be possible to exploit this, especially when the flash vendors are aware of it and the closest software levels of the hardware are deliberately written in ways t
Re: (Score:3)
...I don't think it has much real-world worry. If you're running an intentionally malicious program on your computer, you've got far worse problems. A SSD is one device. A single credit card number is worth thousands of dollars to you and possibly dozens of hours of your valuable time to fix.
What if you're running a virtual instance on a cloud platform, and somebody else is running another virtual instance on the same platform, sharing the same physical memory and SSD?
Re: (Score:2)
So if you can get the heads to swing at a certain frequency, you could start a resonant oscillation of the heads which, if tuned right, would cause a complete mechanical failure.
Although this would be interesting, just like the SSD exploit, I'm not sure how useful it would really be in the real world. Drives are pretty cheap. Loss of data is the big deal and if you have physical access to the system then randomly writing to the drive or formatting the drive seems like the simplest and easiest way to destroy the data.
Hammers (Score:2, Informative)
In other news, SSDs are susceptible to actual hammers as well; no workaround has been found.
Re: (Score:2)
Pfft. Put a hard steel frame with sufficient thickness around them, done.
Re: (Score:2)
No, no. It's the Department of Redundancy Department. Sheesh!
Re: (Score:2)
Not at all. The only thing that can be achieved here is obvious data corruption (i.e. reliably detected by the SSD). Encryption has no impact on that.
4 months old news (Score:2)
The link summarizes a paper presented 4 months ago in the HPCA'17 conference in Austin, why is this "news" now?
Re: (Score:2)
Indeed. Rowhammer was silent data changes that could be used for attacks. This is very obvious data corruption, and only if the design of the SSD is pretty bad. The whole comparison is pretty stupid.
How can that happen? (Score:2)
"Writing this data repeatedly and at high speeds causes errors in the SSD"
Why is this allowed to happen? Why isn't the write speed limited if abusing it can cause errors? How can this be an allowed operation? Since the drive is under complete control of its own firmware, why is this operation allowed to proceed or even take place?
"an attacker's exploit code causes the SSD to perform a large number of read operations in a very short time, which causes a phenomenon of "read disturb errors," that alters the SS