
Rowhammer-like attack on SSDs can provide root privileges to attacker - el_duderino
http://www.myce.com/news/ibm-researchers-rowhammer-like-attack-ssds-can-provide-root-privileges-attacker-82386/
======
ericseppanen
The full paper is here:
[https://www.usenix.org/system/files/conference/woot17/woot17...](https://www.usenix.org/system/files/conference/woot17/woot17-paper-kurmus.pdf)

I am unconvinced. They have not demonstrated an attack on any real-world SSD;
instead they have attacked their own FPGA-based design.

The attack assumes that you can control or predict the physical location of
data on an SSD, which is unlikely on a system that is doing other I/O.

But worst of all, the "attack" assumes that if you can target the right
physical block/pages in flash, you can somehow hit that location with
sufficient read-disturb that the result will decode successfully, AND pass ECC
checks, meaning the resulting bad data will be returned to the host system.

I am highly skeptical that this could ever work on a real SSD. The combination
of BCH/LDPC error-correction codes combined with a final checksum should make
"random bit flipping" impossible to leverage.

Oh, and there's one more thing: SSD firmware keeps counters, to ensure that
read disturb can't corrupt data. Any read pattern that hammers a particular
location will trigger garbage collection or data rewrite to a fresh location.

~~~
akurms
Author here, I would like to set the record straight.

We do not claim to have an attack on SSDs. The journalist seems to have
misunderstood and not read the paper. The attack demonstrated is not on an
FPGA or SSD.

The main point this paper makes and demonstrates is that if you can cause
corruption of a full block (i.e., completely garble contents of a chosen
block), then you can elevate privileges (with some assumptions, like using
ext3). Note that this result does not depend on whether you are using an SSD,
a disk, or any other storage for your filesystem.

~~~
ericseppanen
Are you claiming that a random-bit-flipping attack such as targeted read
disturb can cause corrupted data to be returned even through data scrambling,
a first-level LDPC check and a final CRC check on the output?

From your paper: "We assume that the victim system runs a filesystem on top of
MLC NAND flash-based SSD."

It seems very naive to be surprised that people would assume this is an attack
on SSDs.

~~~
fulafel
The flash weakness is clearly documented as just being part of their threat
model, not part of their research. They say that their contribution is in the
filesystem part of the attack, to build on a weakness proposed by a previous
flash layer focused paper. So this is completely OK.

If you want to critique the flash paper, or how this paper represents that
paper's findings, you should turn your attention to:

Yu Cai, Saugata Ghose, Yixin Luo, Ken Mai, Onur Mutlu, and Erich Haratsch.
"Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis,
Exploits, and Mitigation Techniques". In: 23rd IEEE International Symposium
on High Performance Computer Architecture. 2017.

I found a PDF link too:
[https://pdfs.semanticscholar.org/b9bc/a3c9f531002854af48de12...](https://pdfs.semanticscholar.org/b9bc/a3c9f531002854af48de121cdcc8e0520c7f.pdf)

~~~
ericseppanen
I agree the earlier paper shares the same misconceptions.

I don't agree that the authors of the present paper are exempt from criticism
for this reason.

------
dmitrygr
This is idiocy. Modern drives AES encrypt data to provide whitening. You do
not have the key nor do you set it or care for it. Without it you'll not be
able to pull this off. Their attack will only work on very old SSDs that do
not whiten data. All modern MLC/TLC chips REQUIRE whitening and AES is often
used since it whitens well and is fast.

~~~
burkaman
This would be a much more productive comment if you took out the first
sentence.

~~~
wyager
I think the meme of "never say anything harsh lest you make someone sad" is
counterproductive. It's very important to productive discourse that people are
able to express the entire range of _intensity_ with which they may feel an
opinion. In particular, if something is stupid you should be able to say so.

~~~
burkaman
You can be as harsh as you need without being a dick. Just address the content
and what's wrong with it, not how stupid you think the author is. On the very
rare occasion that it's useful to talk about someone's intelligence, you
should say more than "you're an idiot".

~~~
jtbayly
Maybe you're not aware that in English there is a difference between saying
"You're an idiot." and "This is idiocy."

~~~
burkaman
I don't want to get into an argument about definitions or semantics. Those
phrases are different, but they come across similarly to me and many others,
at least in this context. That's really all that matters in a casual
discussion like this.

I understand not everyone will have the same reaction. I don't pretend to
speak for everyone, but I suspect I speak for the majority.

------
wmf
Mods, please change URL to original source:
[https://www.usenix.org/conference/woot17/workshop-program/pr...](https://www.usenix.org/conference/woot17/workshop-program/presentation/kurmus)

~~~
groupmonoid
This really needs to be done. The journalist's article has nothing to do with
the paper (I do not think the journalist read the paper)

~~~
heisenbit
They may have read but they clearly did not understand. Looks like they
realized it now:

> Update: Our reporting was incorrect, here is a comment from the author of
> the report: "Author here, I would like to set the record straight. We do not
> claim to have an attack on SSDs. The journalist seems to have misunderstood
> and not read the paper. The attack demonstrated is not on an FPGA or SSD.
> The main point this paper makes and demonstrates is that if you can cause
> corruption of a full block (i.e., completely garble contents of a chosen
> block), then you can elevate privileges (with some assumptions, like using
> ext3). Note that this result does not depend on whether you are using an
> SSD, a disk, or any other storage for your filesystem."

------
X-Istence
Google cache as it seems to be offline for me:
[http://webcache.googleusercontent.com/search?q=cache:LREtpAA...](http://webcache.googleusercontent.com/search?q=cache:LREtpAAixkMJ:www.myce.com/news/ibm-researchers-rowhammer-like-attack-ssds-can-provide-root-privileges-attacker-82386/+&cd=1&hl=en&ct=clnk&gl=us)

------
Teknoman117
If such an attack were able to reliably set data in a flash device, could this
be defeated by whole disk encryption and block checksums? Whole disk
encryption would be to counter the ability to set precise values (checksums
would be no use if you could just set a correct one in your attack) and then
checksums to detect, well, data corruption?
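The trade-off raised in the question above, as an added illustration that is not from the paper or any commenter: an unkeyed per-block checksum catches random garbling but is trivially recomputed by anyone who can write exact bytes, whereas a keyed integrity tag cannot be recomputed without the key. The block size, key and block contents are constructed for the demo.

```python
import hashlib
import hmac
import random
import zlib

BLOCK_SIZE = 4096
KEY = b"constructed-demo-key"   # assumption: device/FS key the attacker never learns
GOOD_BLOCK = bytes(range(256)) * (BLOCK_SIZE // 256)   # constructed block contents


def crc_tag(block: bytes) -> bytes:
    """Unkeyed per-block checksum: detects accidents, not deliberate rewrites."""
    return zlib.crc32(block).to_bytes(4, "big")


def mac_tag(block: bytes, key: bytes = KEY) -> bytes:
    """Keyed integrity tag: recomputing it for new contents requires the key."""
    return hmac.new(key, block, hashlib.sha256).digest()


def garble(block: bytes, nflips: int = 64, seed: int = 1) -> bytes:
    """Read-disturb style corruption: flip nflips pseudo-random bits."""
    rng = random.Random(seed)
    buf = bytearray(block)
    for _ in range(nflips):
        bit = rng.randrange(len(buf) * 8)
        buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def random_garble_accepted():
    """Corruption hits the data but leaves the stored tags untouched.
    Returns (crc_accepts, mac_accepts)."""
    bad = garble(GOOD_BLOCK)
    return (hmac.compare_digest(crc_tag(bad), crc_tag(GOOD_BLOCK)),
            hmac.compare_digest(mac_tag(bad), mac_tag(GOOD_BLOCK)))


def precise_write_accepted(attacker_key: bytes = b"guess"):
    """Attacker can set exact block contents and overwrite the tag field too,
    but has to compute the keyed tag with a guessed key.
    Returns (crc_accepts, mac_accepts)."""
    chosen = b"attacker-chosen-contents".ljust(BLOCK_SIZE, b"\0")
    forged_crc = crc_tag(chosen)                  # recomputable by anyone
    forged_mac = mac_tag(chosen, attacker_key)    # wrong key, wrong tag
    return (hmac.compare_digest(forged_crc, crc_tag(chosen)),
            hmac.compare_digest(forged_mac, mac_tag(chosen)))
```

The first scenario yields (False, False): either check rejects random corruption; the second yields (True, False): only the keyed tag survives an attacker who can write precise values.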

------
pkaye
I couldn't get access to the video. How do they work around the error
correction and wear leveling algorithms?

~~~
alternateben
They don't. I was at the presentation. It assumes that the target FS is ext3
and one has bypassed the mitigations you mention and any others that get in
the way. Mention is made of previous generation SSD tech that was vulnerable
to charge leakage during IO to adjacent cells.

~~~
rhizome
Assuming a spherical SSD...

