11

Many memory modules from different manufacturers have been tested for vulnerability to the Rowhammer exploit. However, some researchers have anonymised their results, possibly for responsible disclosure reasons. Are there any reputable sources keeping track of the result of these tests? All I could find so far is:

Related to How to know whether a RAM module is vulnerable to rowhammer before buying?.

forest
l0b0
  • Possible duplicate of [How to detect Rowhammer vulnerability?](http://security.stackexchange.com/questions/135699/how-to-detect-rowhammer-vulnerability) – Yorick de Wid Sep 02 '16 at 13:38
  • 1
    @YorickdeWid No, it's not a duplicate. The other question is about **detecting** vulnerability, this is about which hardware has already been shown to be safe/unsafe. One is about what I can do about hardware I own, the other is about basically every piece of hardware out there. – l0b0 Sep 02 '16 at 13:40
  • 1
    [Google](https://googleprojectzero.blogspot.fr/2015/03/exploiting-dram-rowhammer-bug-to-gain.html) clearly stated that they did not anonymize the result because of some responsible disclosure as you state, but because a meaningful result would require testing a massive number of devices of each model in order to be able to generalize anything pertaining to this model (given two devices of the same model may not have the same resistance against this attack). The only remaining things are pro-active measures taken by constructors, but this is already covered in your linked topic. – WhiteWinterWolf Sep 02 '16 at 16:58
  • 2
    You cannot judge if the system is vulnerable only by memory models because the issue should be already mitigated by motherboard vendors increasing the refresh rates either in BIOS updates or advising users to do that in configuration. – KOLANICH Oct 08 '16 at 20:59
  • KOLANICH points out solution #3 of the paper's six potential solutions. He's also correct that looking for a manufacturer is probably a moot point unless you have a sea of servers you need to maintain, and need to figure out which ones need a BIOS update. Otherwise, you should be updating BIOS when your server manufacturer releases a firmware update that contains security fixes. – DrDamnit Aug 04 '17 at 17:33

1 Answer

2

The research paper itself which uncovered this did not specifically identify the manufacturers by name. In fact, they anonymized them on purpose. Suffice it to say that it would be reasonable to assume it was the majority of DRAM modules that have been recently manufactured:

From the paper:

As listed in Table 3, we tested for disturbance errors in a total of 129 DDR3 DRAM modules. They comprise 972 DRAM chips from three manufacturers whose names have been anonymized to A, B, and C. The three manufacturers represent a large share of the global DRAM market.

Source: Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors

DrDamnit