By: hobold (hobold.delete@this.vectorizer.org), September 17, 2022 6:57 am
Room: Moderated Discussions
anonymou5 (no.delete@this.spam.com) on September 16, 2022 4:50 pm wrote:
[...]
> "But this is different." I hear you say. "Since it's not under the attacker's control."
That was not the argument I had prepared. Mine goes like "ECC codes are not crossing a protection boundary".
If you want to use ECC status (pass/fail) as some sort of side channel, you need to attack the ECC bits first (Rowhammer says hello). If you can do that, you don't really need any subsequent attack stages.
Of course there might be value in measuring data retention quality in specific cache locations, and maybe this information could be helpful in aiming some other attack against another thread on the same core. But SMT is already getting turned off when people need that kind of strict separation.
(Remember that I am not trying to sell you any particular method or patent. If you can shoot down this approach, please do so before anyone implements it. The world will be a better place.)