Bit flipping attacks – a risk to critical information infrastructure?
• Bit flipping attacks remain a potential issue for memory vendors
• Old hardware can be problematic for critical information infrastructure
• Open-source platforms enable system testing
When the Cyberspace Administration of China (CAC) put semiconductor chips produced by US firm Micron under cybersecurity review on 31 March 2023, the explanation raised more questions than it answered. China’s Cybersecurity Review Office cited Cybersecurity Review Measures – a 23-article regulatory text with a strong focus on the protection of critical information infrastructure – as the steps that it would take to complete the assessment.
And on 21 May 2023, China declared that Micron Technology’s products posed “serious network security risks” and banned operators of critical infrastructure from buying them. The finding of the review gave no specific details on why the CAC had put a stop to developers using Micron’s memory chips for critical information infrastructure applications within China.
Speculation is that the ban is in response to actions by the US that restrict China’s access to high-performance semiconductors. For example, the US CHIPS and Science Act, signed into law in August 2022, encourages leading chip makers to invest in facilities on American soil. And funding to that pool of companies is given on a number of conditions, which include providing full support to US endeavors at the expense of activity in China.
Stanford University’s DigiChina Project – which is a collaborative effort to understand China’s technology policy developments – points out how China’s Cybersecurity Reviews have continued to evolve. And the DigiChina team echoes that efforts targeting Micron Technology reveal little beyond the reasons given in the statutory language of the Cybersecurity Review Measures.
According to a translation of the CAC’s Cybersecurity Review Measures, a review would be initiated if a critical information infrastructure operator in China was seeking to procure one or more Micron products. And the Cybersecurity Review Office could choose to review the US chip supplier if they were faced with multiple filings to consider all approvals at once. But DigiChina Project’s experts also note that, “Other factors may have led the CRO to decide on a novel form of review.”
On TechHQ, we’ve highlighted how China’s unicorns (private companies valued at over US $1 billion) are thriving, including in areas such as semiconductors. China consumes a lot of memory chips, and the country’s leadership may feel that its domestic suppliers are now ready to support a greater number of those applications. Memory chip manufacturing has a habit of operating in boom-bust cycles, which leads to periods of over and undersupply globally.
Last month, Nikkei Asia reported that Samsung was reducing memory chip production based on a downturn in demand. Producers have been scaling up operations to recover from well-publicised supply chain issues, including those triggered by the global pandemic. But as chip makers have returned to pre-pandemic production levels, the macroeconomic situation has changed again. And high interest rates and the impact on consumer sentiment that go with them are affecting the number of memory chips that are being ordered.
Reducing memory chip imports to China would help domestic suppliers to weather a glut of components coupled with weak demand. But it’s also interesting to look at memory chips more generally and consider what the possible concerns for critical information infrastructure might be.
One of the most well-known attacks against DRAM chips is Rowhammer, which has been shown to affect designs made by multiple manufacturers. And it’s an interesting vulnerability to consider as it relates to a hardware failure mechanism. The memory defect shows that physics – rather than loopholes in software – can potentially open doors to attackers.
Rowhammer from a memory chip maker’s perspective is a ‘bad neighbour’ problem. As designs placed memory regions closer together, locations in adjacent rows became more likely to affect each other, with an entry in one row sometimes flipping a bit in a neighboring site. Designers handle these events with error correction code (ECC) memory, which can compensate for bit flipping.
But, as security researchers have shown, ECC schemes only account for a few bit flips at a time and cannot fully defend against Rowhammer attacks that target entire memory rows. Researchers identified fuzzing schemes that used multiple ‘aggressor’ rows to target a victim row and spill its memory contents into areas of the chip, which could be read by a determined attacker.
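The limit on ECC described above can be seen with a toy single-error-correcting, double-error-detecting (SECDED) Hamming code. This is an added example, not code from the article or from any memory vendor; the 8-bit codeword layout and the function names are assumptions chosen for illustration (ECC memory modules commonly protect 64 data bits with 8 check bits, but the same limit applies).

```python
def encode(nibble):
    """Encode 4 data bits as an 8-bit SECDED codeword (index 0 = overall parity)."""
    c = [0] * 8
    # Data bits sit at positions 3, 5, 6, 7; Hamming parity at 1, 2, 4.
    c[3], c[5], c[6], c[7] = [(nibble >> i) & 1 for i in range(4)]
    c[1] = c[3] ^ c[5] ^ c[7]
    c[2] = c[3] ^ c[6] ^ c[7]
    c[4] = c[5] ^ c[6] ^ c[7]
    c[0] = sum(c[1:]) & 1          # makes the parity of the whole word even
    return c

def flip(codeword, positions):
    """Return a copy of the codeword with the given bit positions inverted."""
    c = list(codeword)
    for p in positions:
        c[p] ^= 1
    return c

def decode(codeword):
    """Return (status, data) the way a SECDED memory controller would see it."""
    c = list(codeword)
    syndrome = 0
    for pos in range(1, 8):        # XOR of the positions of all set bits
        if c[pos]:
            syndrome ^= pos
    odd_parity = sum(c) & 1
    if syndrome == 0 and not odd_parity:
        status = "clean"
    elif odd_parity:
        # Odd number of flips: the decoder assumes exactly one and "repairs" it.
        c[syndrome] ^= 1           # syndrome 0 points at the overall parity bit
        status = "corrected"
    else:
        status = "uncorrectable"   # even number of flips: detected, not fixed
    data = c[3] | c[5] << 1 | c[6] << 2 | c[7] << 3
    return status, data

def demo(value=0b1011):
    """Constructed sample: the same stored value with 1, 2 and 3 flipped bits."""
    word = encode(value)
    return {
        "one_flip": decode(flip(word, [6])),
        "two_flips": decode(flip(word, [3, 6])),
        "three_flips": decode(flip(word, [3, 5, 6])),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

With three flips the decoder reports a successful correction while returning the wrong data, so a count of corrected errors alone does not show that the stored contents are intact.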
Device makers responded to the discovery, which was publicized by Google’s Project Zero security team in 2015, by increasing the memory refresh rate, which narrows the window for bit flipping. For example, Apple mentions Rowhammer specifically in updates applied to its EFI for Mac users. But upping the refresh rate impacts the efficiency of the chip, and could still leave devices vulnerable.
Onur Mutlu, a renowned expert in computer memory vulnerabilities, points out that refresh intervals need to be seven times more frequent to fully defend against Rowhammer attacks, which is not a practical solution due to the impact on chip performance. And Rowhammer isn’t just limited to older DDR3 memory modules, as many users may believe.
Bit flipping affects smartphones too
More recently, security researchers in the Netherlands have demonstrated that DDR4 chips (even those that have Target Row Refresh enabled, which was thought to be an effective mitigation) can be vulnerable to Rowhammer attacks too. And the same team has gone on to show that LPDDR4 modules used in smartphones can be similarly affected, having demonstrated that it’s possible to carry out bit flipping in a variety of mobile devices such as Samsung’s Galaxy S10 and Google’s Pixel 3.
When it becomes necessary to defend against physics and not just vulnerabilities in computer code, things definitely become much tougher for security teams. Vendors can issue software security updates, but patching physics isn’t as straightforward. New physical designs can be integrated into the next generation of devices, but what about all of the existing hardware that’s already in use?
And this is a consideration for critical information infrastructure. While the CAC is concentrating its efforts on policing products being built today, what about those that were deployed years ago and may feature older DDR3 memory modules? Fortunately, it’s possible for users to at least test systems to see whether their setup is at risk. For example, Antmicro has developed an open source platform that Google has used in analyzing Rowhammer threats.
28 September 2023