Hmm, it seems that all the pieces aren't in place yet. If I'm understanding correctly, the exploit technique they use relies on cross-page errors (causing errors in one page with accesses to another page), because the page with errors needs to get freed to the operating system to potentially reuse as PTEs, while still having the ability to cause the errors. There's a line on one of the slides that says you can use timing information to get cross-page information, but I'm really not sure what that means, and how feasible it is.

In addition, they need to find a double-bit error, one that would change both the writable bit and an address bit, if a PTE was in that place in memory. They mentioned that they tested their laptop for these errors, and they're possible, but much rarer--how rare? This point was kind of just glossed over.

I'd guess that these two combined would make an exploitable error much more unlikely.
Nice work, but didn't show an exploit or have one.

The "?" in the end of the talk title should tip you off, same clickbait as everyone else uses, sad.
The paper is available here:
http://arxiv.org/abs/1507.06955
Interestingly, in response to the first question they state that allegedly some brands of ECC memory are also vulnerable (by also hammering the checksum rows).
The speaker makes fun of Intel for calling a relatively trivial mapping of CPU physical address to DRAM addresses in the memory controller a "hash function". I'd like to point out that it is actually a hash function mathematically. The term "hash function" has a much looser definition and does not necessarily have any of the cryptographic properties that are common in cryptographically-secure hash functions. It's a clash of terminology, not a poor design decision by Intel. Intel has probably no interest in obfuscating that mapping and the fact that they leave it undocumented is probably just because they don't want to make compatibility guarantees if you somehow rely on the mapping for some reason.
Video: https://www.youtube.com/watch?v=LT54Jq_0kJk
I can't load the page: "Secure Connection Failed".

edit: video file is here http://c3media.vsos.ethz.ch/congress/2015/webm-hd/32c3-7197-en-de-Rowhammerjs_Root_privileges_for_web_apps_webm-hd.webm