deterministic rowhammer attacks
play

Deterministic Rowhammer Attacks on Mobile Platforms by A bunch of - PowerPoint PPT Presentation

Jun 16, 2023 •147 likes •2.07k views

Drammer: Deterministic Rowhammer Attacks on Mobile Platforms by A bunch of pasty faced sad sack nerds sitting in a basement want to sound cool and tough, like they've just done a tour in 'Nam. [slashdot] Drammer: Deterministic Rowhammer

  1. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview 1. Memory Templating Scan memory for useful bit flips 2. Land sensitive data Store a crucial data structure on a vulnerable page 3. Reproduce the bit flip Modify the data structure and get root acces

  2. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview 1. Memory Templating Scan memory for useful bit flips 2. Land sensitive data Store a crucial data structure on a vulnerable page

  3. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview 1. Memory Templating Scan memory for useful bit flips 2. Land a Page Table Store a page table on a vulnerable page But why?

  4. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses

  5. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses Example lookup for input virtual address 0xb6a5717f 1 0 1 1 0 1 1 0 1 0 1 0 0 1 0 1 0 1 1 1 0 0 0 1 0 1 1 1 1 1 1 1

  6. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses Example lookup for input virtual address 0xb6a5717f 1 0 1 1 0 1 1 0 1 0 1 0 0 1 0 1 0 1 1 1 0 0 0 1 0 1 1 1 1 1 1 1 • Highest 12 bits: level 1 table index ( Translation Table Base Register )

  7. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses Example lookup for input virtual address 0xb6a5717f 1 0 1 1 0 1 1 0 1 0 1 0 0 1 0 1 0 1 1 1 0 0 0 1 0 1 1 1 1 1 1 1 • Highest 12 bits: level 1 table index ( Translation Table Base Register ) • Middle 8 bits: level 2 table index

  8. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses Example lookup for input virtual address 0xb6a5717f 1 0 1 1 0 1 1 0 1 0 1 0 0 1 0 1 0 1 1 1 0 0 0 1 0 1 1 1 1 1 1 1 • Highest 12 bits: level 1 table index ( Translation Table Base Register ) • Middle 8 bits: level 2 table index • Lowest 12 bits: offset in page

  9. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses Example lookup for input virtual address 0xb6a5717f 1 0 1 1 0 1 1 0 1 0 1 0 0 1 0 1 0 1 1 1 0 0 0 1 0 1 1 1 1 1 1 1 • Highest 12 bits: level 1 table index ( Translation Table Base Register ) • Middle 8 bits: level 2 table index • Lowest 12 bits: offset in page TTBR 0x1b17f000 0x462b000 1 st level Table Page Table (2 nd level) Requested Page

  10. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries Entry in the (2 nd level) Page Table 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x

  11. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries Entry in the (2 nd level) Page Table 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x • 12 bits of properties

  12. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries Entry in the (2 nd level) Page Table 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x • 12 bits of properties • 20 bits for the page base address

  13. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries Entry in the (2 nd level) Page Table 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x 0x1b17f << 12 • 12 bits of properties 0x1b17f000 • 20 bits for the page base address mapped page What if we flip a bit in the entry?

  14. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries Entry in the (2 nd level) Page Table 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x 0x1b17f << 12 • 12 bits of properties 0x1b17f000 • 20 bits for the page base address mapped page 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 0 x x x x x x x x x x x x

  15. Rowhammer Attacks on Page Table Entries Entry in the (2 nd level) Page Table 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x 0x1b17f << 12 • 12 bits of properties 0x1b17e000 0x1b17f000 • 20 bits for the page base address mapped page mapped page 0x1b17e << 12 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 0 x x x x x x x x x x x x

  16. Rowhammer Attacks on Page Table Entries Entry in the (2 nd level) Page Table 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x 0x1b17f << 12 • 12 bits of properties 0x1b17e000 0x1b17f000 • 20 bits for the page base address mapped page mapped page 0x1b17e << 12 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 0 x x x x x x x x x x x x A 1-to- 0 flip moves the mapping ‘to the left’ • Flip offset 0: – 1 page • Flip offset 1: – 2 pages • Flip offset 2: – 4 pages – 2 n pages • Flip offset n :

  17. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table

  18. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 1b17f Mapped Page Page Table

  19. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 1b17f Mapped Page Page Table Virtual address 0xb6a57000 maps to Page Table Entry: 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x which translates to physical page 0x1b17f000

  20. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 2. Flip bit 2 in the page table entry 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 1b17f Mapped Page Page Table Virtual address 0xb6a57000 maps to Page Table Entry: 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x which translates to physical page 0x1b17f000

  21. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 2. Flip bit 2 in the page table entry 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 1b17b Mapped Page Table Virtual address 0xb6a57000 maps to Page Table Entry: 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 0 1 x x x x x x x x x x x x which translates to physical page 0x1b17b000

  22. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 2. Flip bit 2 in the page table entry 3. Write page table entries 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 1b17b Mapped Page Table Virtual address 0xb6a57000 maps to Page Table Entry: 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 0 1 x x x x x x x x x x x x which translates to physical page 0x1b17b000

  23. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 2. Flip bit 2 in the page table entry 3. Write page table entries 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 3ac90 3ac91 3ac92 3ac93 3ac94 3ac95 3ac96 1b17b 3ac97 3ac98 3ac99 3ac9a 3ac9b 3ac9c 3ac9d 3ac9e Mapped Page Table Virtual address 0xb6a57000 maps to Page Table Entry: 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 0 1 x x x x x x x x x x x x which translates to physical page 0x1b17b000

  24. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 2. Flip bit 2 in the page table entry 3. Write page table entries 4. Read/write kernel memory 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 3ac90 3ac91 3ac92 3ac93 3ac94 3ac95 3ac96 1b17b 3ac97 3ac98 3ac99 3ac9a 3ac9b 3ac9c 3ac9d 3ac9e Mapped Page Table Virtual address 0xb6a57000 maps to Page Table Entry: 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 0 1 x x x x x x x x x x x x which translates to physical page 0x1b17b000

  25. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 2. Flip bit 2 in the page table entry 3. Write page table entries 4. Read/write kernel memory 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 3ac90 3ac91 3ac92 3ac93 3ac94 3ac95 3ac96 1b17b 3ac97 3ac98 3ac99 3ac9a 3ac9b 3ac9c 3ac9d 3ac9e Mapped Page Table Virtual address 0xb6a57000 maps to 0x1b17b000 Virtual address 0xb6a58000 maps to 0x3ac97000 Virtual address 0xb6a59000 maps to 0x3ac98000

  26. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview 1. Memory Templating Scan memory for useful bit flips 2. Land a Page Table Store a page table on a vulnerable page But how?

  27. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication)

  28. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui

  29. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui Physical memory:

  30. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Exhaust all memory

  31. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Exhaust all memory

  32. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Release the vulnerable page

  33. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Release the vulnerable page

  34. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Trigger a Page Table Allocation

  35. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Trigger a Page Table Allocation

  36. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui Exploit the predictable behavior of the Buddy Allocator Physical Memory 16 * 4KB pages = 64 KB rows

  37. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) Physical Memory 16 * 4KB pages = 64 KB rows

  38. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) 1024KB 512KB

  39. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory 1024KB 512KB

  40. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory 1024KB 256KB 256KB

  41. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory 1024KB 128KB 128KB 256KB

  42. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory 1024KB 64KB 64KB 128KB 256KB

  43. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory 1024KB X1 64KB 128KB 256KB

  44. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory 1024KB X1 64KB 128KB 256KB

  45. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory 1024KB X1 32KB 32KB 128KB 256KB

  46. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory 1024KB X1 16KB 16KB 32KB 128KB 256KB

  47. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory 1024KB X1 8KB 8KB 16KB 32KB 128KB 256KB

  48. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory 1024KB X1 X2 8KB 16KB 32KB 128KB 256KB

  49. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X3 = __get_free_pages(flags, 5); // get 2 3 = 32KB of memory 1024KB X1 X2 8KB 16KB 32KB 128KB 256KB

  50. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) P3 = __get_free_pages(flags, 5); // get 2 3 = 32KB of memory 1024KB X1 X2 8KB 16KB X3 128KB 256KB

  51. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) free_pages(X2, 3); // free X2 1024KB X1 X2 8KB 16KB X3 128KB 256KB

  52. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) free_pages(X2, 3); // free X2 1024KB X1 8KB 8KB 16KB X3 128KB 256KB

  53. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) free_pages(X2, 3); // free X2 1024KB X1 16KB 16KB X3 128KB 256KB

  54. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) free_pages(X2, 3); // free X2 1024KB X1 32KB X3 128KB 256KB

  55. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui Deterministic Rowhammer exploitation in 8 steps 1024KB X1 32KB X3 128KB 256KB

  56. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks L1, L2, …, Ln = exhaust(L); 1024KB X1 32KB X3 128KB 256KB

  57. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks L1, L2, …, Ln = exhaust(9); // get all 2^9 = 512KB chunks 512KB 512KB X1 32KB X3 128KB 256KB

  58. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks L1, L2, …, Ln = exhaust(L); // get all 2^9 = 512KB chunks L1 L2 X1 32KB X3 128KB 256KB

  59. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L1, 2); // hammer row 2 of chunk L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L1 L2 X1 32KB X3 128KB 256KB

  60. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L1, 3); // hammer row 3 of chunk L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KB X3 128KB 256KB

  61. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L1, 4); // hammer row 4 of chunk L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KB X3 128KB 256KB

  62. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L1, 5); // hammer row 5 of chunk L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KB X3 128KB 256KB

  63. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L1, 6); // hammer row 6 of chunk L1 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KB X3 128KB 256KB

  64. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L1, 7); // hammer row 7 of chunk L1 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KB X3 128KB 256KB

  65. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L2, 2); // hammer row 2 of chunk L2 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KB X3 128KB 256KB

  66. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L2, 3); // hammer row 3 of chunk L2 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KB X3 128KB 256KB

  67. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks “exploitable flip found in page 5 of virtual row 3 of L2!” L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 11111111111111111111111111 0 1111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KB X3 128KB 256KB

Recommend

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER ROWHAMMER Bit Flip ROWHAMMER A hardware glitch Causes charge to leak in DRAM DRAM row activations cause bit flips ROWHAMMER + NACL ROWHAMMER +

755 views • 19 slides
Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos Rowhammer (RH) causes bits to flip Exploit to escalate privilege [Seaborn 15]

437 views • 41 slides
RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM

RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM

Rapid Detection of RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM DEBDEEP MUKHOPADHYA NANYANG TECHNOLOGICAL UNIVERSITY, SINGAPORE INDIAN INSTITUTE OF TECHNOLOGY, KHARAGPUR Overview

362 views • 17 slides
S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel

S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel

S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel el Mogh ghimi (@danielmgmi), Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth, Berk Sunar Worcest ster Polytechnic

999 views • 51 slides
RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background

RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background

RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background Discussion (Strengths/Weaknesses) RowHammer-based Attack Mitigation Techniques Circuit-level Studies Other Works RowHammer in

382 views • 19 slides
Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi Outline Data Dependency SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

663 views • 28 slides
Rowhammer Plagiarized from:

Rowhammer Plagiarized from:

Rowhammer Plagiarized from: https://en.wikipedia.org/wiki/Row_hammer#/media/File:Row_hammer.svg Step #1: Find aggressor and victim Allocate a large chunk of memory, like 1GB Aggressors X and Y must be different rows in the same bank

261 views • 12 slides
MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *,

MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *,

MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *, Jaehyuk Lee , Sangho Lee , and Taesoo Kim Oregon State University* KAIST Georgia Institute of Technology TL;DR SGX locks up the

503 views • 24 slides
Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim Nivre, 2013 Seminarvortrag Pius Meinert July 13, 2018 Training Deterministic Parsers with Non-Deterministic Oracles root PRD SBJ DOBJ IOBJ

842 views • 47 slides
From normal to anomalous deterministic diffusion Part 1: Normal deterministic diffusion Rainer

From normal to anomalous deterministic diffusion Part 1: Normal deterministic diffusion Rainer

Outline Chaotic maps Deterministic diffusion End From normal to anomalous deterministic diffusion Part 1: Normal deterministic diffusion Rainer Klages Queen Mary University of London, School of Mathematical Sciences Sperlonga, 20-24

465 views • 29 slides
RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an electron SRAM: static RAM

RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an electron SRAM: static RAM

RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an electron SRAM: static RAM DRAM: dynamic RAM http://en.wikipedia.org/wiki/Static_random-access_memory#/media/File:

338 views • 11 slides
If It's Not Deterministic, It's Crap: Deterministic Machine Learning and Molecular Dynamics

If It's Not Deterministic, It's Crap: Deterministic Machine Learning and Molecular Dynamics

If It's Not Deterministic, It's Crap: Deterministic Machine Learning and Molecular Dynamics Spoilers GPUs/FPGAs/CPUs/ASICs ad nauseum AMBER Molecular Dynamics Determinism Matters Multi-GPU Servers Neural Networks

1.04k views • 68 slides
Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation

Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation

Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation of deterministic approaches Continuous, deterministic models cant cope with: 1. Sensitivity to a very small number of molecules 2. Protein

1.14k views • 66 slides
Deterministic PDAs As mentioned before Pushdown Automata Our basic PDA in

Deterministic PDAs As mentioned before Pushdown Automata Our basic PDA in

Deterministic PDAs As mentioned before Pushdown Automata Our basic PDA in non-deterministic We can define a Deterministic PDA (DPDA) as follows: Determinism Let M = (Q, , , , q 0 , Z 0 , F) be a PDA M is

159 views • 3 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
A monad for deterministic parallelism Simon Marlow (MSR) Ryan Newton (Intel) Parallel

A monad for deterministic parallelism Simon Marlow (MSR) Ryan Newton (Intel) Parallel

A monad for deterministic parallelism Simon Marlow (MSR) Ryan Newton (Intel) Parallel programming models Deterministic Non-deterministic Implicit FDIP par/pseq Strategies ??? Concurrent Haskell Explicit The Par Monad Par is a monad for

1.2k views • 35 slides
Probability Theory Probability Models for random phenomena Phenomena Non-deterministic

Probability Theory Probability Models for random phenomena Phenomena Non-deterministic

Probability Theory Probability Models for random phenomena Phenomena Non-deterministic Deterministic Deterministic Phenomena There exists a mathematical model that allows perfect prediction the phenomenas outcome.

1.47k views • 113 slides
Deterministic Networking Lab Part Bernhard Frmel Institut fr Technische Informatik

Deterministic Networking Lab Part Bernhard Frmel Institut fr Technische Informatik

Deterministic Networking Lab Part Frmel Deterministic Networking Lab Part Bernhard Frmel Institut fr Technische Informatik Technische Universitt Wien - 182.730 Deterministic Networking VU SS14 23. 05. 2014 1/34 Deterministic

939 views • 35 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
BU CS 332 Theory of Computation Lecture 2: Reading: Deterministic Finite Automata

BU CS 332 Theory of Computation Lecture 2: Reading: Deterministic Finite Automata

BU CS 332 Theory of Computation Lecture 2: Reading: Deterministic Finite Automata Sipser Ch 1.1-1.2 Regular Operations Non-deterministic FAs Mark Bun January 27, 2020 Deterministic Finite Automata 1/26/2020 CS332 - Theory

561 views • 40 slides
Deterministic vs. stochastic models In deterministic models, the output of the model is fully

Deterministic vs. stochastic models In deterministic models, the output of the model is fully

Deterministic vs. stochastic models In deterministic models, the output of the model is fully determined by the parameter values and the initial conditions initial conditions. Stochastic models possess some inherent randomness. The same set

531 views • 12 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
BU CS 332 Theory of Computation Lecture 2: Reading: Deterministic Finite Automata Sipser

BU CS 332 Theory of Computation Lecture 2: Reading: Deterministic Finite Automata Sipser

BU CS 332 Theory of Computation Lecture 2: Reading: Deterministic Finite Automata Sipser Ch 1.1 1.2 Regular Operations Non deterministic FAs Mark Bun January 27, 2020 Deterministic Finite Automata 1/29/2020 CS332

536 views • 34 slides
DETERMINISTIC MEAN FIELD GAMES Italo Capuzzo Dolcetta Sapienza Universit` a di Roma and GNAMPA

DETERMINISTIC MEAN FIELD GAMES Italo Capuzzo Dolcetta Sapienza Universit` a di Roma and GNAMPA

DETERMINISTIC MEAN FIELD GAMES DETERMINISTIC MEAN FIELD GAMES Italo Capuzzo Dolcetta Sapienza Universit` a di Roma and GNAMPA - Istituto di Alta Matematica DETERMINISTIC MEAN FIELD GAMES A classical optimization problem Given a time interval

672 views • 38 slides

More recommend