exploiting correcting codes on the effectiveness of ecc
play

Exploiting Correcting Codes: On the Effectiveness of ECC Memory - PowerPoint PPT Presentation

Nov 18, 2023 •27 likes •437 views

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos Rowhammer (RH) causes bits to flip Exploit to escalate privilege [Seaborn 15]

  1. Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos

  3. Rowhammer (RH) causes bits to flip Exploit to escalate privilege [Seaborn ’15] ● Exploit to escape sandboxes [Seaborn ’15, Gruss ’18] ● Exploit to compromise confidentiality [Razavi ‘16] ● Exploit different targets: ● Desktop computers (browser, local shell etc.) – On phones [van der Veen ‘17], on GPUs [Frigo ‘18] – Over the network [Tatar ‘18, Lipp ‘18] –

  4. Previous RH attacks are on non-server memory 1 2 3 4 5 6 7 8

  5. Previous RH attacks are on non-server memory 1 2 3 4 5 6 7 8 ECCploit, RH on server (ECC) memory 1 2 3 4 C 5 6 7 8

  6. Overview 1) Challenges for RH on ECC memory 2) Single-bit flips on ECC memory 1) Causing them 2) Observing them 3) Reverse engineering of ECC functions 4) Performance of Rowhammer on ECC memory

  7. What makes the exploitation of ECC memory difficult?

  8. BIT FLIPS BIT FLIPS

  9. It is hard (and dangerous) to get 3 bit flips Probability of X bits to be flipped 1 bit flipped 2 bits flipped 3 bits flipped

  10. It is hard (and dangerous) to get 3 bit flips Probability of X bits to be flipped Corrected by ECC 1 bit flipped 2 bits flipped 3 bits flipped

  11. It is hard (and dangerous) to get 3 bit flips Probability of X bits to be flipped Corrected by ECC 1 bit flipped Potentially uncorrectable 2 bits flipped machine crash 3 bits flipped

  12. It is hard (and dangerous) to get 3 bit flips Probability of X bits to be flipped Corrected by ECC 1 bit flipped Potentially uncorrectable 2 bits flipped machine crash Potentially uncorrectable 3 bits flipped potentially undetectable

  13. It is hard (and dangerous) to get 3 bit flips Probability of X bits to be flipped Corrected by ECC 1 bit flipped Potentially uncorrectable 2 bits flipped machine crash Potentially uncorrectable 3 bits flipped potentially undetectable Kind of useless for Rowhammer

  14. It is hard (and dangerous) to get 3 bit flips Probability of X bits to be flipped Corrected by ECC 1 bit flipped Potentially uncorrectable 2 bits flipped machine crash Potentially uncorrectable 3 bits flipped potentially undetectable Rowhammer on ECC memory is a mere DoS attack!

  15. It is hard (and dangerous) to get 3 bit flips Probability of X bits to be flipped Corrected by ECC 1 bit flipped Potentially uncorrectable 2 bits flipped machine crash Potentially uncorrectable 3 bits flipped potentially undetectable ECCploit is an upgrade from the DoS attack. ECCploit only causes undetectable bit flips

  16. Q: How to get from one bit flip to three bit flips without hitting two bit flips? 1 3

  17. A: Templating bit flips on ECC memory (ECCploit) 1. Get single bit flips 2. Combine them to cause silent corruptions (same ECC)

  18. Challenge: causing a single bit to flip

  19. Challenge: causing a single bit to flip 1 1 1 1 1 1 ... 1 A V 0 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 A

  20. Challenge: causing a single bit to flip 1 1 1 1 1 1 ... 1 A V 0 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 A

  21. Challenge: causing a single bit to flip 1 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 A A: A: V 0 1 1 1 1 1 ... 1 V: 1 0 1 1 1 1 ... 1 V: 1 1 0 1 1 1 ... 1 1 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 A A: A: A: 1 1 1 1 1 1 ... 1 A: 1 1 1 1 1 1 ... 1 A: 1 1 1 1 1 1 ... 1 V: 1 1 1 0 1 1 ... 1 V: 1 1 1 1 0 1 ... 1 V: 1 1 1 1 1 0 ... 1 1 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 A: A: A:

  22. Challenge: observing a single bit flip

  23. Challenge: observing a single bit flip

  24. ECC correction is observable Word offset inside row

  25. A: Templating bit flips on ECC memory (ECCploit) 1. Get single bit flips 2. Combine them to cause silent corruptions (same ECC)

  26. Challenge: finding a suitable 3 bit flip that cause silent corruptions

  27. Challenge: finding a suitable 3 bit flip that cause silent corruptions

  28. Challenge: finding a suitable 3 bit flip that cause silent corruptions Reverse engineering the ECC implementation

  29. ECC errors reveal the ECC function Fault injection on the memory bus Cold-boot attack

  30. ECC errors reveal the ECC function Fault injection on the memory bus Cold-boot attack

  31. CPU writes data and control bits 1 2 3 4 64 bits of data 64 bits of data Memory C Controller 8 bits of ECC 5 6 7 8 ECC bits are stored *ptr = data; ControlBits = ECC(data); next to data

  32. CPU writes data and control bits 1 2 3 4 64 bits of data 64 bits of data Memory C Controller 8 bits of ECC 5 6 7 8 ECC bits are stored *ptr = data; ControlBits = ECC(data); next to data

  33. CPU reads data and checks control bits 1 2 3 4 64 bits of data 64 bits of data Memory C Controller 8 bits of ECC 5 6 7 8 CB_exp = ECC(data); ECC bits are stored data = *ptr; if (CB_read != CB_exp) next to data Error( DataForRAS );

  34. We can reconstruct the ECC function by observing ECC errors 1 2 3 4 64 bits of data 64 bits of data Memory C Controller 8 bits of ECC 5 6 7 8 CB_exp = ECC(data); ECC bits are stored data = *ptr; if (CB_read != CB_exp) next to data Error( DataForRAS );

  35. We can reconstruct the ECC function by observing ECC errors 1 2 3 4 64 bits of data 64 bits of data Memory C Controller 8 bits of ECC 5 6 7 8 CB_exp = ECC(data); ECC bits are stored data = *ptr; if (CB_read != CB_exp) next to data Error( DataForRAS );

  36. We can reconstruct the ECC function by observing ECC errors 1 2 3 4 64 bits of data 64 bits of data Memory C Controller 8 bits of ECC 5 6 7 8 CB_exp = ECC(data); ECC bits are stored data = *ptr; if (CB_read != CB_exp) next to data Error( DataThatWeUseForRE );

  37. ECCploit attack 1) Recover the ECC function (offline) 2) Template the memory 1) Avoid crashes by triggering only single-bit flips 2) Knowing the ECC function, combine single bit flips in undetectable bit flips 3) Massage the memory 4) Run the Exploit

  38. How long it takes to template ECC memory for Rowhammer?* *On our setup

  39. How long it takes to template ECC memory for Rowhammer?* ● If a perfect side channel (bit granularity) it takes: – 32 minutes for PTE or code change – 2 hours for the RSA key attack *On our setup

  40. How long it takes to template ECC memory for Rowhammer?* ● If a perfect side channel (bit granularity) it takes: – 32 minutes for PTE or code change – 2 hours for the RSA key attack ● If a typical side channel (word granularity) it takes: – 19 hours for PTE or code change – 3 days for RSA key attack *On our setup

  41. Error Correcting Codes: Only Slow Down Rowhammer Attacks https://vusec.net/projects/eccploit

Recommend

G ENERALIZED R EED -S OLOMON CODES (GRS CODES ) A CHARACTERIZATION OF MDS CODES THAT HAVE AN ERROR

G ENERALIZED R EED -S OLOMON CODES (GRS CODES ) A CHARACTERIZATION OF MDS CODES THAT HAVE AN ERROR

A CHARACTERIZATION OF MDS CODES THAT HAVE AN ERROR CORRECTING PAIR I NTRODUCTION TO C ODING T HEORY MDS CODES A CHARACTERIZATION OF MDS CODES THAT GRS CODES HAVE AN ERROR CORRECTING PAIR ECP M OTIVATION O UR GOAL ARQUEZ -C ORBELLA 1 R. P ELLIKAAN

689 views • 19 slides
Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of

Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of

Rohan Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of Correcting Codes Linear Error Correcting codes and Hadamard Codes Hamming Reed Solomon Code Definitions Basic Def An Error code is

291 views • 18 slides
Error-Correcting codes: Application of convolutional codes to Video Streaming Diego Napp

Error-Correcting codes: Application of convolutional codes to Video Streaming Diego Napp

Introduction to Error-correcting codes Two challenges that recently emerged Block codes vs convolutional codes Error-Correcting codes: Application of convolutional codes to Video Streaming Diego Napp Department of Mathematics, Universidad of

1.13k views • 96 slides
Codes Correcting Under- and Over-Shift Errors in Racetrack Memories Presented by: Van Khu Vu

Codes Correcting Under- and Over-Shift Errors in Racetrack Memories Presented by: Van Khu Vu

Codes Correcting Under- and Over-Shift Errors in Racetrack Memories Presented by: Van Khu Vu Joint work with Yeow Meng Chee, Han Mao Kiah, Alexander Vardy and Eitan Yaakobi 11th March 2019 Presented by: Van Khu Vu Codes Correcting Under- and

543 views • 26 slides
Error-correcting codes and Cryptography Henk van Tilborg Code-based Cryptography Workshop

Error-correcting codes and Cryptography Henk van Tilborg Code-based Cryptography Workshop

Error-correcting codes and Cryptography Henk van Tilborg Code-based Cryptography Workshop Eindhoven, May 11-12, 2011 1/45 CONTENTS I Error-correcting codes; the basics II Quasi-cyclic codes; codes generated by circulants III Cyclic codes

556 views • 45 slides
Quantum Error-Correcting Codes by Concatenation Markus Grassl joint work with Bei Zeng Centre

Quantum Error-Correcting Codes by Concatenation Markus Grassl joint work with Bei Zeng Centre

Quantum Error-Correcting Codes by Concatenation QEC11 Second International Conference on Quantum Error Correction University of Southern California, Los Angeles, USA December 59, 2011 Quantum Error-Correcting Codes by Concatenation Markus

1.15k views • 41 slides
Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear

Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear

Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear Codes Page 1 General Model message m Errors introduced by the noisy channel: coder changed fields in the codeword (e.g., a flipped bit)

307 views • 28 slides
Quantum Error-Correcting Codes: Discrete Math meets Physics Markus Grassl

Quantum Error-Correcting Codes: Discrete Math meets Physics Markus Grassl

Quantum Error-Correcting Codes LAWCI Latin American Week on Coding and Information UniCamp Campinas, Brazil 2018, July 2027 Quantum Error-Correcting Codes: Discrete Math meets Physics Markus Grassl Markus.Grassl@mpl.mpg.de

1.27k views • 91 slides
Quantum Error-Correcting Codes: Discrete Math meets Physics Markus Grassl

Quantum Error-Correcting Codes: Discrete Math meets Physics Markus Grassl

Quantum Error-Correcting Codes LAWCI Latin American Week on Coding and Information UniCamp Campinas, Brazil 2018, July 2027 Quantum Error-Correcting Codes: Discrete Math meets Physics Markus Grassl Markus.Grassl@mpl.mpg.de

762 views • 60 slides
Turning error-reducing quantum turbo codes into error-correcting codes Mamdouh Abbara (MEc),

Turning error-reducing quantum turbo codes into error-correcting codes Mamdouh Abbara (MEc),

Turning error-reducing quantum turbo codes into error-correcting codes Mamdouh Abbara (MEc), Iryna Andriyanova (ENSEA), Jean-Pierre Tillich (INRIA) QEC14 December the 17th, 2014 introduction The 5 qubit code Probability of error after

382 views • 35 slides
On the Triple-Error-Correcting Cyclic Codes with Zero Set t 1 , 2 i 1 , 2 j 1 Vincent

On the Triple-Error-Correcting Cyclic Codes with Zero Set t 1 , 2 i 1 , 2 j 1 Vincent

On the Triple-Error-Correcting Cyclic Codes with Zero Set t 1 , 2 i 1 , 2 j 1 Vincent Herbert 1 (Joint work with Sumanta Sarkar 2 ) IMACC 2011 1 Inria Paris-Rocquencourt, France 2 University of Calgary, Canada 1 Agenda 1

1.03k views • 29 slides
application: error correcting codes 40 Codes are all around us 41 noisy channels Goal: send a

application: error correcting codes 40 Codes are all around us 41 noisy channels Goal: send a

application: error correcting codes 40 Codes are all around us 41 noisy channels Goal: send a 4-bit message over a noisy communication channel. Say, 1 bit in 10 is flipped in transit, independently. What is the probability that the message

655 views • 27 slides
QEC11 Quantum Error Correction and Quantum Error-Correcting Codes Todd A. Brun Center for

QEC11 Quantum Error Correction and Quantum Error-Correcting Codes Todd A. Brun Center for

QEC11 Quantum Error Correction and Quantum Error-Correcting Codes Todd A. Brun Center for Quantum Information Science and Technology (CQIST) Outline 1. What is Quantum Error Correction? 2. Classical Error-Correcting Codes 3. Does Encoding Copy

811 views • 35 slides
Codes Correcting Synchronization Errors for Symbol-Pair Read Channels Presented by: Van Khu

Codes Correcting Synchronization Errors for Symbol-Pair Read Channels Presented by: Van Khu

Codes Correcting Synchronization Errors for Symbol-Pair Read Channels Presented by: Van Khu Vu(isevvk@nus.edu.sg) Joint work with Yeow Meng Chee National University of Singapore June 2020 Presented by: Van Khu Vu(isevvk@nus.edu.sg) Codes

837 views • 29 slides
Searching MDS Burst-Correcting Codes Ana Lucila Sandoval Orozco Advisor : Luis Javier Garca

Searching MDS Burst-Correcting Codes Ana Lucila Sandoval Orozco Advisor : Luis Javier Garca

Searching MDS Burst-Correcting Codes Ana Lucila Sandoval Orozco Advisor : Luis Javier Garca Villalba Department of Software Engineering and Artificial Intelligence Universidad Complutense de Madrid Linear Block Codes f : GF(2) k GF(2) n n -

347 views • 5 slides
15-853:Algorithms in the Real World Error Correcting Codes (cont..) Scribe volunteers: ?

15-853:Algorithms in the Real World Error Correcting Codes (cont..) Scribe volunteers: ?

15-853:Algorithms in the Real World Error Correcting Codes (cont..) Scribe volunteers: ? Announcement: Scribe notes sign up, template and instructions on the course webpage 15-853 Page1 Recap: Block Codes message (m) Each message and

425 views • 25 slides
Construction X for quantum error-correcting codes Petr Lison ek Simon Fraser University

Construction X for quantum error-correcting codes Petr Lison ek Simon Fraser University

Stabilizer quantum codes Construction X for QECC Construction X for quantum error-correcting codes Petr Lison ek Simon Fraser University Burnaby, BC, Canada joint work with Vijaykumar Singh CanaDAM 2013 Memorial University of

422 views • 20 slides
/k Introduction and content 2/37 Error-correcting pair - Generalized Reed-Solomon codes -

/k Introduction and content 2/37 Error-correcting pair - Generalized Reed-Solomon codes -

Error-correcting Pairs for a Public-key Cryptosystem Ruud Pellikaan g.r.pellikaan@tue.nl joint work with Irene Mrquez-Corbella Code-based Cryptography Workshop 2012 Lyngby, 9 May 2012 /k Introduction and content 2/37 Error-correcting

687 views • 37 slides
Error-correcting codes Algorithm Interest Group presentation by Eli Chertkov

Error-correcting codes Algorithm Interest Group presentation by Eli Chertkov

Error-correcting codes Algorithm Interest Group presentation by Eli Chertkov http://www.computer-questions.com/what-to-do-when-error-code-8003-happens/ Society needs to communicate over noisy communication channels

929 views • 14 slides
15-853:Algorithms in the Real World Error Correcting Codes (cont..) Scribe volunteers: ?

15-853:Algorithms in the Real World Error Correcting Codes (cont..) Scribe volunteers: ?

15-853:Algorithms in the Real World Error Correcting Codes (cont..) Scribe volunteers: ? Announcement: Scribe notes template and instructions on the course webpage 15-853 Page1 General Model Noise introduced by the channel: message

531 views • 32 slides
Error-Correcting Codes G. Eric Moorhouse, UW Math Corrected copies of transparencies for this

Error-Correcting Codes G. Eric Moorhouse, UW Math Corrected copies of transparencies for this

Error-Correcting Codes G. Eric Moorhouse, UW Math Corrected copies of transparencies for this sem- inar series should soon be available at http://math.uwyo.edu/~moorhous/quantum/ References F.J. MacWilliams and N.J.A. Sloane, The North-

421 views • 20 slides
Codebook and Marker Sequence Design for Synchronization-Correcting Codes Victor Buttigieg 1 Johann

Codebook and Marker Sequence Design for Synchronization-Correcting Codes Victor Buttigieg 1 Johann

Outline Introduction System Description Bound Results Closure Codebook and Marker Sequence Design for Synchronization-Correcting Codes Victor Buttigieg 1 Johann A. Briffa 2 1 Department of Communications and Computer Engineering University

632 views • 29 slides
Error Correcting Codes CS70 Summer 2016 - Lecture 8A David Dinh 08 August 2016 UC Berkeley 1

Error Correcting Codes CS70 Summer 2016 - Lecture 8A David Dinh 08 August 2016 UC Berkeley 1

Error Correcting Codes CS70 Summer 2016 - Lecture 8A David Dinh 08 August 2016 UC Berkeley 1 Today Final logistics Erasure codes Berlekamp-Walsh codes 2 Final logistics Final will be held on Friday, 12 August from 11:30-2:30 in 120

158 views • 13 slides
Syndrome-Coupled Rate-Compatible Error-Correcting Codes for Flash Memories Pengfei Huang 1 , Yi

Syndrome-Coupled Rate-Compatible Error-Correcting Codes for Flash Memories Pengfei Huang 1 , Yi

Syndrome-Coupled Rate-Compatible Error-Correcting Codes for Flash Memories Pengfei Huang 1 , Yi Liu 1 , Xiaojie Zhang 2 , Paul H. Siegel 1 , Erich F. Haratsch 3 1 Center for Memory and Recording Research, UCSD 2 CNEX Labs, San Jose, CA 3 Seagate

687 views • 47 slides

More recommend