rowhammer in 15
play

RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an - PowerPoint PPT Presentation

Sep 16, 2022 •226 likes •338 views

RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an electron SRAM: static RAM DRAM: dynamic RAM http://en.wikipedia.org/wiki/Static_random-access_memory#/media/File:

  1. RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com

  2. Life of an electron SRAM: static RAM DRAM: dynamic RAM http://en.wikipedia.org/wiki/Static_random-access_memory#/media/File: http://en.wikipedia.org/wiki/Dynamic_random-access_memory#/media/File: SRAM_Cell_(6_Transistors).svg Square_array_of_mosfet_cells_read.png Google Proprietary

  3. Life of an electron SRAM DRAM Uses a lot of die space (4 to 6 Excellent storage density (1 capacitor transistors per bit) + 1 transistor per bit) Fast random access time Slow access (full row access) Static (conserve state unless powered Leaky (capacitor discharges in ~N off) ms) Used for L-1 L-2 caches Used for external memory (Synchronous DRAM) Google Proprietary

  4. Life of an electron DRAM discharge: mitigated by regular refresh ● Usually every 64ms Google Proprietary

  5. What if? You access a value too often? Bit-flip(s)! ● Including in adjacent rows Why? Nobody knows for sure ... ● Condenser discharge. Power glitch. Tunnel effect. You name it. Google Proprietary

  6. What if? Known for years for the hardware industry ● Cf. JEDEC specifications Re-discovered by software people ● https://github.com/CMU-SAFARI/rowhammer Eventually exploited by Google as a generic privilege escalation ● http://googleprojectzero.blogspot.ch/2015/03/exploiting-dram-rowhammer-bug-to-gain.html Google Proprietary

  7. Exploitation Short version ● Fill memory ● Flip a PTE bit ● Profit! Flipping fast ● CLFLUSH (userland, cannot be disabled by CRx/MSR or microcode update - as of today) Unexplored ways ● Non-temporal hints (MOVNT*) ● Other cache-control instructions (MFENCE/SFENCE, ...) Google Proprietary

  8. Exploitation The devil is in the details ● Guessing physical memory layout ● Flipping the right bit ○ Affected locations tend to be geographically stable (die defect) ● Double hammer vs. single hammer Google Proprietary

  9. Mitigations ECC + Linux MCE policy ● Can correct 1-bit and detect 2-bit errors Double refresh rate Software monitoring cache miss with perf counters pTRR / TRR: [pseudo] Targeted Row Refresh ● Specified by DDR3/DDR4 standards MAC (Maximum Activate Count) Google Proprietary

  10. TODO Other memory access vectors? ● DMA ● GPU memory ● Hidden cache-bypassing instructions? Vendor-specific mitigations? ● Dell RMT ("Reliable Memory Technology") Embedded devices? ● ARM, MIPS, PPC, microcontrollers, ... Damaging physical memory? ● http://en.wikipedia.org/wiki/Hot-carrier_injection Google Proprietary

  11. References Original research ● https://github.com/CMU-SAFARI/rowhammer Google research ● http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html ● https://github.com/google/rowhammer-test Vendor(s) statements ● http://support.lenovo.com/us/en/product_security/row_hammer ● http://azure.microsoft.com/blog/2015/03/16/microsoft-azure-uses-error-correcting-code-memory- for-enhanced-reliability-and-security/ ● http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150309- rowhammer ● http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04593978 Google Proprietary

Recommend

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER ROWHAMMER Bit Flip ROWHAMMER A hardware glitch Causes charge to leak in DRAM DRAM row activations cause bit flips ROWHAMMER + NACL ROWHAMMER +

755 views • 19 slides
RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background

RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background

RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background Discussion (Strengths/Weaknesses) RowHammer-based Attack Mitigation Techniques Circuit-level Studies Other Works RowHammer in

382 views • 19 slides
Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos Rowhammer (RH) causes bits to flip Exploit to escalate privilege [Seaborn 15]

437 views • 41 slides
Rowhammer Plagiarized from:

Rowhammer Plagiarized from:

Rowhammer Plagiarized from: https://en.wikipedia.org/wiki/Row_hammer#/media/File:Row_hammer.svg Step #1: Find aggressor and victim Allocate a large chunk of memory, like 1GB Aggressors X and Y must be different rows in the same bank

261 views • 12 slides
Deterministic Rowhammer Attacks on Mobile Platforms by A bunch of pasty faced sad sack nerds

Deterministic Rowhammer Attacks on Mobile Platforms by A bunch of pasty faced sad sack nerds

Drammer: Deterministic Rowhammer Attacks on Mobile Platforms by A bunch of pasty faced sad sack nerds sitting in a basement want to sound cool and tough, like they've just done a tour in 'Nam. [slashdot] Drammer: Deterministic Rowhammer

2.07k views • 192 slides
MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *,

MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *,

MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *, Jaehyuk Lee , Sangho Lee , and Taesoo Kim Oregon State University* KAIST Georgia Institute of Technology TL;DR SGX locks up the

503 views • 24 slides
RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM

RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM

Rapid Detection of RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM DEBDEEP MUKHOPADHYA NANYANG TECHNOLOGICAL UNIVERSITY, SINGAPORE INDIAN INSTITUTE OF TECHNOLOGY, KHARAGPUR Overview

362 views • 17 slides
S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel

S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel

S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel el Mogh ghimi (@danielmgmi), Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth, Berk Sunar Worcest ster Polytechnic

999 views • 51 slides
Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi Outline Data Dependency SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

663 views • 28 slides
RAMBleed: Reading Bits in Memory Without Accessing Them Andrew Kwong, Daniel Genkin, Daniel

RAMBleed: Reading Bits in Memory Without Accessing Them Andrew Kwong, Daniel Genkin, Daniel

RAMBleed: Reading Bits in Memory Without Accessing Them Andrew Kwong, Daniel Genkin, Daniel Gruss, and Yuval Yarom Presented by Erik Saathoff 11/16/2020 Motivation Rowhammer has previously only been demonstrated as a threat to DRAM

764 views • 19 slides

More recommend