NeRAM - Next-Generation Rowhammer Attacks and Mitigations

Description

DRAM stores data in memory cells, in arrays of capacitors and transistors. Manufacturers keep increasing the density of these arrays to optimize storage capacity, performance, and efficiency. The density is now so high that rapid reads can cause bit flips in neighboring memory rows. Exploiting this Rowhammer effect can undermine memory isolation and thus system security. In recent years, Rowhammer has become a greater security problem for two reasons: First, the number of accesses required for an attack has dropped by a factor of 30. Second, prior research has found various ways to exploit Rowhammer in privilege-escalation attacks. Third, earlier attempts to prevent Rowhammer have already been bypassed in recent research.

As described above, the Rowhammer effect and its impact are not yet fully understood in many applications and environments. This research project closes these gaps in understanding by studying the Rowhammer effect and by studying and developing effective Rowhammer countermeasures.

Rowhammer attacks remain little researched to this day

Presshammer: Rowhammer and Rowpress without Physical Address Information

Juffinger, Jonas; Sudheendra, Raghav Neela; Heckel, Martin; Schwarz, Lukas...

21st Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '24).


Peer Reviewed
 

Modern DRAM is susceptible to fault attacks that undermine the entire system’s security. The most well-studied disturbance effect is Rowhammer, where an attacker repeatedly opens and closes (i.e., hammers) different rows, which can lead to bitflips in adjacent rows. Different hammering strategies include double-sided, hammering two rows sandwiching a victim row, and one-location, hammering a single row. One-location Rowhammer requires no physical address information, as any location in memory is mapped to a DRAM row, and no relation between rows is required for hammering. The recently discovered Rowpress differs from Rowhammer by not hammering rows but keeping them open longer, evident by a disjoint set of affected memory locations.

In this paper, we examine the differences between four attack variants: one-location Rowhammer, a one-location Rowpress variant we developed, double-sided Rowhammer, and double-sided Rowpress on a set of 12 DDR4 modules. Our methodology is to hammer and press the exact same set of physical memory locations in all attack variants. Surprisingly, our results show that on 4 out of 12 DDR4 modules, we were only able to reproduce double-sided Rowhammer but none of the other attack variants. On 2 DDR4 modules, we were able to reproduce all attack variants. We find that the number of unique bitflip locations ranges from 161 to 15 612, when hammering the exact same set of physical memory locations. Our one-location Rowhammer attack induces roughly the same amount of bitflips as double-sided Rowhammer, however, only 61.8 % of bitflip locations overlap. We explain this by one-location Rowhammer inducing bitflips due to the Rowhammer as well as the Rowpress effect, making the differentiation of both methods difficult, therefore, calling it Presshammer. Based on our observed bitflips, we develop the first end-to-end one-location Rowpress attack. One-location Rowpress requires only minimal physical address information that an attacker can acquire through a same-row same-bank side-channel attack. Our end-to-end attack escalates to kernel privileges within less than 10 minutes.


Reverse-Engineering Bank Addressing Functions on AMD CPUs

Heckel, Martin; Adamsky, Florian (2023)

The 3rd Workshop on DRAM Security (DRAMSec 2023), co-located with ISCA 2023.


Open Access Peer Reviewed
 

The memory controller of the CPU uses bank addressing functions to determine physical locations within DRAM DIMMs. There are many fields of application for these addressing functions, particularly in security. For example, many Rowhammer proofs-of-concept use bank addressing functions to select addresses located on the same bank but in different rows to produce row conflicts. AMD provides these addressing functions for older CPU models. Hence, research on reverse-engineering addressing functions mainly targeted Intel CPUs since Intel did not publish these functions. However, AMD stopped publishing the DRAM addressing functions several years ago. AMD manufactures roughly a third of the sold CPUs in today’s CPU market. We analyze reverse-engineering tools for addressing functions and find that they do not work with AMD CPUs, hindering reverse-engineering attempts and Rowhammer attacks on systems with AMD CPUs. In this paper, we introduce an approach to reverse-engineer the addressing functions of AMD CPUs, which facilitates future Rowhammer experiments on AMD CPUs.



Dissertations

Next-Generation Rowhammer Attacks and Mitigations


PhD student: Martin Heckel
Research focus: Information systems
Duration: 2023-02-10 - 2025-11-30
Scientific supervisor: HS-Hof Prof. Dr. Florian Adamsky
Institutions: Institut für Informationssysteme (iisys)
Research group System and Network Security (sns)
Research and Development
Hochschule für angewandte Wissenschaften, Hof
Scientific supervisor (external): Universität Graz | Prof. Dr. Daniel Gruss

Project lead


Project staff

Martin Heckel
T +49 9281 409-6613
martin.heckel.2[at]hof-university.de

Project duration

2022-12-01 - 2025-11-30

Funding programme

DFG - Sachbeihilfe