deterministic rowhammer attacks
play

Deterministic Rowhammer Attacks on Mobile Platforms by A bunch of - PowerPoint PPT Presentation

Jun 16, 2023 •147 likes •2.07k views

Drammer: Deterministic Rowhammer Attacks on Mobile Platforms by A bunch of pasty faced sad sack nerds sitting in a basement want to sound cool and tough, like they've just done a tour in 'Nam. [slashdot] Drammer: Deterministic Rowhammer

  1. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview 1. Memory Templating Scan memory for useful bit flips 2. Land sensitive data Store a crucial data structure on a vulnerable page 3. Reproduce the bit flip Modify the data structure and get root acces

  2. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview 1. Memory Templating Scan memory for useful bit flips 2. Land sensitive data Store a crucial data structure on a vulnerable page

  3. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview 1. Memory Templating Scan memory for useful bit flips 2. Land a Page Table Store a page table on a vulnerable page But why?

  4. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses

  5. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses Example lookup for input virtual address 0xb6a5717f 1 0 1 1 0 1 1 0 1 0 1 0 0 1 0 1 0 1 1 1 0 0 0 1 0 1 1 1 1 1 1 1

  6. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses Example lookup for input virtual address 0xb6a5717f 1 0 1 1 0 1 1 0 1 0 1 0 0 1 0 1 0 1 1 1 0 0 0 1 0 1 1 1 1 1 1 1 • Highest 12 bits: level 1 table index ( Translation Table Base Register )

  7. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses Example lookup for input virtual address 0xb6a5717f 1 0 1 1 0 1 1 0 1 0 1 0 0 1 0 1 0 1 1 1 0 0 0 1 0 1 1 1 1 1 1 1 • Highest 12 bits: level 1 table index ( Translation Table Base Register ) • Middle 8 bits: level 2 table index

  8. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses Example lookup for input virtual address 0xb6a5717f 1 0 1 1 0 1 1 0 1 0 1 0 0 1 0 1 0 1 1 1 0 0 0 1 0 1 1 1 1 1 1 1 • Highest 12 bits: level 1 table index ( Translation Table Base Register ) • Middle 8 bits: level 2 table index • Lowest 12 bits: offset in page

  9. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses Example lookup for input virtual address 0xb6a5717f 1 0 1 1 0 1 1 0 1 0 1 0 0 1 0 1 0 1 1 1 0 0 0 1 0 1 1 1 1 1 1 1 • Highest 12 bits: level 1 table index ( Translation Table Base Register ) • Middle 8 bits: level 2 table index • Lowest 12 bits: offset in page TTBR 0x1b17f000 0x462b000 1 st level Table Page Table (2 nd level) Requested Page

  10. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries Entry in the (2 nd level) Page Table 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x

  11. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries Entry in the (2 nd level) Page Table 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x • 12 bits of properties

  12. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries Entry in the (2 nd level) Page Table 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x • 12 bits of properties • 20 bits for the page base address

  13. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries Entry in the (2 nd level) Page Table 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x 0x1b17f << 12 • 12 bits of properties 0x1b17f000 • 20 bits for the page base address mapped page What if we flip a bit in the entry?

  14. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries Entry in the (2 nd level) Page Table 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x 0x1b17f << 12 • 12 bits of properties 0x1b17f000 • 20 bits for the page base address mapped page 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 0 x x x x x x x x x x x x

  15. Rowhammer Attacks on Page Table Entries Entry in the (2 nd level) Page Table 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x 0x1b17f << 12 • 12 bits of properties 0x1b17e000 0x1b17f000 • 20 bits for the page base address mapped page mapped page 0x1b17e << 12 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 0 x x x x x x x x x x x x

  16. Rowhammer Attacks on Page Table Entries Entry in the (2 nd level) Page Table 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x 0x1b17f << 12 • 12 bits of properties 0x1b17e000 0x1b17f000 • 20 bits for the page base address mapped page mapped page 0x1b17e << 12 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 0 x x x x x x x x x x x x A 1-to- 0 flip moves the mapping ‘to the left’ • Flip offset 0: – 1 page • Flip offset 1: – 2 pages • Flip offset 2: – 4 pages – 2 n pages • Flip offset n :

  17. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table

  18. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 1b17f Mapped Page Page Table

  19. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 1b17f Mapped Page Page Table Virtual address 0xb6a57000 maps to Page Table Entry: 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x which translates to physical page 0x1b17f000

  20. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 2. Flip bit 2 in the page table entry 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 1b17f Mapped Page Page Table Virtual address 0xb6a57000 maps to Page Table Entry: 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 x x x x x x x x x x x x which translates to physical page 0x1b17f000

  21. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 2. Flip bit 2 in the page table entry 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 1b17b Mapped Page Table Virtual address 0xb6a57000 maps to Page Table Entry: 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 0 1 x x x x x x x x x x x x which translates to physical page 0x1b17b000

  22. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 2. Flip bit 2 in the page table entry 3. Write page table entries 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 1b17b Mapped Page Table Virtual address 0xb6a57000 maps to Page Table Entry: 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 0 1 x x x x x x x x x x x x which translates to physical page 0x1b17b000

  23. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 2. Flip bit 2 in the page table entry 3. Write page table entries 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 3ac90 3ac91 3ac92 3ac93 3ac94 3ac95 3ac96 1b17b 3ac97 3ac98 3ac99 3ac9a 3ac9b 3ac9c 3ac9d 3ac9e Mapped Page Table Virtual address 0xb6a57000 maps to Page Table Entry: 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 0 1 x x x x x x x x x x x x which translates to physical page 0x1b17b000

  24. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 2. Flip bit 2 in the page table entry 3. Write page table entries 4. Read/write kernel memory 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 3ac90 3ac91 3ac92 3ac93 3ac94 3ac95 3ac96 1b17b 3ac97 3ac98 3ac99 3ac9a 3ac9b 3ac9c 3ac9d 3ac9e Mapped Page Table Virtual address 0xb6a57000 maps to Page Table Entry: 0 0 0 1 1 0 1 1 0 0 0 1 0 1 1 1 1 1 0 1 x x x x x x x x x x x x which translates to physical page 0x1b17b000

  25. Deterministic Attacks on Page Table Entries 1. Map a page 4 pages ‘ away ’ from its page table 2. Flip bit 2 in the page table entry 3. Write page table entries 4. Read/write kernel memory 0x1b17b000 0x1b17c000 0x1b17d000 0x1b17e000 0x1b17f000 3ac90 3ac91 3ac92 3ac93 3ac94 3ac95 3ac96 1b17b 3ac97 3ac98 3ac99 3ac9a 3ac9b 3ac9c 3ac9d 3ac9e Mapped Page Table Virtual address 0xb6a57000 maps to 0x1b17b000 Virtual address 0xb6a58000 maps to 0x3ac97000 Virtual address 0xb6a59000 maps to 0x3ac98000

  26. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview 1. Memory Templating Scan memory for useful bit flips 2. Land a Page Table Store a page table on a vulnerable page But how?

  27. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication)

  28. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui

  29. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui Physical memory:

  30. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Exhaust all memory

  31. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Exhaust all memory

  32. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Release the vulnerable page

  33. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Release the vulnerable page

  34. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Trigger a Page Table Allocation

  35. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table • No access to pagemap (virtual – physical address mapping) • No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Trigger a Page Table Allocation

  36. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui Exploit the predictable behavior of the Buddy Allocator Physical Memory 16 * 4KB pages = 64 KB rows

  37. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) Physical Memory 16 * 4KB pages = 64 KB rows

  38. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) 1024KB 512KB

  39. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory 1024KB 512KB

  40. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory 1024KB 256KB 256KB

  41. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory 1024KB 128KB 128KB 256KB

  42. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory 1024KB 64KB 64KB 128KB 256KB

  43. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory 1024KB X1 64KB 128KB 256KB

  44. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory 1024KB X1 64KB 128KB 256KB

  45. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory 1024KB X1 32KB 32KB 128KB 256KB

  46. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory 1024KB X1 16KB 16KB 32KB 128KB 256KB

  47. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory 1024KB X1 8KB 8KB 16KB 32KB 128KB 256KB

  48. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory 1024KB X1 X2 8KB 16KB 32KB 128KB 256KB

  49. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) X3 = __get_free_pages(flags, 5); // get 2 3 = 32KB of memory 1024KB X1 X2 8KB 16KB 32KB 128KB 256KB

  50. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) P3 = __get_free_pages(flags, 5); // get 2 3 = 32KB of memory 1024KB X1 X2 8KB 16KB X3 128KB 256KB

  51. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) free_pages(X2, 3); // free X2 1024KB X1 X2 8KB 16KB X3 128KB 256KB

  52. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) free_pages(X2, 3); // free X2 1024KB X1 8KB 8KB 16KB X3 128KB 256KB

  53. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) free_pages(X2, 3); // free X2 1024KB X1 16KB 16KB X3 128KB 256KB

  54. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator Avoid fragmentation by keeping track of same-size memory chunks ( buddies) free_pages(X2, 3); // free X2 1024KB X1 32KB X3 128KB 256KB

  55. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui Deterministic Rowhammer exploitation in 8 steps 1024KB X1 32KB X3 128KB 256KB

  56. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks L1, L2, …, Ln = exhaust(L); 1024KB X1 32KB X3 128KB 256KB

  57. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks L1, L2, …, Ln = exhaust(9); // get all 2^9 = 512KB chunks 512KB 512KB X1 32KB X3 128KB 256KB

  58. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks L1, L2, …, Ln = exhaust(L); // get all 2^9 = 512KB chunks L1 L2 X1 32KB X3 128KB 256KB

  59. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L1, 2); // hammer row 2 of chunk L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L1 L2 X1 32KB X3 128KB 256KB

  60. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L1, 3); // hammer row 3 of chunk L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KB X3 128KB 256KB

  61. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L1, 4); // hammer row 4 of chunk L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KB X3 128KB 256KB

  62. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L1, 5); // hammer row 5 of chunk L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KB X3 128KB 256KB

  63. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L1, 6); // hammer row 6 of chunk L1 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KB X3 128KB 256KB

  64. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L1, 7); // hammer row 7 of chunk L1 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KB X3 128KB 256KB

  65. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L2, 2); // hammer row 2 of chunk L2 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KB X3 128KB 256KB

  66. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks Hammer(L2, 3); // hammer row 3 of chunk L2 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KB X3 128KB 256KB

  67. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks “exploitable flip found in page 5 of virtual row 3 of L2!” L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 11111111111111111111111111 0 1111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KB X3 128KB 256KB

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER ROWHAMMER Bit Flip ROWHAMMER A hardware glitch Causes charge to leak in DRAM DRAM row activations cause bit flips ROWHAMMER + NACL ROWHAMMER +

755 views • 19 slides
Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos Rowhammer (RH) causes bits to flip Exploit to escalate privilege [Seaborn 15]

437 views • 41 slides
RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM

RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM

Rapid Detection of RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM DEBDEEP MUKHOPADHYA NANYANG TECHNOLOGICAL UNIVERSITY, SINGAPORE INDIAN INSTITUTE OF TECHNOLOGY, KHARAGPUR Overview

362 views • 17 slides
S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel

S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel

S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel el Mogh ghimi (@danielmgmi), Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth, Berk Sunar Worcest ster Polytechnic

999 views • 51 slides
RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background

RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background

RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background Discussion (Strengths/Weaknesses) RowHammer-based Attack Mitigation Techniques Circuit-level Studies Other Works RowHammer in

382 views • 19 slides
Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi Outline Data Dependency SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

663 views • 28 slides
Rowhammer Plagiarized from:

Rowhammer Plagiarized from:

Rowhammer Plagiarized from: https://en.wikipedia.org/wiki/Row_hammer#/media/File:Row_hammer.svg Step #1: Find aggressor and victim Allocate a large chunk of memory, like 1GB Aggressors X and Y must be different rows in the same bank

261 views • 12 slides
MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *,

MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *,

MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *, Jaehyuk Lee , Sangho Lee , and Taesoo Kim Oregon State University* KAIST Georgia Institute of Technology TL;DR SGX locks up the

503 views • 24 slides
Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim Nivre, 2013 Seminarvortrag Pius Meinert July 13, 2018 Training Deterministic Parsers with Non-Deterministic Oracles root PRD SBJ DOBJ IOBJ

842 views • 47 slides
From normal to anomalous deterministic diffusion Part 1: Normal deterministic diffusion Rainer

From normal to anomalous deterministic diffusion Part 1: Normal deterministic diffusion Rainer

Outline Chaotic maps Deterministic diffusion End From normal to anomalous deterministic diffusion Part 1: Normal deterministic diffusion Rainer Klages Queen Mary University of London, School of Mathematical Sciences Sperlonga, 20-24

465 views • 29 slides
RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an electron SRAM: static RAM

RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an electron SRAM: static RAM

RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an electron SRAM: static RAM DRAM: dynamic RAM http://en.wikipedia.org/wiki/Static_random-access_memory#/media/File:

338 views • 11 slides
If It's Not Deterministic, It's Crap: Deterministic Machine Learning and Molecular Dynamics

If It's Not Deterministic, It's Crap: Deterministic Machine Learning and Molecular Dynamics

If It's Not Deterministic, It's Crap: Deterministic Machine Learning and Molecular Dynamics Spoilers GPUs/FPGAs/CPUs/ASICs ad nauseum AMBER Molecular Dynamics Determinism Matters Multi-GPU Servers Neural Networks

1.04k views • 68 slides
Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation

Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation

Mesoscopic simulations of receptive lattices Limitation of deterministic approaches Limitation of deterministic approaches Continuous, deterministic models cant cope with: 1. Sensitivity to a very small number of molecules 2. Protein

1.14k views • 66 slides
Deterministic PDAs As mentioned before Pushdown Automata Our basic PDA in

Deterministic PDAs As mentioned before Pushdown Automata Our basic PDA in

Deterministic PDAs As mentioned before Pushdown Automata Our basic PDA in non-deterministic We can define a Deterministic PDA (DPDA) as follows: Determinism Let M = (Q, , , , q 0 , Z 0 , F) be a PDA M is

159 views • 3 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
A monad for deterministic parallelism Simon Marlow (MSR) Ryan Newton (Intel) Parallel

A monad for deterministic parallelism Simon Marlow (MSR) Ryan Newton (Intel) Parallel

A monad for deterministic parallelism Simon Marlow (MSR) Ryan Newton (Intel) Parallel programming models Deterministic Non-deterministic Implicit FDIP par/pseq Strategies ??? Concurrent Haskell Explicit The Par Monad Par is a monad for

1.2k views • 35 slides
Comparison Tests of Motorcycle Comparison Tests of Motorcycle Helmets Qualified to Helmets

Comparison Tests of Motorcycle Comparison Tests of Motorcycle Helmets Qualified to Helmets

Comparison Tests of Motorcycle Comparison Tests of Motorcycle Helmets Qualified to Helmets Qualified to International Standards International Standards David R. Thom, MS Collision and Injury Dynamics El Segundo, California w w w

450 views • 23 slides
THUNDERSTORMS Convective heavy rain accompanied by lightning and thunder Ahrens Thunderstorms

THUNDERSTORMS Convective heavy rain accompanied by lightning and thunder Ahrens Thunderstorms

THUNDERSTORMS Convective heavy rain accompanied by lightning and thunder Ahrens Thunderstorms About 1,800 T-storms occur around the world at any instant Where do they occur the most? National Lightning Safety Institute Satellite lightning

1.01k views • 66 slides
Response of Humidity and Clouds to Tropical Deep Convection Mark Zelinka University of

Response of Humidity and Clouds to Tropical Deep Convection Mark Zelinka University of

Response of Humidity and Clouds to Tropical Deep Convection Mark Zelinka University of Washington Dept. of Atmospheric Sciences NASA Sounder Science Team Meeting 14 October 2009 Acknowledgements Dennis Hartmann (advisor) Chris

477 views • 34 slides
PASSENGER Story of a convergent pipeline Thomas Felix Pierre Blaizeau TG - Passenger TWINE

PASSENGER Story of a convergent pipeline Thomas Felix Pierre Blaizeau TG - Passenger TWINE

PASSENGER Story of a convergent pipeline Thomas Felix Pierre Blaizeau TG - Passenger TWINE Ubisoft Montral Ubisoft Montral Technology Group PASSENGER How to expand your game universe? How to bridge game and CG technology? How to

966 views • 69 slides
Phase Transitions in dense hydrogen with Quantum Monte Carlo David Ceperley University of

Phase Transitions in dense hydrogen with Quantum Monte Carlo David Ceperley University of

Phase Transitions in dense hydrogen with Quantum Monte Carlo David Ceperley University of Illinois Urbana-Champaign Recent Collaborators Miguel Morales Livermore Carlo Pierleoni LAquila, Italy AND many other collaborators over the years!

725 views • 24 slides
Monday: Lesson One LO: To identify different poetic features Key Poetry Definitions

Monday: Lesson One LO: To identify different poetic features Key Poetry Definitions

Monday: Lesson One LO: To identify different poetic features Key Poetry Definitions Alliteration- using words from the same sound, not just the same letter (slithering snakes, mischievous monkeys) Rhyming- words that have a close

452 views • 18 slides
PLATE TECTONICS Revolution in Earth Science The Earth System Understanding Earth 6th edition

PLATE TECTONICS Revolution in Earth Science The Earth System Understanding Earth 6th edition

FUNDAMENTALS OF EARTH SCIENCE I FALL SEMESTER 2018 PLATE TECTONICS Revolution in Earth Science The Earth System Understanding Earth 6th edition Earths layers CRUST (solid) MANTLE (solid) OUTER CORE (liquid) INNER CORE (solid)

1.06k views • 55 slides
ICF Overview and Z Joel Lash, Ph. D. Senior Manager, Z Facility R&amp;D Sandia National

ICF Overview and Z Joel Lash, Ph. D. Senior Manager, Z Facility R&amp;D Sandia National

ICF Overview and Z Joel Lash, Ph. D. Senior Manager, Z Facility R&amp;D Sandia National Laboratories, Albuquerque, NM, USA Laser Magnetization Compression Heating Sandia National Laboratories is a multi-program laboratory managed and

310 views • 20 slides

More recommend