exploiting correcting codes on the effectiveness of ecc
play

Exploiting Correcting Codes: On the Effectiveness of ECC Memory - PowerPoint PPT Presentation

Nov 18, 2023 •27 likes •437 views

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos Rowhammer (RH) causes bits to flip Exploit to escalate privilege [Seaborn 15]

  1. Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos

  3. Rowhammer (RH) causes bits to flip Exploit to escalate privilege [Seaborn ’15] ● Exploit to escape sandboxes [Seaborn ’15, Gruss ’18] ● Exploit to compromise confidentiality [Razavi ‘16] ● Exploit different targets: ● Desktop computers (browser, local shell etc.) – On phones [van der Veen ‘17], on GPUs [Frigo ‘18] – Over the network [Tatar ‘18, Lipp ‘18] –

  4. Previous RH attacks are on non-server memory 1 2 3 4 5 6 7 8

  5. Previous RH attacks are on non-server memory 1 2 3 4 5 6 7 8 ECCploit, RH on server (ECC) memory 1 2 3 4 C 5 6 7 8

  6. Overview 1) Challenges for RH on ECC memory 2) Single-bit flips on ECC memory 1) Causing them 2) Observing them 3) Reverse engineering of ECC functions 4) Performance of Rowhammer on ECC memory

  7. What makes the exploitation of ECC memory difficult?

  8. BIT FLIPS BIT FLIPS

  9. It is hard (and dangerous) to get 3 bit flips Probability of X bits to be flipped 1 bit flipped 2 bits flipped 3 bits flipped

  10. It is hard (and dangerous) to get 3 bit flips Probability of X bits to be flipped Corrected by ECC 1 bit flipped 2 bits flipped 3 bits flipped

  11. It is hard (and dangerous) to get 3 bit flips Probability of X bits to be flipped Corrected by ECC 1 bit flipped Potentially uncorrectable 2 bits flipped machine crash 3 bits flipped

  12. It is hard (and dangerous) to get 3 bit flips Probability of X bits to be flipped Corrected by ECC 1 bit flipped Potentially uncorrectable 2 bits flipped machine crash Potentially uncorrectable 3 bits flipped potentially undetectable

  13. It is hard (and dangerous) to get 3 bit flips Probability of X bits to be flipped Corrected by ECC 1 bit flipped Potentially uncorrectable 2 bits flipped machine crash Potentially uncorrectable 3 bits flipped potentially undetectable Kind of useless for Rowhammer

  14. It is hard (and dangerous) to get 3 bit flips Probability of X bits to be flipped Corrected by ECC 1 bit flipped Potentially uncorrectable 2 bits flipped machine crash Potentially uncorrectable 3 bits flipped potentially undetectable Rowhammer on ECC memory is a mere DoS attack!

  15. It is hard (and dangerous) to get 3 bit flips Probability of X bits to be flipped Corrected by ECC 1 bit flipped Potentially uncorrectable 2 bits flipped machine crash Potentially uncorrectable 3 bits flipped potentially undetectable ECCploit is an upgrade from the DoS attack. ECCploit only causes undetectable bit flips

  16. Q: How to get from one bit flip to three bit flips without hitting two bit flips? 1 3

  17. A: Templating bit flips on ECC memory (ECCploit) 1. Get single bit flips 2. Combine them to cause silent corruptions (same ECC)

  18. Challenge: causing a single bit to flip

  19. Challenge: causing a single bit to flip 1 1 1 1 1 1 ... 1 A V 0 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 A

  20. Challenge: causing a single bit to flip 1 1 1 1 1 1 ... 1 A V 0 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 A

  21. Challenge: causing a single bit to flip 1 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 A A: A: V 0 1 1 1 1 1 ... 1 V: 1 0 1 1 1 1 ... 1 V: 1 1 0 1 1 1 ... 1 1 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 A A: A: A: 1 1 1 1 1 1 ... 1 A: 1 1 1 1 1 1 ... 1 A: 1 1 1 1 1 1 ... 1 V: 1 1 1 0 1 1 ... 1 V: 1 1 1 1 0 1 ... 1 V: 1 1 1 1 1 0 ... 1 1 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 1 1 1 1 1 1 ... 1 A: A: A:

  22. Challenge: observing a single bit flip

  23. Challenge: observing a single bit flip

  24. ECC correction is observable Word offset inside row

  25. A: Templating bit flips on ECC memory (ECCploit) 1. Get single bit flips 2. Combine them to cause silent corruptions (same ECC)

  26. Challenge: finding a suitable 3 bit flip that cause silent corruptions

  27. Challenge: finding a suitable 3 bit flip that cause silent corruptions

  28. Challenge: finding a suitable 3 bit flip that cause silent corruptions Reverse engineering the ECC implementation

  29. ECC errors reveal the ECC function Fault injection on the memory bus Cold-boot attack

  30. ECC errors reveal the ECC function Fault injection on the memory bus Cold-boot attack

  31. CPU writes data and control bits 1 2 3 4 64 bits of data 64 bits of data Memory C Controller 8 bits of ECC 5 6 7 8 ECC bits are stored *ptr = data; ControlBits = ECC(data); next to data

  32. CPU writes data and control bits 1 2 3 4 64 bits of data 64 bits of data Memory C Controller 8 bits of ECC 5 6 7 8 ECC bits are stored *ptr = data; ControlBits = ECC(data); next to data

  33. CPU reads data and checks control bits 1 2 3 4 64 bits of data 64 bits of data Memory C Controller 8 bits of ECC 5 6 7 8 CB_exp = ECC(data); ECC bits are stored data = *ptr; if (CB_read != CB_exp) next to data Error( DataForRAS );

  34. We can reconstruct the ECC function by observing ECC errors 1 2 3 4 64 bits of data 64 bits of data Memory C Controller 8 bits of ECC 5 6 7 8 CB_exp = ECC(data); ECC bits are stored data = *ptr; if (CB_read != CB_exp) next to data Error( DataForRAS );

  35. We can reconstruct the ECC function by observing ECC errors 1 2 3 4 64 bits of data 64 bits of data Memory C Controller 8 bits of ECC 5 6 7 8 CB_exp = ECC(data); ECC bits are stored data = *ptr; if (CB_read != CB_exp) next to data Error( DataForRAS );

  36. We can reconstruct the ECC function by observing ECC errors 1 2 3 4 64 bits of data 64 bits of data Memory C Controller 8 bits of ECC 5 6 7 8 CB_exp = ECC(data); ECC bits are stored data = *ptr; if (CB_read != CB_exp) next to data Error( DataThatWeUseForRE );

  37. ECCploit attack 1) Recover the ECC function (offline) 2) Template the memory 1) Avoid crashes by triggering only single-bit flips 2) Knowing the ECC function, combine single bit flips in undetectable bit flips 3) Massage the memory 4) Run the Exploit

  38. How long it takes to template ECC memory for Rowhammer?* *On our setup

  39. How long it takes to template ECC memory for Rowhammer?* ● If a perfect side channel (bit granularity) it takes: – 32 minutes for PTE or code change – 2 hours for the RSA key attack *On our setup

  40. How long it takes to template ECC memory for Rowhammer?* ● If a perfect side channel (bit granularity) it takes: – 32 minutes for PTE or code change – 2 hours for the RSA key attack ● If a typical side channel (word granularity) it takes: – 19 hours for PTE or code change – 3 days for RSA key attack *On our setup

  41. Error Correcting Codes: Only Slow Down Rowhammer Attacks https://vusec.net/projects/eccploit

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

G ENERALIZED R EED -S OLOMON CODES (GRS CODES ) A CHARACTERIZATION OF MDS CODES THAT HAVE AN ERROR

G ENERALIZED R EED -S OLOMON CODES (GRS CODES ) A CHARACTERIZATION OF MDS CODES THAT HAVE AN ERROR

A CHARACTERIZATION OF MDS CODES THAT HAVE AN ERROR CORRECTING PAIR I NTRODUCTION TO C ODING T HEORY MDS CODES A CHARACTERIZATION OF MDS CODES THAT GRS CODES HAVE AN ERROR CORRECTING PAIR ECP M OTIVATION O UR GOAL ARQUEZ -C ORBELLA 1 R. P ELLIKAAN

689 views • 19 slides
Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of

Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of

Rohan Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of Correcting Codes Linear Error Correcting codes and Hadamard Codes Hamming Reed Solomon Code Definitions Basic Def An Error code is

291 views • 18 slides
Error-Correcting codes: Application of convolutional codes to Video Streaming Diego Napp

Error-Correcting codes: Application of convolutional codes to Video Streaming Diego Napp

Introduction to Error-correcting codes Two challenges that recently emerged Block codes vs convolutional codes Error-Correcting codes: Application of convolutional codes to Video Streaming Diego Napp Department of Mathematics, Universidad of

1.13k views • 96 slides
Codes Correcting Under- and Over-Shift Errors in Racetrack Memories Presented by: Van Khu Vu

Codes Correcting Under- and Over-Shift Errors in Racetrack Memories Presented by: Van Khu Vu

Codes Correcting Under- and Over-Shift Errors in Racetrack Memories Presented by: Van Khu Vu Joint work with Yeow Meng Chee, Han Mao Kiah, Alexander Vardy and Eitan Yaakobi 11th March 2019 Presented by: Van Khu Vu Codes Correcting Under- and

543 views • 26 slides
Error-correcting codes and Cryptography Henk van Tilborg Code-based Cryptography Workshop

Error-correcting codes and Cryptography Henk van Tilborg Code-based Cryptography Workshop

Error-correcting codes and Cryptography Henk van Tilborg Code-based Cryptography Workshop Eindhoven, May 11-12, 2011 1/45 CONTENTS I Error-correcting codes; the basics II Quasi-cyclic codes; codes generated by circulants III Cyclic codes

556 views • 45 slides
Quantum Error-Correcting Codes by Concatenation Markus Grassl joint work with Bei Zeng Centre

Quantum Error-Correcting Codes by Concatenation Markus Grassl joint work with Bei Zeng Centre

Quantum Error-Correcting Codes by Concatenation QEC11 Second International Conference on Quantum Error Correction University of Southern California, Los Angeles, USA December 59, 2011 Quantum Error-Correcting Codes by Concatenation Markus

1.15k views • 41 slides
Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear

Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear

Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear Codes Page 1 General Model message m Errors introduced by the noisy channel: coder changed fields in the codeword (e.g., a flipped bit)

307 views • 28 slides
Quantum Error-Correcting Codes: Discrete Math meets Physics Markus Grassl

Quantum Error-Correcting Codes: Discrete Math meets Physics Markus Grassl

Quantum Error-Correcting Codes LAWCI Latin American Week on Coding and Information UniCamp Campinas, Brazil 2018, July 2027 Quantum Error-Correcting Codes: Discrete Math meets Physics Markus Grassl Markus.Grassl@mpl.mpg.de

1.27k views • 91 slides
Quantum Error-Correcting Codes: Discrete Math meets Physics Markus Grassl

Quantum Error-Correcting Codes: Discrete Math meets Physics Markus Grassl

Quantum Error-Correcting Codes LAWCI Latin American Week on Coding and Information UniCamp Campinas, Brazil 2018, July 2027 Quantum Error-Correcting Codes: Discrete Math meets Physics Markus Grassl Markus.Grassl@mpl.mpg.de

762 views • 60 slides
Turning error-reducing quantum turbo codes into error-correcting codes Mamdouh Abbara (MEc),

Turning error-reducing quantum turbo codes into error-correcting codes Mamdouh Abbara (MEc),

Turning error-reducing quantum turbo codes into error-correcting codes Mamdouh Abbara (MEc), Iryna Andriyanova (ENSEA), Jean-Pierre Tillich (INRIA) QEC14 December the 17th, 2014 introduction The 5 qubit code Probability of error after

382 views • 35 slides
On the Triple-Error-Correcting Cyclic Codes with Zero Set t 1 , 2 i 1 , 2 j 1 Vincent

On the Triple-Error-Correcting Cyclic Codes with Zero Set t 1 , 2 i 1 , 2 j 1 Vincent

On the Triple-Error-Correcting Cyclic Codes with Zero Set t 1 , 2 i 1 , 2 j 1 Vincent Herbert 1 (Joint work with Sumanta Sarkar 2 ) IMACC 2011 1 Inria Paris-Rocquencourt, France 2 University of Calgary, Canada 1 Agenda 1

1.03k views • 29 slides
application: error correcting codes 40 Codes are all around us 41 noisy channels Goal: send a

application: error correcting codes 40 Codes are all around us 41 noisy channels Goal: send a

application: error correcting codes 40 Codes are all around us 41 noisy channels Goal: send a 4-bit message over a noisy communication channel. Say, 1 bit in 10 is flipped in transit, independently. What is the probability that the message

655 views • 27 slides
QEC11 Quantum Error Correction and Quantum Error-Correcting Codes Todd A. Brun Center for

QEC11 Quantum Error Correction and Quantum Error-Correcting Codes Todd A. Brun Center for

QEC11 Quantum Error Correction and Quantum Error-Correcting Codes Todd A. Brun Center for Quantum Information Science and Technology (CQIST) Outline 1. What is Quantum Error Correction? 2. Classical Error-Correcting Codes 3. Does Encoding Copy

811 views • 35 slides
Codes Correcting Synchronization Errors for Symbol-Pair Read Channels Presented by: Van Khu

Codes Correcting Synchronization Errors for Symbol-Pair Read Channels Presented by: Van Khu

Codes Correcting Synchronization Errors for Symbol-Pair Read Channels Presented by: Van Khu Vu(isevvk@nus.edu.sg) Joint work with Yeow Meng Chee National University of Singapore June 2020 Presented by: Van Khu Vu(isevvk@nus.edu.sg) Codes

837 views • 29 slides
Searching MDS Burst-Correcting Codes Ana Lucila Sandoval Orozco Advisor : Luis Javier Garca

Searching MDS Burst-Correcting Codes Ana Lucila Sandoval Orozco Advisor : Luis Javier Garca

Searching MDS Burst-Correcting Codes Ana Lucila Sandoval Orozco Advisor : Luis Javier Garca Villalba Department of Software Engineering and Artificial Intelligence Universidad Complutense de Madrid Linear Block Codes f : GF(2) k GF(2) n n -

347 views • 5 slides
15-853:Algorithms in the Real World Error Correcting Codes (cont..) Scribe volunteers: ?

15-853:Algorithms in the Real World Error Correcting Codes (cont..) Scribe volunteers: ?

15-853:Algorithms in the Real World Error Correcting Codes (cont..) Scribe volunteers: ? Announcement: Scribe notes sign up, template and instructions on the course webpage 15-853 Page1 Recap: Block Codes message (m) Each message and

425 views • 25 slides
Code review for Beginners and Experts: Tips & Tricks ukasz K kol Who am I?

Code review for Beginners and Experts: Tips & Tricks ukasz K kol Who am I?

Code review for Beginners and Experts: Tips & Tricks ukasz K kol Who am I? Software Engineer Technical Team Leader Author of "Idiomatic Python Performance" (Apress) Speaker @ EuroPython, PyCon UK, PySS &

320 views • 15 slides
Declarative Visitors to Ease Fine-grained Source Code Mining with Full History on Billions of

Declarative Visitors to Ease Fine-grained Source Code Mining with Full History on Billions of

Declarative Visitors to Ease Fine-grained Source Code Mining with Full History on Billions of AST Nodes Robert Dyer, Hridesh Rajan, and Tien Nguyen {rdyer,hridesh,tien}@iastate.edu Iowa State University The research and educational activities

582 views • 29 slides
PHOG: Probabilistic Model for Code Pavol Bielik , Veselin Raychev, Martin Vechev Software

PHOG: Probabilistic Model for Code Pavol Bielik , Veselin Raychev, Martin Vechev Software

PHOG: Probabilistic Model for Code Pavol Bielik , Veselin Raychev, Martin Vechev Software Reliability Lab Department of Computer Science ETH Zurich Vision Statistical Programming Tool Probabilistic Model number of 15 million repositories

847 views • 35 slides
Analyzing and Supporting Adaptations of Online Code Examples Tianyi Zhang, 1 Di Yang, 2 Crista

Analyzing and Supporting Adaptations of Online Code Examples Tianyi Zhang, 1 Di Yang, 2 Crista

Analyzing and Supporting Adaptations of Online Code Examples Tianyi Zhang, 1 Di Yang, 2 Crista Lopes, 2 Miryung Kim 1 1 University of California, Los Angeles 2 University of California, Irvine Dataset and Tool:

440 views • 31 slides
Inject Security into Source Code How 2018 Will Shift Your Security Priorities Panelists F a

Inject Security into Source Code How 2018 Will Shift Your Security Priorities Panelists F a

Inject Security into Source Code How 2018 Will Shift Your Security Priorities Panelists F a rsha d Ab a si, CT O Mira i Se c urity Ja c e k Ma te rna , CT O Asse mb la Je ff Ro use , Dir. Pro duc t Ma na g e me nt Ac tive Sta te Wher e

772 views • 50 slides
Amassing and indexing a large sample of version control systems: towards the census of public

Amassing and indexing a large sample of version control systems: towards the census of public

Amassing and indexing a large sample of version control systems: towards the census of public source code history Audris Mockus audris@avaya.com Avaya Labs Research Basking Ridge, NJ 07920 http://mockus.org/ Why global properties of code?

559 views • 11 slides
Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch,

Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch,

ICML 2020 Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch, martin.vechev@inf.ethz.ch Department of Computer Science 1 Adversarial Robustness panda gibbon Vision + = Explaining and Harnessing

429 views • 32 slides
FALCON: AN OPTIMIZING JAVA JIT Philip Reames Azul Systems AGENDA Intro to Falcon Why

FALCON: AN OPTIMIZING JAVA JIT Philip Reames Azul Systems AGENDA Intro to Falcon Why

FALCON: AN OPTIMIZING JAVA JIT Philip Reames Azul Systems AGENDA Intro to Falcon Why you should use LLVM to build a JIT Common Objections (and why theyre mostly wrong) 2 WHAT IS FALCON? Falcon is an LLVM based

1.01k views • 66 slides

More recommend