rowhammer in 15
play

RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an - PowerPoint PPT Presentation

Sep 16, 2022 •226 likes •338 views

RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an electron SRAM: static RAM DRAM: dynamic RAM http://en.wikipedia.org/wiki/Static_random-access_memory#/media/File:

  1. RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com

  2. Life of an electron SRAM: static RAM DRAM: dynamic RAM http://en.wikipedia.org/wiki/Static_random-access_memory#/media/File: http://en.wikipedia.org/wiki/Dynamic_random-access_memory#/media/File: SRAM_Cell_(6_Transistors).svg Square_array_of_mosfet_cells_read.png Google Proprietary

  3. Life of an electron SRAM DRAM Uses a lot of die space (4 to 6 Excellent storage density (1 capacitor transistors per bit) + 1 transistor per bit) Fast random access time Slow access (full row access) Static (conserve state unless powered Leaky (capacitor discharges in ~N off) ms) Used for L-1 L-2 caches Used for external memory (Synchronous DRAM) Google Proprietary

  4. Life of an electron DRAM discharge: mitigated by regular refresh ● Usually every 64ms Google Proprietary

  5. What if? You access a value too often? Bit-flip(s)! ● Including in adjacent rows Why? Nobody knows for sure ... ● Condenser discharge. Power glitch. Tunnel effect. You name it. Google Proprietary

  6. What if? Known for years for the hardware industry ● Cf. JEDEC specifications Re-discovered by software people ● https://github.com/CMU-SAFARI/rowhammer Eventually exploited by Google as a generic privilege escalation ● http://googleprojectzero.blogspot.ch/2015/03/exploiting-dram-rowhammer-bug-to-gain.html Google Proprietary

  7. Exploitation Short version ● Fill memory ● Flip a PTE bit ● Profit! Flipping fast ● CLFLUSH (userland, cannot be disabled by CRx/MSR or microcode update - as of today) Unexplored ways ● Non-temporal hints (MOVNT*) ● Other cache-control instructions (MFENCE/SFENCE, ...) Google Proprietary

  8. Exploitation The devil is in the details ● Guessing physical memory layout ● Flipping the right bit ○ Affected locations tend to be geographically stable (die defect) ● Double hammer vs. single hammer Google Proprietary

  9. Mitigations ECC + Linux MCE policy ● Can correct 1-bit and detect 2-bit errors Double refresh rate Software monitoring cache miss with perf counters pTRR / TRR: [pseudo] Targeted Row Refresh ● Specified by DDR3/DDR4 standards MAC (Maximum Activate Count) Google Proprietary

  10. TODO Other memory access vectors? ● DMA ● GPU memory ● Hidden cache-bypassing instructions? Vendor-specific mitigations? ● Dell RMT ("Reliable Memory Technology") Embedded devices? ● ARM, MIPS, PPC, microcontrollers, ... Damaging physical memory? ● http://en.wikipedia.org/wiki/Hot-carrier_injection Google Proprietary

  11. References Original research ● https://github.com/CMU-SAFARI/rowhammer Google research ● http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html ● https://github.com/google/rowhammer-test Vendor(s) statements ● http://support.lenovo.com/us/en/product_security/row_hammer ● http://azure.microsoft.com/blog/2015/03/16/microsoft-azure-uses-error-correcting-code-memory- for-enhanced-reliability-and-security/ ● http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150309- rowhammer ● http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04593978 Google Proprietary

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER ROWHAMMER Bit Flip ROWHAMMER A hardware glitch Causes charge to leak in DRAM DRAM row activations cause bit flips ROWHAMMER + NACL ROWHAMMER +

755 views • 19 slides
RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background

RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background

RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background Discussion (Strengths/Weaknesses) RowHammer-based Attack Mitigation Techniques Circuit-level Studies Other Works RowHammer in

382 views • 19 slides
Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos Rowhammer (RH) causes bits to flip Exploit to escalate privilege [Seaborn 15]

437 views • 41 slides
Rowhammer Plagiarized from:

Rowhammer Plagiarized from:

Rowhammer Plagiarized from: https://en.wikipedia.org/wiki/Row_hammer#/media/File:Row_hammer.svg Step #1: Find aggressor and victim Allocate a large chunk of memory, like 1GB Aggressors X and Y must be different rows in the same bank

261 views • 12 slides
Deterministic Rowhammer Attacks on Mobile Platforms by A bunch of pasty faced sad sack nerds

Deterministic Rowhammer Attacks on Mobile Platforms by A bunch of pasty faced sad sack nerds

Drammer: Deterministic Rowhammer Attacks on Mobile Platforms by A bunch of pasty faced sad sack nerds sitting in a basement want to sound cool and tough, like they've just done a tour in 'Nam. [slashdot] Drammer: Deterministic Rowhammer

2.07k views • 192 slides
MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *,

MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *,

MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *, Jaehyuk Lee , Sangho Lee , and Taesoo Kim Oregon State University* KAIST Georgia Institute of Technology TL;DR SGX locks up the

503 views • 24 slides
RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM

RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM

Rapid Detection of RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM DEBDEEP MUKHOPADHYA NANYANG TECHNOLOGICAL UNIVERSITY, SINGAPORE INDIAN INSTITUTE OF TECHNOLOGY, KHARAGPUR Overview

362 views • 17 slides
S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel

S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel

S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel el Mogh ghimi (@danielmgmi), Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth, Berk Sunar Worcest ster Polytechnic

999 views • 51 slides
Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi Outline Data Dependency SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

663 views • 28 slides
RAMBleed: Reading Bits in Memory Without Accessing Them Andrew Kwong, Daniel Genkin, Daniel

RAMBleed: Reading Bits in Memory Without Accessing Them Andrew Kwong, Daniel Genkin, Daniel

RAMBleed: Reading Bits in Memory Without Accessing Them Andrew Kwong, Daniel Genkin, Daniel Gruss, and Yuval Yarom Presented by Erik Saathoff 11/16/2020 Motivation Rowhammer has previously only been demonstrated as a threat to DRAM

764 views • 19 slides
Mathematical Tools for the Masses Joseph Malkevitch Professor Emeritus York College (CUNY)

Mathematical Tools for the Masses Joseph Malkevitch Professor Emeritus York College (CUNY)

Mathematical Tools for the Masses Joseph Malkevitch Professor Emeritus York College (CUNY) CUNY Graduate Center Adjunct Professor Teachers College at Columbia email: jmalkevitch@york.cuny.edu Take home messages: * Developing

619 views • 45 slides
Curling: Why The _ Do You _? Zaheen Ahmad Rational Behaviour Rational agents play to maximize

Curling: Why The _ Do You _? Zaheen Ahmad Rational Behaviour Rational agents play to maximize

Curling: Why The _ Do You _? Zaheen Ahmad Rational Behaviour Rational agents play to maximize expected utility in games Humans are not always rational in reality Di ffi cult to analyze rationality in all games 2 Curling Sport

421 views • 28 slides
Sebastian Hack, Christian Hammer, Jan Reineke Saarland University Static Program Analysis

Sebastian Hack, Christian Hammer, Jan Reineke Saarland University Static Program Analysis

Sebastian Hack, Christian Hammer, Jan Reineke Saarland University Static Program Analysis Introduction Winter Semester 2014 Slides based on: H. Seidl, R. Wilhelm, S. Hack: Compiler Design, Volume 3, Analysis and Transformation, Springer

616 views • 27 slides
Survey Design Principles Luke Kachersky, Ph.D. Why Understand beyond customer behavior

Survey Design Principles Luke Kachersky, Ph.D. Why Understand beyond customer behavior

Survey Design Principles Luke Kachersky, Ph.D. Why Understand beyond customer behavior survey? Perceptions, motives, emotions Efficient data collection Scalable deployment Conclusive Your ultimate goal Make it easy for

420 views • 37 slides
Integration of general-purpose automated theorem provers in Lean Gabriel Ebner Formal Methods in

Integration of general-purpose automated theorem provers in Lean Gabriel Ebner Formal Methods in

Integration of general-purpose automated theorem provers in Lean Gabriel Ebner Formal Methods in Mathematics 2020-01-08 Vrije Universiteit Amsterdam Introduction Premise selection Applicative translation to FOL Monomorphizing translation to

455 views • 34 slides
Lossless or Quantized Boosting with Integer Arithmetic Richard Nock Robert C. Williamson

Lossless or Quantized Boosting with Integer Arithmetic Richard Nock Robert C. Williamson

Lossless or Quantized Boosting with Integer Arithmetic Richard Nock Robert C. Williamson The big picture Many constraints in today-ML (e.g. for privacy, at-the-edge, distributed or deep) generic : integer encoding,

467 views • 8 slides
Semantic Spaces for Zero-Shot Behaviour Analysis Xun Xu Computer Vision and Interactive Media

Semantic Spaces for Zero-Shot Behaviour Analysis Xun Xu Computer Vision and Interactive Media

Semantic Spaces for Zero-Shot Behaviour Analysis Xun Xu Computer Vision and Interactive Media Lab, NUS Singapore 1 Collaborators Prof. Shaogang Gong Dr. Timothy Hospedales 2 Outline Background Transductive Zero-Shot Action

764 views • 73 slides
an Open Source RISC-V Microarchitecture CARRV 2019 June 22 nd , 2019 - Phoenix, Arizona Abraham

an Open Source RISC-V Microarchitecture CARRV 2019 June 22 nd , 2019 - Phoenix, Arizona Abraham

Replicating and Mitigating Spectre Attacks on an Open Source RISC-V Microarchitecture CARRV 2019 June 22 nd , 2019 - Phoenix, Arizona Abraham Gonzalez , Ben Korpan, Jerry Zhao , Ed Younis Krste Asanovi University of California, Berkeley

709 views • 32 slides
Upping the ante: the full Lambek Calculus Robert Levine Ohio State University levine.1@osu.edu

Upping the ante: the full Lambek Calculus Robert Levine Ohio State University levine.1@osu.edu

Upping the ante: the full Lambek Calculus Robert Levine Ohio State University levine.1@osu.edu Robert Levine The Lambek Calculus 1 / 24 Coordination Coordination is a cross-categorial phenomenon Robert Levine The Lambek Calculus 2 / 24

1.82k views • 164 slides
The Big Problem with Meta-Learning and How Bayesians Can Fix It Chelsea Finn Stanford

The Big Problem with Meta-Learning and How Bayesians Can Fix It Chelsea Finn Stanford

The Big Problem with Meta-Learning and How Bayesians Can Fix It Chelsea Finn Stanford training data test datapoint Braque Cezanne By Braque or Cezanne? How did you accomplish this? Through previous experience. How might you get a

264 views • 25 slides
Hammering towards Qed Cezary Kaliszyk Josef Urban University of Innsbruck Radboud University

Hammering towards Qed Cezary Kaliszyk Josef Urban University of Innsbruck Radboud University

Hammering towards Qed Cezary Kaliszyk Josef Urban University of Innsbruck Radboud University July 18, 2014 1 / 21 Outline Automation for Interactive Proof Translations Evaluation Machine Learning Reconstruction Towards Qed Strength

628 views • 29 slides
Decomposition of effect algebras and the Hammer-Sobczyk theorem A report of the joint paper by

Decomposition of effect algebras and the Hammer-Sobczyk theorem A report of the joint paper by

Decomposition of effect algebras and the Hammer-Sobczyk theorem A report of the joint paper by Anna Avallone, Giuseppina Barbieri Paolo Vitolo and Hans Weber on Algebra Universalis E. Marczewski Centennial Conference, 2007 DEFINITION A measure

595 views • 16 slides
Lecture 4 (Part 3): Hierarchical 3D Models Prof Emmanuel Agu Computer Science Dept. Worcester

Lecture 4 (Part 3): Hierarchical 3D Models Prof Emmanuel Agu Computer Science Dept. Worcester

Computer Graphics (CS 543) Lecture 4 (Part 3): Hierarchical 3D Models Prof Emmanuel Agu Computer Science Dept. Worcester Polytechnic Institute (WPI) Instance Transformation Start with unique object (a symbol ) Each appearance of object

767 views • 42 slides
Fast Discriminative Component Analysis for Comparing Examples Jaakko Peltonen 1 , Jacob Goldberger

Fast Discriminative Component Analysis for Comparing Examples Jaakko Peltonen 1 , Jacob Goldberger

NIPS 2006 LCE workshop Fast Discriminative Component Analysis for Comparing Examples Jaakko Peltonen 1 , Jacob Goldberger 2 , and Samuel Kaski 1 1 Helsinki Institute for Information Technology & Adaptive Informatics Research Centre,

592 views • 58 slides

More recommend