rowhammer
play

Rowhammer Plagiarized from: - PowerPoint PPT Presentation

Aug 20, 2022 •133 likes •261 views

Rowhammer Plagiarized from: https://en.wikipedia.org/wiki/Row_hammer#/media/File:Row_hammer.svg Step #1: Find aggressor and victim Allocate a large chunk of memory, like 1GB Aggressors X and Y must be different rows in the same bank

  1. Rowhammer…

  2. Plagiarized from: https://en.wikipedia.org/wiki/Row_hammer#/media/File:Row_hammer.svg

  3. Step #1: Find aggressor and victim ● Allocate a large chunk of memory, like 1GB ● Aggressors X and Y must be different rows in the same bank – DRAM row is typically >4K and <2MB – Rows in a bank activated in lockstep ● Pick X and Y as random virtual addresses – Check if hammering X and Y flips a bit in Z – If you find that Z (have to check the whole block), that’s your victim ● Hope that you can flip, e.g., the 12 th bit in a 64-bit word rather than, e.g., the 51 st ● munmap() all but these three pages (two aggressors, one victim)

  4. Step #2: Randomize physical memory ● Why? So a small change in where a PTE points will not go from one data page to another. ● Allocate a huge chunk of memory with mmap() with MAP_POPULATE ● Throughout the exploit, release a random 4KB at a time with madvise + MADV_DONTNEED

  5. Step #3: Spray physical memory with page tables ● Keep mmap()ing a file with markers in it, 2MB aligned – Why 2MB? One page table has 512 entries times 4K = 2MB – Try to have more page tables in memory than data ● When victim is released it’s likely to be a page table ● When bit is flipped new value is likely to point to a page table

  6. Step #4: Hammer time ● Check if bit flip changed a mapping in the page table to point to another page table – Only have to check the Nth page within each 2MB chunk ● If it’s not pointing to the file, then it’s likely pointing to another page table. Which one? – Can change it arbitrarily, then scan our virtual address space to fine another page that now doesn’t point to the file

  7. Step #5: Exploit ● mmap() a setuid binary, like ping – Kernel won’t set write bit in your PTE for ping’s code section – Modify your writable page table to give yourself write permissions to the physical page where ping’s code section gets cached – Execute it as root

  8. MELTDOWN...

  9. Plagiarized from: https://passlab.github.io/CSCE513/notes/lecture18_ILP_SuperscalarAdvancedARMIntel.pdf

  10. Overly simplified MELTDOWN int a[256 * cachelinesize] // cache aligned char *p = &SomethingICantReadInKernel int x = a[*p * cachelinesize] ● Side channel: whatever gets cached speculatively reveals *p

  11. What does this mean? ● Supervisor bit is useless, because microarchitectural state can be visibly changed based on speculative execution that ignores the supervisor bit ● Can no longer put the kernel at the top of the virtual address space of every process

  12. ● https://googleprojectzero.blogspot.com/2015/0 3/exploiting-dram-rowhammer-bug-to-gain.html ● https://www.usenix.org/conference/usenixsecurit y18/presentation/lipp ●

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER

ISOLATION ATTACKS GRAD SEC OCT 03 2017 TODAYS PAPERS ROWHAMMER ROWHAMMER ROWHAMMER ROWHAMMER Bit Flip ROWHAMMER A hardware glitch Causes charge to leak in DRAM DRAM row activations cause bit flips ROWHAMMER + NACL ROWHAMMER +

755 views • 19 slides
RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background

RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background

RowHammer: A Retrospective Jongchan Woo 11/09/2020 Outline Motivation Background Discussion (Strengths/Weaknesses) RowHammer-based Attack Mitigation Techniques Circuit-level Studies Other Works RowHammer in

382 views • 19 slides
Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos Rowhammer (RH) causes bits to flip Exploit to escalate privilege [Seaborn 15]

437 views • 41 slides
Deterministic Rowhammer Attacks on Mobile Platforms by A bunch of pasty faced sad sack nerds

Deterministic Rowhammer Attacks on Mobile Platforms by A bunch of pasty faced sad sack nerds

Drammer: Deterministic Rowhammer Attacks on Mobile Platforms by A bunch of pasty faced sad sack nerds sitting in a basement want to sound cool and tough, like they've just done a tour in 'Nam. [slashdot] Drammer: Deterministic Rowhammer

2.07k views • 192 slides
MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *,

MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *,

MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *, Jaehyuk Lee , Sangho Lee , and Taesoo Kim Oregon State University* KAIST Georgia Institute of Technology TL;DR SGX locks up the

503 views • 24 slides
RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM

RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM

Rapid Detection of RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SARANI BHATTACHARYA SIEW-KEI LAM DEBDEEP MUKHOPADHYA NANYANG TECHNOLOGICAL UNIVERSITY, SINGAPORE INDIAN INSTITUTE OF TECHNOLOGY, KHARAGPUR Overview

362 views • 17 slides
RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an electron SRAM: static RAM

RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an electron SRAM: static RAM

RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an electron SRAM: static RAM DRAM: dynamic RAM http://en.wikipedia.org/wiki/Static_random-access_memory#/media/File:

338 views • 11 slides
S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel

S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel

S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel el Mogh ghimi (@danielmgmi), Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth, Berk Sunar Worcest ster Polytechnic

999 views • 51 slides
Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi Outline Data Dependency SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

663 views • 28 slides
RAMBleed: Reading Bits in Memory Without Accessing Them Andrew Kwong, Daniel Genkin, Daniel

RAMBleed: Reading Bits in Memory Without Accessing Them Andrew Kwong, Daniel Genkin, Daniel

RAMBleed: Reading Bits in Memory Without Accessing Them Andrew Kwong, Daniel Genkin, Daniel Gruss, and Yuval Yarom Presented by Erik Saathoff 11/16/2020 Motivation Rowhammer has previously only been demonstrated as a threat to DRAM

764 views • 19 slides
Meredith L. Patterson Upstanding Hackers, Inc. LangSec@SPW May 21, 2015

Meredith L. Patterson Upstanding Hackers, Inc. LangSec@SPW May 21, 2015

Meredith L. Patterson Upstanding Hackers, Inc. LangSec@SPW May 21, 2015 https://github.com/UpstandingHackers/hammer All backends complete Packrat, GLR, LALR, LL(k), regex New combinators! h_endianness h_aligned

301 views • 5 slides
Self-Adjusting Machines Matthew A. Hammer University of Chicago Max Planck Institute for

Self-Adjusting Machines Matthew A. Hammer University of Chicago Max Planck Institute for

Self-Adjusting Machines Matthew A. Hammer University of Chicago Max Planck Institute for Software Systems Thesis Defense July 20, 2012 Chicago, IL Static Computation Versus Dynamic Computation Static Computation: Fixed Input Compute Fixed

567 views • 43 slides
Self-Adjusting Stack Machines Matthew A. Hammer Georg Neis Yan Chen Umut A. Acar Max Planck

Self-Adjusting Stack Machines Matthew A. Hammer Georg Neis Yan Chen Umut A. Acar Max Planck

Self-Adjusting Stack Machines Matthew A. Hammer Georg Neis Yan Chen Umut A. Acar Max Planck Institute for Software Systems OOPSLA 2011 October 27, 2011 Portland, Oregon, USA Static Computation Versus Dynamic Computation Static

552 views • 41 slides
Robert Hoffmann NETTAB, Biological Wikis, Naples, Italy, 2010 NETTAB, Biological Wikis, Naples,

Robert Hoffmann NETTAB, Biological Wikis, Naples, Italy, 2010 NETTAB, Biological Wikis, Naples,

Collaborative Publishing with Authorship Tracking and Reputation System - WikiGenes Collaborative Publishing with Authorship Tracking and Reputation System Robert Hoffmann NETTAB, Biological Wikis, Naples, Italy, 2010 NETTAB, Biological Wikis,

749 views • 29 slides
Candles in Context Candles in Context Not an ideal dark cloud cover, but?? 201 Trading Tactics

Candles in Context Candles in Context Not an ideal dark cloud cover, but?? 201 Trading Tactics

Candles in Context Candles in Context Not an ideal dark cloud cover, but?? 201 Trading Tactics - - Candles in Context Candles in Context Trading Tactics 1 a) What are the candle lines at the arrows at 1 and 2 ? b) Where would you be more

449 views • 20 slides
Hammer for Coq: Automation for Dependent Type Theory ukasz Czajka, University of Copenhagen

Hammer for Coq: Automation for Dependent Type Theory ukasz Czajka, University of Copenhagen

Hammer for Coq: Automation for Dependent Type Theory ukasz Czajka, University of Copenhagen Cezary Kaliszyk, University of Innsbruck 29 March 2018 http://cl-informatik.uibk.ac.at/cek/coqhammer/ 1 / 16 Interactive Proof in Type Theory

789 views • 47 slides
The HammerBlade: An ML-Optimized Supercomputer for ML and Graphs Prof. Michael B. Taylor

The HammerBlade: An ML-Optimized Supercomputer for ML and Graphs Prof. Michael B. Taylor

The HammerBlade: An ML-Optimized Supercomputer for ML and Graphs Prof. Michael B. Taylor (PI) University of Washington Prof. Adrian Sampson Prof. Luis Ceze University of Washington Cornell University Prof. Chris Batten Prof. Mark

773 views • 34 slides
CIS 4930/6930: Principles of Cyber-Physical Systems Timed Automata: A Case Study Hao Zheng

CIS 4930/6930: Principles of Cyber-Physical Systems Timed Automata: A Case Study Hao Zheng

CIS 4930/6930: Principles of Cyber-Physical Systems Timed Automata: A Case Study Hao Zheng Department of Computer Science and Engineering University of South Florida H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 1 / 23 A Jobshop

938 views • 35 slides
HAMMER TIME: STATIC BLOG IN RUBY by Anton Katunin @antulik Welcome, my name is Anton and today

HAMMER TIME: STATIC BLOG IN RUBY by Anton Katunin @antulik Welcome, my name is Anton and today

HAMMER TIME: STATIC BLOG IN RUBY by Anton Katunin @antulik Welcome, my name is Anton and today I will talk about static blogs in ruby THIS IS A LIGHTING TALK 5 min This is a lightning talk. All I have is 5 minutes ABOUT ME A bit out

586 views • 34 slides
to gain kernel privileges Writer : MARK SEABORN @GOOGLE Presenter : Jiwon Choi Introduction

to gain kernel privileges Writer : MARK SEABORN @GOOGLE Presenter : Jiwon Choi Introduction

Exploiting the DRAM row hammer bug to gain kernel privileges Writer : MARK SEABORN @GOOGLE Presenter : Jiwon Choi Introduction Exploit ! without exploiting software bug Row hammer repeated accesses DRAMs row DRAM chipset DRAM

932 views • 77 slides
Linked Data in Linguistics for NLP and Web Annotation http://nlp2rdf.org http://lod2.eu

Linked Data in Linguistics for NLP and Web Annotation http://nlp2rdf.org http://lod2.eu

Creating Knowledge out of Interlinked Data MultilingualWeb 2012/06/11 Dublin Page 1 MultilingualWeb http://lod2.eu Linked Data in Linguistics for NLP and Web Annotation http://nlp2rdf.org http://lod2.eu Sebastian Hellmann

210 views • 20 slides
&quot;To a man with a hammer, everything looks like a nail&quot; -Mark Twain CS314 Recursion 2

&quot;To a man with a hammer, everything looks like a nail&quot; -Mark Twain CS314 Recursion 2

Topic 12 Underneath the Hood. Introduction to Recursion &quot;To a man with a hammer, everything looks like a nail&quot; -Mark Twain CS314 Recursion 2 The Program Stack method1 and method2 // in class Mice When you invoke a method in

404 views • 13 slides
Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer Architect, Red Hat, Inc. jcm@redhat.com | @jonmasters 2 Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Overview

1.58k views • 140 slides
Number of New COVID-19 Cases in Arkansas 160 140 120 100 NUMBER OF NEW CASES 80 60 40 20

Number of New COVID-19 Cases in Arkansas 160 140 120 100 NUMBER OF NEW CASES 80 60 40 20

Number of New COVID-19 Cases in Arkansas 160 140 120 100 NUMBER OF NEW CASES 80 60 40 20 0 r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r a a a a a a a a a

242 views • 6 slides

More recommend