RAMBleed: Reading Bits in Memory Without Accessing Them

Kwong, Andrew; Genkin, Daniel; Gruss, Daniel; Yarom, Yuval

doi:10.1109/sp40000.2020.00020

Cited by 108 publications

(91 citation statements)

References 42 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Within only five years since its discovery, exploits based on the RowHammer vulnerability [51] have spread to almost every type of computing system [71], [72]. Personal computers [14], [27], [28], [81], [88], cloud servers [23], [33], [54], [77], [79], [89], [96], and mobile phones [25], [91], [92] have all fallen victim to attacks with RowHammer bit flips triggered from native code [12], [23], [27], [33], [77]- [79], [81], [96], JavaScript in the browser [14], [25], [28], [81] and even remote clients across the network [66], [89]. From an academic demonstration, the RowHammer vulnerability has evolved into a major security vulnerability for the entire industry.…”

Section: Introductionmentioning

confidence: 99%

TRRespass: Exploiting the Many Sides of Target Row Refresh

Frigo

Vannacc

Hassan

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

126

204

View full text Add to dashboard Cite

After a plethora of high-profile RowHammer attacks, CPU and DRAM vendors scrambled to deliver what was meant to be the definitive hardware solution against the RowHammer problem: Target Row Refresh (TRR). A common belief among practitioners is that, for the latest generation of DDR4 systems that are protected by TRR, RowHammer is no longer an issue in practice. However, in reality, very little is known about TRR. How does TRR exactly prevent RowHammer? Which parts of a system are responsible for operating the TRR mechanism? Does TRR completely solve the RowHammer problem or does it have weaknesses?In this paper, we demystify the inner workings of TRR and debunk its security guarantees. We show that what is advertised as a single mitigation mechanism is actually a series of different solutions coalesced under the umbrella term Target Row Refresh. We inspect and disclose, via a deep analysis, different existing TRR solutions and demonstrate that modern implementations operate entirely inside DRAM chips. Despite the difficulties of analyzing in-DRAM mitigations, we describe novel techniques for gaining insights into the operation of these mitigation mechanisms. These insights allow us to build TRRespass, a scalable black-box RowHammer fuzzer that we evaluate on 42 recent DDR4 modules.TRRespass shows that even the latest generation DDR4 chips with in-DRAM TRR, immune to all known RowHammer attacks, are often still vulnerable to new TRR-aware variants of RowHammer that we develop. In particular, TRRespass finds that, on present-day DDR4 modules, RowHammer is still possible when many aggressor rows are used (as many as 19 in some cases), with a method we generally refer to as Many-sided RowHammer. Overall, our analysis shows that 13 out of the 42 modules from all three major DRAM vendors (i.e., Samsung, Micron, and Hynix) are vulnerable to our TRR-aware RowHammer access patterns, and thus one can still mount existing state-of-the-art system-level RowHammer attacks. In addition to DDR4, we also experiment with LPDDR4(X) 1 chips and show that they are susceptible to RowHammer bit flips too. Our results provide concrete evidence that the pursuit of better RowHammer mitigations must continue. 2 We turn off the in-DRAM RowHammer mitigation mechanism by disabling REFRESH commands, as we explain in Section V.

show abstract

Section: Introductionmentioning

confidence: 99%

TRRespass: Exploiting the Many Sides of Target Row Refresh

Frigo

Vannacc

Hassan

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

126

204

View full text Add to dashboard Cite

show abstract

“…This exploit requires that the victim and the adversary to operate on the same logical core. This can be achieved using taskset, which is a common assumption in similar attack settings [KGGY20].…”

Section: Assumptions On the Threat Modelmentioning

confidence: 99%

RASSLE: Return Address Stack based Side-channel LEakage

Chakraborty

Bhattacharya

Alam

et al. 2021

TCHES

View full text Add to dashboard Cite

Microarchitectural attacks on computing systems often stem from simple artefacts in the underlying architecture. In this paper, we focus on the Return Address Stack (RAS), a small hardware stack present in modern processors to reduce the branch miss penalty by storing the return addresses of each function call. The RAS is useful to handle specifically the branch predictions for the RET instructions which are not accurately predicted by the typical branch prediction units. In particular, we envisage a spy process who crafts an overflow condition in the RAS by filling it with arbitrary return addresses, and wrestles with a concurrent process to establish a timing side channel between them. We call this attack principle, RASSLE 1 (Return Address Stack based Side-channel Leakage), which an adversary can launch on modern processors by first reverse engineering the RAS using a generic methodology exploiting the established timing channel. Subsequently, we show three concrete attack scenarios: i) How a spy can establish a covert channel with another co-residing process? ii) How RASSLE can be utilized to determine the secret key of the P-384 curves in OpenSSL (v1.1.1 library)? iii) How an Elliptic Curve Digital Signature Algorithm (ECDSA) secret key on P-256 curve of OpenSSL can be revealed using Lattice Attack on partially leaked nonces with the aid of RASSLE? In this attack, we show that the OpenSSL implementation of scalar multiplication on this curve has varying number of add-and-sub function calls, which depends on the secret scalar bits. We demonstrate through several experiments that the number of add-and-sub function calls can be used to template the secret bit, which can be picked up by the spy using the principles of RASSLE. Finally, we demonstrate a full end-to-end attack on OpenSSL ECDSA using curve parameters of curve P-256. In this part of our experiments with RASSLE, we abuse the deadline scheduler policy to attain perfect synchronization between the spy and victim, without any aid of induced synchronization from the victim code. This synchronization and timing leakage through RASSLE is sufficient to retrieve the Most Significant Bits (MSB) of the ephemeral nonces used while signature generation, from which we subsequently retrieve the secret signing key of the sender applying the Hidden Number Problem. 1RASSLE is a non-standard spelling for wrestle.

show abstract

“…There are many kinds of attacks that come under this category like the return to libc attack, jump-oriented programming attack, return-oriented programming attack, etc. [19,20].…”

Section: Kernel Layermentioning

confidence: 99%

A Review and Case Study on Android Malware: Threat Model, Attacks, Techniques and Tools

Negi

Mishra

Chaudhary

et al. 2021

JCSANDM

View full text Add to dashboard Cite

As android devices have increased in number in the past few years, the android operating system has started dominating the smartphone market. The vast spread of android across all the devices has made security an important issue as the android users continue to grow exponentially. The security of android platform has become the need of the hour in view of increase in the number of malicious apps and thus several studies have emerged to present the detection approaches. In this paper, we review the android components to propose a threat model that illustrates the possible threats that are present in the android. We also present the attack taxonomy to illustrate the possible attacks at various layers of the android architecture. Experiments demonstrating the feature extraction and classification using machine earning algorithms have also been performed.

show abstract

RAMBleed: Reading Bits in Memory Without Accessing Them

Cited by 108 publications

References 42 publications

TRRespass: Exploiting the Many Sides of Target Row Refresh

TRRespass: Exploiting the Many Sides of Target Row Refresh

RASSLE: Return Address Stack based Side-channel LEakage

A Review and Case Study on Android Malware: Threat Model, Attacks, Techniques and Tools

Contact Info

Product

Resources

About