Rowhammer Attacks: A Walkthrough Guide Daniel Gruss & Clementine´ Maurice, Graz University of Technology May 4, 2017 — RuhrSec 2017 www.tugraz.at Who are we Daniel Gruss PhD student @ Graz University Of Technology 7 @lavados R [email protected] Daniel Gruss & Clementine´ Maurice, Graz University of Technology 2 May 4, 2017 — RuhrSec 2017 www.tugraz.at Who are we Clementine´ Maurice PhD in computer science, Postdoc @ Graz University Of Technology 7 @BloodyTangerine R [email protected] Daniel Gruss & Clementine´ Maurice, Graz University of Technology 3 May 4, 2017 — RuhrSec 2017 www.tugraz.at Goals of this talk you get a comprehensive overview of Rowhammer attacks you can run the tools on your machine you understand what’s happening and why ! nothing here is black magic! Daniel Gruss & Clementine´ Maurice, Graz University of Technology 4 May 4, 2017 — RuhrSec 2017 www.tugraz.at Outline Background How to flip bits? How to exploit them? How to mitigate them? Conclusion Daniel Gruss & Clementine´ Maurice, Graz University of Technology 5 May 4, 2017 — RuhrSec 2017 www.tugraz.at 1. Background Daniel Gruss & Clementine´ Maurice, Graz University of Technology 6 May 4, 2017 — RuhrSec 2017 back of DIMM: rank1 channel0 front of DIMM: rank0 chip channel1 www.tugraz.at DRAM organization Daniel Gruss & Clementine´ Maurice, Graz University of Technology 7 May 4, 2017 — RuhrSec 2017 back of DIMM: rank1 front of DIMM: rank0 chip www.tugraz.at DRAM organization channel0 channel1 Daniel Gruss & Clementine´ Maurice, Graz University of Technology 7 May 4, 2017 — RuhrSec 2017 chip www.tugraz.at DRAM organization back of DIMM: rank1 channel0 front of DIMM: rank0 channel1 Daniel Gruss & Clementine´ Maurice, Graz University of Technology 7 May 4, 2017 — RuhrSec 2017 www.tugraz.at DRAM organization back of DIMM: rank1 channel0 front of DIMM: rank0 chip channel1 Daniel Gruss & Clementine´ Maurice, Graz University of Technology 7 May 4, 2017 — RuhrSec 2017 www.tugraz.at DRAM organization bits in cells in rows bank0 access: activate row, chip row0 copy to row buffer row1 row2 ... row 32767 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 8 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 1 11111111111111 11111111111111 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 1 11111111111111 activate ! row 1 activated 11111111111111 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 1 11111111111111 ! row 1 activated 11111111111111 ! row 1 copied to row buffer 11111111111111 11111111111111 ... copy 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 1 11111111111111 ! row 1 activated 11111111111111 ! row 1 copied to row buffer 11111111111111 11111111111111 ... return 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2 11111111111111 11111111111111 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2 11111111111111 ! row 2 activated 11111111111111 activate 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2 11111111111111 ! row 2 activated 11111111111111 ! row 2 copied to row buffer 11111111111111 11111111111111 ... copy 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2 11111111111111 ! row 2 activated 11111111111111 ! row 2 copied to row buffer 11111111111111 11111111111111 ... return 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2 11111111111111 ! row 2 activated 11111111111111 ! row 2 copied to row buffer 11111111111111 ! slow (row conflict) 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2—again 11111111111111 11111111111111 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2—again 11111111111111 ! row 2 already in row buffer 11111111111111 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2—again 11111111111111 ! row 2 already in row buffer 11111111111111 11111111111111 11111111111111 ... return 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2—again 11111111111111 ! row 2 already in row buffer 11111111111111 ! fast (row hit) 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank 11111111111111 11111111111111 11111111111111 11111111111111 row buffer = cache ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 cells leak faster upon proximate accesses ! Rowhammer www.tugraz.at DRAM refresh cells leak ! repetitive refresh necessary refresh ≈ reading (destructive) + writing same data again maximum interval between refreshes to guarantee data integrity Daniel Gruss & Clementine´ Maurice, Graz University of Technology 10 May 4, 2017 — RuhrSec 2017 www.tugraz.at DRAM refresh cells leak ! repetitive refresh necessary refresh ≈ reading (destructive) + writing same data again maximum interval between refreshes to guarantee data integrity cells leak faster upon proximate accesses ! Rowhammer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 10 May 4, 2017 — RuhrSec 2017 www.tugraz.at Rowhammer “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 11111111111111 11111111111111 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 11 May 4, 2017 — RuhrSec 2017 www.tugraz.at Rowhammer “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 11111111111111 activate 11111111111111 11111111111111 11111111111111 ... copy 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 11 May 4, 2017 — RuhrSec 2017 www.tugraz.at Rowhammer “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 11111111111111 11111111111111 11111111111111 activate 11111111111111 ... 11111111111111 copy row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 11 May 4, 2017 — RuhrSec 2017 www.tugraz.at Rowhammer “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 11111111111111 activate 11111111111111 11111111111111 11111111111111 ... copy 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 11 May 4, 2017 — RuhrSec 2017 www.tugraz.at Rowhammer “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 11111111111111 11111111111111 11111111111111 activate 11111111111111 ... 11111111111111 copy row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 11 May 4, 2017 — RuhrSec 2017 www.tugraz.at Rowhammer “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 11111111111111 bit flips in row 2! 11111111111111 1 0 1 1 1 1 1 0 1 0 1 1 1 1 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 11 May 4, 2017 — RuhrSec 2017 www.tugraz.at 2. How to flip bits? Daniel Gruss & Clementine´ Maurice, Graz University of Technology 12 May 4, 2017 — RuhrSec 2017 www.tugraz.at Requirements Memory accesses must be uncached: reach DRAM fast: race against the next row refresh targeted:
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages193 Page
-
File Size-