Rowhammer Attacks: a Walkthrough Guide

Rowhammer Attacks: a Walkthrough Guide

Rowhammer Attacks: A Walkthrough Guide Daniel Gruss & Clementine´ Maurice, Graz University of Technology May 4, 2017 — RuhrSec 2017 www.tugraz.at Who are we Daniel Gruss PhD student @ Graz University Of Technology 7 @lavados R [email protected] Daniel Gruss & Clementine´ Maurice, Graz University of Technology 2 May 4, 2017 — RuhrSec 2017 www.tugraz.at Who are we Clementine´ Maurice PhD in computer science, Postdoc @ Graz University Of Technology 7 @BloodyTangerine R [email protected] Daniel Gruss & Clementine´ Maurice, Graz University of Technology 3 May 4, 2017 — RuhrSec 2017 www.tugraz.at Goals of this talk you get a comprehensive overview of Rowhammer attacks you can run the tools on your machine you understand what’s happening and why ! nothing here is black magic! Daniel Gruss & Clementine´ Maurice, Graz University of Technology 4 May 4, 2017 — RuhrSec 2017 www.tugraz.at Outline Background How to flip bits? How to exploit them? How to mitigate them? Conclusion Daniel Gruss & Clementine´ Maurice, Graz University of Technology 5 May 4, 2017 — RuhrSec 2017 www.tugraz.at 1. Background Daniel Gruss & Clementine´ Maurice, Graz University of Technology 6 May 4, 2017 — RuhrSec 2017 back of DIMM: rank1 channel0 front of DIMM: rank0 chip channel1 www.tugraz.at DRAM organization Daniel Gruss & Clementine´ Maurice, Graz University of Technology 7 May 4, 2017 — RuhrSec 2017 back of DIMM: rank1 front of DIMM: rank0 chip www.tugraz.at DRAM organization channel0 channel1 Daniel Gruss & Clementine´ Maurice, Graz University of Technology 7 May 4, 2017 — RuhrSec 2017 chip www.tugraz.at DRAM organization back of DIMM: rank1 channel0 front of DIMM: rank0 channel1 Daniel Gruss & Clementine´ Maurice, Graz University of Technology 7 May 4, 2017 — RuhrSec 2017 www.tugraz.at DRAM organization back of DIMM: rank1 channel0 front of DIMM: rank0 chip channel1 Daniel Gruss & Clementine´ Maurice, Graz University of Technology 7 May 4, 2017 — RuhrSec 2017 www.tugraz.at DRAM organization bits in cells in rows bank0 access: activate row, chip row0 copy to row buffer row1 row2 ... row 32767 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 8 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 1 11111111111111 11111111111111 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 1 11111111111111 activate ! row 1 activated 11111111111111 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 1 11111111111111 ! row 1 activated 11111111111111 ! row 1 copied to row buffer 11111111111111 11111111111111 ... copy 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 1 11111111111111 ! row 1 activated 11111111111111 ! row 1 copied to row buffer 11111111111111 11111111111111 ... return 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2 11111111111111 11111111111111 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2 11111111111111 ! row 2 activated 11111111111111 activate 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2 11111111111111 ! row 2 activated 11111111111111 ! row 2 copied to row buffer 11111111111111 11111111111111 ... copy 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2 11111111111111 ! row 2 activated 11111111111111 ! row 2 copied to row buffer 11111111111111 11111111111111 ... return 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2 11111111111111 ! row 2 activated 11111111111111 ! row 2 copied to row buffer 11111111111111 ! slow (row conflict) 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2—again 11111111111111 11111111111111 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2—again 11111111111111 ! row 2 already in row buffer 11111111111111 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2—again 11111111111111 ! row 2 already in row buffer 11111111111111 11111111111111 11111111111111 ... return 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank CPU wants to access row 2—again 11111111111111 ! row 2 already in row buffer 11111111111111 ! fast (row hit) 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 www.tugraz.at How reading from DRAM works DRAM bank 11111111111111 11111111111111 11111111111111 11111111111111 row buffer = cache ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 9 May 4, 2017 — RuhrSec 2017 cells leak faster upon proximate accesses ! Rowhammer www.tugraz.at DRAM refresh cells leak ! repetitive refresh necessary refresh ≈ reading (destructive) + writing same data again maximum interval between refreshes to guarantee data integrity Daniel Gruss & Clementine´ Maurice, Graz University of Technology 10 May 4, 2017 — RuhrSec 2017 www.tugraz.at DRAM refresh cells leak ! repetitive refresh necessary refresh ≈ reading (destructive) + writing same data again maximum interval between refreshes to guarantee data integrity cells leak faster upon proximate accesses ! Rowhammer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 10 May 4, 2017 — RuhrSec 2017 www.tugraz.at Rowhammer “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 11111111111111 11111111111111 11111111111111 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 11 May 4, 2017 — RuhrSec 2017 www.tugraz.at Rowhammer “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 11111111111111 activate 11111111111111 11111111111111 11111111111111 ... copy 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 11 May 4, 2017 — RuhrSec 2017 www.tugraz.at Rowhammer “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 11111111111111 11111111111111 11111111111111 activate 11111111111111 ... 11111111111111 copy row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 11 May 4, 2017 — RuhrSec 2017 www.tugraz.at Rowhammer “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 11111111111111 activate 11111111111111 11111111111111 11111111111111 ... copy 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 11 May 4, 2017 — RuhrSec 2017 www.tugraz.at Rowhammer “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 11111111111111 11111111111111 11111111111111 activate 11111111111111 ... 11111111111111 copy row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 11 May 4, 2017 — RuhrSec 2017 www.tugraz.at Rowhammer “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 11111111111111 bit flips in row 2! 11111111111111 1 0 1 1 1 1 1 0 1 0 1 1 1 1 11111111111111 ... 11111111111111 row buffer Daniel Gruss & Clementine´ Maurice, Graz University of Technology 11 May 4, 2017 — RuhrSec 2017 www.tugraz.at 2. How to flip bits? Daniel Gruss & Clementine´ Maurice, Graz University of Technology 12 May 4, 2017 — RuhrSec 2017 www.tugraz.at Requirements Memory accesses must be uncached: reach DRAM fast: race against the next row refresh targeted:

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    193 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us