CSI:Rowhammer: Closing the Case of Half-Double and Beyond

Activity: Talk or presentationTalk at conference or symposiumScience to public


Rowhammer is a severe security problem in DRAM, allowing an unprivileged adversary to gain kernel privileges by inducing electrical disturbance errors. Today, mitigations against Rowhammer, most notably Targeted Row Refresh (TRR), are widely adopted and even part of recent DRAM standards.

In this talk, we first show that TRR is insufficient by design and counterintuitively assists an attacker in the context of our new Rowhammer type: Half-Double. Unlike all previous Rowhammer attacks, Half-Double hammers from a distance of two. Here, the mitigative refreshes performed by TRR amplify the hammering, breaking the spatial assumptions of state-of-the-art mitigations. We demonstrate the impact of Half-Double in an end-to-end exploit that allows an unprivileged adversary to escalate to root privileges on an off-the-shelf Chrome OS device protected by TRR and ECC. We detail the different phases of the exploit, including our novel techniques combining knowledge of the operating system internals, speculative execution, timing side channels, and blind hammering.

After a decade-long Rowhammer-related cat-and-mouse game between defenses and attacks, we propose a fundamental change, rethinking how to protect memory in a principled way. Therefore, in the second part of the talk, we present a novel approach to DRAM integrity: CSI:Rowhammer. Unlike all previous Rowhammer defenses CSI:Rowhammer makes no general assumption about the Rowhammer effect, including its temporal and spatial properties. CSI:Rowhammer combines a cryptographic MAC to ensure data integrity with hardware and software correction routines. This hardware-software co-design detects any memory corruption with cryptographical guarantees. Furthermore, with operating system and hypervisor integration, we achieve groundbreaking correction capabilities and unprecedented error handling flexibility, e.g., allowing the system to transparently correct memory errors up to the extreme case, where an unbounded amount of bitflips can be restored.
Period7 Dec 2022
Event titleBlack Hat Europe 2022
Event typeConference
LocationLondon, United KingdomShow on map
Degree of RecognitionInternational