Exploiting RowPress and RowHammer and How To Defend Against It

Activity: Talk or presentation › Talk at workshop, seminar or course › Science to science

Description

Rowhammer is a vulnerability still plaguing DRAM 10 years after its discovery. With CSI:Rowhammer, we proposed a new generic approach to Rowhammer mitigations. The design idea is to not focus on any supposed characteristics of Rowhammer but to provide cryptographically secure integrity (CSI) protection for all data in the DRAM. Basing a mitigation on known vulnerability characteristics involves the risk that the mitigation can be circumvented due to new, previously unknown effects. With Rowhammer, this was the case with the discovery of one-location Rowhammer, later again with half-double Rowhammer, and just recently with RowPress. RowPress flips bits in memory, exploiting a different underlying effect than Rowhammer by keeping rows open as long as possible.
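As an added illustration of the design argument above (example code, not from the CSI:Rowhammer paper or its authors), the following Python simulation contrasts a characteristic-based mitigation that counts row activations with a keyed per-row integrity check: the counter heuristic only reacts to the many-activation Rowhammer pattern, while the MAC check flags the corrupted row whatever effect caused the flip. Row size, MAC truncation, the activation threshold and the bit-flip scenarios are constructed assumptions.

```python
import hmac, hashlib, os

ROWS, ROW_BYTES = 8, 64
KEY = os.urandom(32)  # assumed per-boot integrity key held outside DRAM

def new_dram():
    return [bytearray(os.urandom(ROW_BYTES)) for _ in range(ROWS)]

def tag(row, data):
    # Keyed MAC over (row address, contents); binding the address stops row swapping.
    msg = row.to_bytes(2, "big") + bytes(data)
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:8]  # 64-bit tag (assumed)

def tag_all(dram):
    return [tag(i, d) for i, d in enumerate(dram)]

def csi_check(dram, tags):
    """Return rows whose contents no longer match their stored MAC."""
    return [i for i, d in enumerate(dram) if not hmac.compare_digest(tag(i, d), tags[i])]

def counter_mitigation(activations, threshold=1000):
    """Characteristic-based mitigation: flag aggressor rows activated above a threshold."""
    return {row for row, count in activations.items() if count > threshold}

def flip_bit(dram, row, bit):
    # Constructed disturbance: one bit in a victim row flips; the cause is invisible to CSI.
    dram[row][bit // 8] ^= 1 << (bit % 8)

def simulate(pattern):
    """Constructed scenario: aggressor row 3 corrupts one bit in neighbouring row 2."""
    dram = new_dram()
    tags = tag_all(dram)
    if pattern == "rowhammer":
        activations = {3: 200_000}  # many short activations of the aggressor
    else:  # "rowpress": few activations, each keeping the row open for a long time
        activations = {3: 50}
    flip_bit(dram, 2, 17)
    return {"counter_flags_aggressor": 3 in counter_mitigation(activations),
            "csi_flags_victim": csi_check(dram, tags) == [2]}

def clean_check():
    """No false positives: untouched memory verifies against its tags."""
    dram = new_dram()
    return csi_check(dram, tag_all(dram))
```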

In our second paper, PressHammer, we further investigate RowPress and compare it to one-location Rowhammer. One-location Rowhammer appears to be very similar to RowPress. However, the analyses in the two respective papers come to different conclusions on the underlying effect that causes bit flips. In PressHammer, we show that both papers are in fact right: one-location Rowhammer causes bit flips due to both effects simultaneously. Finally, we show the first exploit on operating system page tables using the RowPress pattern. It requires only very little knowledge about the DRAM mapping, which we reverse engineer using a side channel. We can exploit a system in under 10 minutes on average.
Period: 16 Jul 2024
Event title: SAFARI Live Seminars
Event type: Seminar
Location: Zürich, Switzerland
Degree of Recognition: International