Projects per year
Abstract
In cloud computing environments, multiple tenants are often co-located on the same multi-processor system. Thus, preventing information leakage between tenants is crucial.
While the hypervisor enforces software isolation, shared hardware, such as the CPU cache or memory bus, can leak sensitive information.
For security reasons, shared memory between tenants is typically disabled. Furthermore, tenants often do not share a physical CPU.
In this setting, cache attacks do not work and only a slow cross-CPU covert channel over the memory bus is known.
In contrast, we demonstrate a high-speed covert channel as well as the first side-channel attack working across processors and without any shared memory. To build these attacks, we use the undocumented DRAM address mappings.
We present two methods to reverse engineer the mapping of memory addresses to DRAM channels, ranks, and banks. One uses physical probing of the memory bus, the other runs entirely in software and is fully automated.
Using this mapping, we introduce DRAMA attacks, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems.
Thus, our attacks work in the most restrictive environments.
First, we build a covert channel with a capacity of up to 2\,Mbps, which is three to four orders of magnitude faster than memory-bus-based channels.
Second, we build a side-channel template attack that can automatically locate and monitor memory accesses.
Third, we show how using the DRAM mappings improves existing attacks and in particular enables practical Rowhammer attacks on DDR4.
While the hypervisor enforces software isolation, shared hardware, such as the CPU cache or memory bus, can leak sensitive information.
For security reasons, shared memory between tenants is typically disabled. Furthermore, tenants often do not share a physical CPU.
In this setting, cache attacks do not work and only a slow cross-CPU covert channel over the memory bus is known.
In contrast, we demonstrate a high-speed covert channel as well as the first side-channel attack working across processors and without any shared memory. To build these attacks, we use the undocumented DRAM address mappings.
We present two methods to reverse engineer the mapping of memory addresses to DRAM channels, ranks, and banks. One uses physical probing of the memory bus, the other runs entirely in software and is fully automated.
Using this mapping, we introduce DRAMA attacks, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems.
Thus, our attacks work in the most restrictive environments.
First, we build a covert channel with a capacity of up to 2\,Mbps, which is three to four orders of magnitude faster than memory-bus-based channels.
Second, we build a side-channel template attack that can automatically locate and monitor memory accesses.
Third, we show how using the DRAM mappings improves existing attacks and in particular enables practical Rowhammer attacks on DDR4.
Original language | English |
---|---|
Title of host publication | Proceedings of the 25th USENIX Security Symposium |
Pages | 565-581 |
Number of pages | 18 |
ISBN (Electronic) | 978 -1- 931971-32- 4 |
Publication status | Published - 2016 |
Fingerprint
Dive into the research topics of 'DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks'. Together they form a unique fingerprint.Projects
- 2 Finished
-
MEMSEC - Embedded Memory Security Unit for Automotive Test Systems
1/09/14 → 31/08/17
Project: Research project
-
Matthew - Multi-entity-security using active Transmission Technology for improved - Handling of Exportable security credentials Without privacy restrictions
Hanser, C., Wenger, E., Korak, T., Groß, H., Mangard, S. & Unterluggauer, T.
1/11/13 → 31/10/16
Project: Research project