Nethammer: Inducing Rowhammer Faults through Network Requests: Inducing Rowhammer Faults through Network Requests

Moritz Lipp; Michael Schwarz; Lukas Raab; Lukas Lamster; Misiker Tadesse Aga; Clementine Maurice; Daniel Gruss

doi:10.1109/EuroSPW51379.2020.00102

Nethammer: Inducing Rowhammer Faults through Network Requests: Inducing Rowhammer Faults through Network Requests

Moritz Lipp, Michael Schwarz, Lukas Raab, Lukas Lamster, Misiker Tadesse Aga, Clementine Maurice, Daniel Gruss

Institute of Applied Information Processing and Communications (7050)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

In this paper, we present Nethammer, a remote Rowhammer attack without a single attacker-controlled line of code on the targeted system, i.e., not even JavaScript. Nethammer works on commodity consumer-grade systems that either are protected with quality-of-service techniques like Intel CAT or that use uncached memory, flush instructions, or non-temporal instructions while handling network requests (e.g., for interaction with the network device). We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. Our evaluation showed that depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, i.e., persistent denial of service. We invalidate threat models of Rowhammer defenses building upon the assumption of a local attacker. Consequently, we show that most state-of-the-art defenses have no effect on our attack. In particular, we demonstrate that target-row-refresh (TRR) implemented in DDR4 has no aggravating effect on local or remote Rowhammer attacks.

Original language	English
Title of host publication	2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
Publisher	Institute of Electrical and Electronics Engineers
Pages	710-719
Number of pages	10
ISBN (Electronic)	9781728185972
DOIs	https://doi.org/10.1109/EuroSPW51379.2020.00102
Publication status	Published - Sept 2020
Event	5th IEEE European Symposium on Security and Privacy: SILM Workshop - Virtual, Italy Duration: 7 Sept 2020 → 11 Sept 2020

Conference

Conference	5th IEEE European Symposium on Security and Privacy
Abbreviated title	EuroS&P 2020
Country/Territory	Italy
City	Virtual
Period	7/09/20 → 11/09/20

Keywords

Fault Attack
Rowhammer
TRR

ASJC Scopus subject areas

Computer Networks and Communications
Information Systems and Management
Safety, Risk, Reliability and Quality

Access to Document

10.1109/EuroSPW51379.2020.00102

Cite this

Lipp, M., Schwarz, M., Raab, L., Lamster, L., Aga, M. T., Maurice, C., & Gruss, D. (2020). Nethammer: Inducing Rowhammer Faults through Network Requests: Inducing Rowhammer Faults through Network Requests. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 710-719). Article 9229701 Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/EuroSPW51379.2020.00102

Nethammer: Inducing Rowhammer Faults through Network Requests: Inducing Rowhammer Faults through Network Requests. / Lipp, Moritz; Schwarz, Michael; Raab, Lukas et al.
2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). Institute of Electrical and Electronics Engineers, 2020. p. 710-719 9229701.

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Lipp, M, Schwarz, M, Raab, L, Lamster, L, Aga, MT, Maurice, C & Gruss, D 2020, Nethammer: Inducing Rowhammer Faults through Network Requests: Inducing Rowhammer Faults through Network Requests. in 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)., 9229701, Institute of Electrical and Electronics Engineers, pp. 710-719, 5th IEEE European Symposium on Security and Privacy, Virtual, Italy, 7/09/20. https://doi.org/10.1109/EuroSPW51379.2020.00102

@inproceedings{c3cb5cbe1fee432a925e79a78e58c1e0,

title = "Nethammer: Inducing Rowhammer Faults through Network Requests: Inducing Rowhammer Faults through Network Requests",

abstract = "In this paper, we present Nethammer, a remote Rowhammer attack without a single attacker-controlled line of code on the targeted system, i.e., not even JavaScript. Nethammer works on commodity consumer-grade systems that either are protected with quality-of-service techniques like Intel CAT or that use uncached memory, flush instructions, or non-temporal instructions while handling network requests (e.g., for interaction with the network device). We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. Our evaluation showed that depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, i.e., persistent denial of service. We invalidate threat models of Rowhammer defenses building upon the assumption of a local attacker. Consequently, we show that most state-of-the-art defenses have no effect on our attack. In particular, we demonstrate that target-row-refresh (TRR) implemented in DDR4 has no aggravating effect on local or remote Rowhammer attacks.",

keywords = "Fault Attack, Rowhammer, TRR",

author = "Moritz Lipp and Michael Schwarz and Lukas Raab and Lukas Lamster and Aga, {Misiker Tadesse} and Clementine Maurice and Daniel Gruss",

year = "2020",

month = sep,

doi = "10.1109/EuroSPW51379.2020.00102",

language = "English",

pages = "710--719",

booktitle = "2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)",

publisher = "Institute of Electrical and Electronics Engineers",

address = "United States",

note = "5th IEEE European Symposium on Security and Privacy : SILM Workshop , EuroS&P 2020 ; Conference date: 07-09-2020 Through 11-09-2020",

}

TY - GEN

T1 - Nethammer: Inducing Rowhammer Faults through Network Requests

T2 - 5th IEEE European Symposium on Security and Privacy

AU - Lipp, Moritz

AU - Schwarz, Michael

AU - Raab, Lukas

AU - Lamster, Lukas

AU - Aga, Misiker Tadesse

AU - Maurice, Clementine

AU - Gruss, Daniel

PY - 2020/9

Y1 - 2020/9

N2 - In this paper, we present Nethammer, a remote Rowhammer attack without a single attacker-controlled line of code on the targeted system, i.e., not even JavaScript. Nethammer works on commodity consumer-grade systems that either are protected with quality-of-service techniques like Intel CAT or that use uncached memory, flush instructions, or non-temporal instructions while handling network requests (e.g., for interaction with the network device). We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. Our evaluation showed that depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, i.e., persistent denial of service. We invalidate threat models of Rowhammer defenses building upon the assumption of a local attacker. Consequently, we show that most state-of-the-art defenses have no effect on our attack. In particular, we demonstrate that target-row-refresh (TRR) implemented in DDR4 has no aggravating effect on local or remote Rowhammer attacks.

AB - In this paper, we present Nethammer, a remote Rowhammer attack without a single attacker-controlled line of code on the targeted system, i.e., not even JavaScript. Nethammer works on commodity consumer-grade systems that either are protected with quality-of-service techniques like Intel CAT or that use uncached memory, flush instructions, or non-temporal instructions while handling network requests (e.g., for interaction with the network device). We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. Our evaluation showed that depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, i.e., persistent denial of service. We invalidate threat models of Rowhammer defenses building upon the assumption of a local attacker. Consequently, we show that most state-of-the-art defenses have no effect on our attack. In particular, we demonstrate that target-row-refresh (TRR) implemented in DDR4 has no aggravating effect on local or remote Rowhammer attacks.

KW - Fault Attack

KW - Rowhammer

KW - TRR

UR - http://www.scopus.com/inward/record.url?scp=85097050725&partnerID=8YFLogxK

U2 - 10.1109/EuroSPW51379.2020.00102

DO - 10.1109/EuroSPW51379.2020.00102

M3 - Conference paper

AN - SCOPUS:85097050725

SP - 710

EP - 719

BT - 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

PB - Institute of Electrical and Electronics Engineers

Y2 - 7 September 2020 through 11 September 2020

ER -

Nethammer: Inducing Rowhammer Faults through Network Requests: Inducing Rowhammer Faults through Network Requests

Abstract

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Dessnet - Dependable, secure and time-aware sensor networks

EU - SOPHIA - Securing Software against Physical Attacks

Cite this

Nethammer: Inducing Rowhammer Faults through Network Requests: Inducing Rowhammer Faults through Network Requests

Abstract

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Projects

Dessnet - Dependable, secure and time-aware sensor networks

EU - SOPHIA - Securing Software against Physical Attacks

Cite this