Abstract
Modern DRAM is susceptible to fault attacks that undermine the entire system’s security. The most well-studied disturbance effect is Rowhammer, where an attacker repeatedly opens and closes (i.e., hammers) different rows, which can lead to bitflips in adjacent rows. Different hammering strategies include double-sided, hammering two rows sandwiching a victim row, and one-location, hammering a single row.
One-location Rowhammer requires no physical address information, as any location in memory is mapped to a DRAM row, and no relation between rows is required for hammering. The recently discovered Rowpress differs from Rowhammer by not hammering rows but keeping them open longer, evident by a disjoint set of affected memory locations.
In this paper, we examine the differences between four attack variants: one-location Rowhammer, a one-location Rowpress variant we developed, double-sided Rowhammer, and double-sided Rowpress on a set of 12 DDR4 modules. Our methodology is to hammer and press the exact same set of physical memory locations in all attack variants. Surprisingly, our results show that on 4 out of 12 DDR4 modules, we were only able to reproduce double-sided Rowhammer but none of the other attack variants. On 2 DDR4 modules, we were able to reproduce all attack variants. We find that the number of unique bitflip locations ranges from 161 to 15 612, when hammering the exact same set of physical memory locations. Our one-location Rowhammer attack induces roughly the same amount of bitflips as double-sided Rowhammer, however, only 61.8 % of bitflip locations overlap. We explain this by one-location Rowhammer inducing bitflips due to the Rowhammer as well as the Rowpress effect, making the differentiation of both methods difficult, therefore, calling it Presshammer. Based on our observed bitflips, we develop the first end-to-end one-location Rowpress attack. One-location Rowpress requires only minimal physical address information that an attacker can acquire through a same-row same-bank side-channel attack. Our end-to-end attack escalates to kernel privileges within less than 10 minutes.
Original language | English |
---|---|
Title of host publication | Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA) |
Publisher | Springer Vieweg |
Number of pages | 20 |
Publication status | Submitted - 17 Jul 2024 |
Event | 21st Conference on Detection of Intrusions and Malware & Vulnerability Assessment: DIMVA 2024 - EPFL, Lausanne, Switzerland. Duration: 17 Jul 2024 → 19 Jul 2024. https://www.dimva.org/dimva2024/ |
Conference
Conference | 21st Conference on Detection of Intrusions and Malware & Vulnerability Assessment |
---|---|
Abbreviated title | DIMVA 2024 |
Country/Territory | Switzerland |
City | Lausanne |
Period | 17/07/24 → 19/07/24 |
Internet address |
Fields of Expertise
- Information, Communication & Computing
Projects
- 2 Active
-
Special Research Area (SFB) F85 Semantic and Cryptographic Foundations of Security and Privacy by Compositional Design
1/01/23 → 31/12/26
Project: Research project
-
Presshammer: Rowhammer and Rowpress without Physical Address Information
Jonas Juffinger (Speaker)
19 Jul 2024
Activity: Talk or presentation › Talk at conference or symposium › Science to science
-
Exploiting RowPress and RowHammer and How To Defend Against It
Jonas Juffinger (Speaker)
16 Jul 2024
Activity: Talk or presentation › Talk at workshop, seminar or course › Science to science