Intrinsic Rowhammer PUFs: Leveraging the Rowhammer Effect for Improved Security

Intrinsic Rowhammer PUFs: Leveraging the Rowhammer Effect for Improved Security

Physically Unclonable Functions (PUFs) have become an important and promising hardware primitive for device fingerprinting, device identification, or key storage. Intrinsic PUFs leverage components already found in existing devices, unlike extrinsic silicon PUFs, which are based on customized circuits that involve modification of hardware. In this work, we present a new type of a memory-based intrinsic PUF, which leverages the Rowhammer effect in DRAM modules – the Rowhammer PUF. Our PUF makes use of bit flips, which occur in DRAM cells due to rapid and repeated access of DRAM rows. Prior research has mainly focused on Rowhammer attacks, where the Rowhammer effect is used to illegitimately alter data stored in memory, e.g., to change page table entries or enable privilege escalation attacks. Meanwhile, this is the first work to use the Rowhammer effect in a positive context – to design a novel PUF. We extensively evaluate the Rowhammer PUF using commercial, off-the-shelf devices, not relying on custom hardware or an FPGA-based setup. The evaluation shows that the Rowhammer PUF holds required properties needed for the envisioned security applications, and could be deployed today.


The mysterious case of the Linux Page Table Isolation patches

WordPress chokes on this Tumbler.com-based document; please click on the URLs in the below tweets to reach article.

The mysterious case of the Linux Page Table Isolation patches

tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.

See-also: https://firmwaresecurity.com/2017/12/07/tu-graz-story-on-rowhammer/


TU Graz story on rowhammer

TU Graz News
When rowhammer only knocks once
04 Dec 2017 | Planet Research | FoE Information, Communication & Computing
By Birgit Baustädter
Rowhammer attacks make use of hardware vulnerabilities in order to access computer systems. TU Graz researchers have discovered a new type of attack – and raise questions about protective mechanisms. There is a huge computer screen with a lot of words on it. In the background there are four men. The research team with Michael Schwarz (left), Daniel Gruss (second from left) and Moritz Lipp (right) as well as working group leader Stefan Mangard.“When a system is regarded as absolutely safe, our curiosity is awakened,” explains Daniel Gruss from the Institute of Applied Information Processing and Communication Technology at TU Graz. As part of the Secure Systems working group, the researcher is occupied with the security of IT systems and in particular rowhammer attacks. Together with colleagues Michael Schwarz and Moritz Lipp, he has recently published research results which have generated excitement in the community to say the least and possibly may lead to a complete rethink.[…]



There is a huge computer screen with a lot of words on it. In the background there are four men.


Hammertime: rowhammer testing/profiling/simulating suite

Hammertime: a software suite for testing, profiling and simulating the rowhammer DRAM defect. Includes the following components:
* libramses: a library that handles address translation for the entire memory stack.
* libperfev-util: a library providing a more human-friendly interface to Linux’s performance event API.
* Probes for monitoring memory access behaviour of running programs.
* Predictors that decide whether a certain memory access behaviour triggers rowhammer.
* Glue code to tie all this together and effect bit flips in memory.
* Fliptables: example profiles of rowhammer-vulnerable DRAM chips, usable by a dedicated predictor.
* Various cool tools and utilities:
+ tools/profile: a tool to test a running system’s vulnerability to rowhammer.
+ py/prettyprofile.py converts a profile output into something more human-friendly.
+ py/hammerprof.py converts a profile output into a fliptable.
+ py/common_flips.py processes multiple profile results selecting only bit flips common to all. Useful for finding bit flips that can be reliably triggered.
+ py/pyramses is a Python interface to libramses.
+ py/hammertime/ contains Python interfaces to work with profile results and fliptables.
+ py/hammertime/estimate.py is a framework for rapidly estimating Rowhammer attack effectiveness, based on exploit models and profile results.
+ ramses/tools/msys_detect.py is an interactive tool for detecting current system memory configuration.




Wow, there are a lot of Rowhammer stories in the news recently.



Drammer: Flip Feng Shui Goes Mobile





Jacob Torrey: coding in a post-Rowhammer world

Jacob Torrey has a presentation on ROWHAMMER:

[…] Earlier this year at TROOPERS I presented on how many tenets of the LangSec theories could be integrated into a modern SDLC through providing a framework for “verification-oriented programming”. This idea revolved around the notion that “to err is human, to be caught at compile-time (or as close to it as possible) divine”, and that developers are going to make mistakes, but a good SDLC should be able to catch those bugs rapidly. […]