— Onur Mutlu (@_onurmutlu_) December 13, 2018
Where many people thought that high-end servers were safe from the (unpatchable) Rowhammer bitflip vulnerability in memory chips, new research from VUSec, the security group at Vrije Universiteit Amsterdam, shows that this is not the case. Since prominent security researchers and companies have suggested that ECC provides pretty good protection [1,2,3], and exploitable bitflips on ECC memory are seen by many as the “unholy grail” for Rowhammer attacks, the new attack to reliably flip bits that completely bypass ECC protection is a major step forward in Rowhammer research.[…]
This is a 3-year-old tool, I just noticed. it. 😦
Google has created rowhammer-test to help with Rowhammer detection. Currently it works on Linux and Mac on Intel systems.
There’s also a mailing list for related discussions.
Nethammer: Inducing Rowhammer Faults through Network Requests
(Submitted on 13 May 2018)
A fundamental assumption in software security is that memory contents do not change unless there is a legitimate deliberate modification. Classical fault attacks show that this assumption does not hold if the attacker has physical access. Rowhammer attacks showed that local code execution is already sufficient to break this assumption. Rowhammer exploits parasitic effects in DRAM to modify the content of a memory cell without accessing it. Instead, other memory locations are accessed at a high frequency. All Rowhammer attacks so far were local attacks, running either in a scripted language or native code. In this paper, we present Nethammer. Nethammer is the first truly remote Rowhammer attack, without a single attacker-controlled line of code on the targeted system. Systems that use uncached memory or flush instructions while handling network requests, e.g., for interaction with the network device, can be attacked using Nethammer. Other systems can still be attacked if they are protected with quality-of-service techniques like Intel CAT. We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. We evaluated different bit flip scenarios. Depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, i.e., persistent denial of service. We investigated Nethammer on personal computers, servers, and mobile phones. Nethammer is a security landslide, making the formerly local attack a remote attack.
What is GLitch?
GLitch is one part of our series of Rowhammer attacks. We started by breaking the EDGE browser and the cloud. Then we moved towards Android devices showing how to root them with bit flips. This time we wanted to show that also mobile phones can be attacked remotely via the browser.
Meet GLitch: the first instance of a remote Rowhammer exploit on ARM Android devices. This makes it possible for an attacker who controls a malicious website to get remote code execution on a smartphone without relying on any software bug.
You want to know what makes this attack even cooler? It is carried out by the GPU. This is the first GPU-accelerated Rowhammer attack.[…]
Intrinsic Rowhammer PUFs: Leveraging the Rowhammer Effect for Improved Security
Physically Unclonable Functions (PUFs) have become an important and promising hardware primitive for device fingerprinting, device identification, or key storage. Intrinsic PUFs leverage components already found in existing devices, unlike extrinsic silicon PUFs, which are based on customized circuits that involve modification of hardware. In this work, we present a new type of a memory-based intrinsic PUF, which leverages the Rowhammer effect in DRAM modules – the Rowhammer PUF. Our PUF makes use of bit flips, which occur in DRAM cells due to rapid and repeated access of DRAM rows. Prior research has mainly focused on Rowhammer attacks, where the Rowhammer effect is used to illegitimately alter data stored in memory, e.g., to change page table entries or enable privilege escalation attacks. Meanwhile, this is the first work to use the Rowhammer effect in a positive context – to design a novel PUF. We extensively evaluate the Rowhammer PUF using commercial, off-the-shelf devices, not relying on custom hardware or an FPGA-based setup. The evaluation shows that the Rowhammer PUF holds required properties needed for the envisioned security applications, and could be deployed today.
WordPress chokes on this Tumbler.com-based document; please click on the URLs in the below tweets to reach article.
The mysterious case of the Linux Page Table Isolation patches
tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.
TU Graz News
When rowhammer only knocks once
04 Dec 2017 | Planet Research | FoE Information, Communication & Computing
By Birgit Baustädter
Rowhammer attacks make use of hardware vulnerabilities in order to access computer systems. TU Graz researchers have discovered a new type of attack – and raise questions about protective mechanisms. There is a huge computer screen with a lot of words on it. In the background there are four men. The research team with Michael Schwarz (left), Daniel Gruss (second from left) and Moritz Lipp (right) as well as working group leader Stefan Mangard.“When a system is regarded as absolutely safe, our curiosity is awakened,” explains Daniel Gruss from the Institute of Applied Information Processing and Communication Technology at TU Graz. As part of the Secure Systems working group, the researcher is occupied with the security of IT systems and in particular rowhammer attacks. Together with colleagues Michael Schwarz and Moritz Lipp, he has recently published research results which have generated excitement in the community to say the least and possibly may lead to a complete rethink.[…]
Hammertime: a software suite for testing, profiling and simulating the rowhammer DRAM defect. Includes the following components:
* libramses: a library that handles address translation for the entire memory stack.
* libperfev-util: a library providing a more human-friendly interface to Linux’s performance event API.
* Probes for monitoring memory access behaviour of running programs.
* Predictors that decide whether a certain memory access behaviour triggers rowhammer.
* Glue code to tie all this together and effect bit flips in memory.
* Fliptables: example profiles of rowhammer-vulnerable DRAM chips, usable by a dedicated predictor.
* Various cool tools and utilities:
+ tools/profile: a tool to test a running system’s vulnerability to rowhammer.
+ py/prettyprofile.py converts a profile output into something more human-friendly.
+ py/hammerprof.py converts a profile output into a fliptable.
+ py/common_flips.py processes multiple profile results selecting only bit flips common to all. Useful for finding bit flips that can be reliably triggered.
+ py/pyramses is a Python interface to libramses.
+ py/hammertime/ contains Python interfaces to work with profile results and fliptables.
+ py/hammertime/estimate.py is a framework for rapidly estimating Rowhammer attack effectiveness, based on exploit models and profile results.
+ ramses/tools/msys_detect.py is an interactive tool for detecting current system memory configuration.
Click on URL in tweet for article.
Wow, there are a lot of Rowhammer stories in the news recently.
Jacob Torrey has a presentation on ROWHAMMER:
[…] Earlier this year at TROOPERS I presented on how many tenets of the LangSec theories could be integrated into a modern SDLC through providing a framework for “verification-oriented programming”. This idea revolved around the notion that “to err is human, to be caught at compile-time (or as close to it as possible) divine”, and that developers are going to make mistakes, but a good SDLC should be able to catch those bugs rapidly. […]
Catalin Cimpanu has a story in Softpedia about a new use of Rowhammer:
New FFS Rowhammer Attack Hijacks Linux VMs: Attack was successful in tests against Debian and Ubuntu
Researchers from the Vrije University in the Netherlands have revealed a new version of the infamous Rowhammer attack that is effective in compromising Linux VMs, often used for cloud hosting services. The Rowhammer attack was discovered two years ago and caused a lot of stir when researchers disclosed it because it showed how, by bombarding a row of memory cells, an attacker could reverse binary zeros into ones and vice versa. […]
“DRAMA Reverse-Engineering Tool and Side-Channel Tools
This repository contains several tools to reverse engineer the undocument DRAM addressing functions on Intel CPUs. These DRAM addressing functions uncovered a new side channel, enabling DRAMA (DRAM addressing) attacks. These attacks exploit the DRAM row buffer that is shared, even in multi-processor systems. Apart from that our attack improves Rowhammer attacks and enabled the first successful Rowhammer attacks on DDR4 memory.
The “DRAMA” paper by Pessl, Gruss, Maurice, Schwarz, and Mangard will be published at the Usenix Security Symposium 2016.”
There’s a new research paper on using Deduplication and Rowhammer against Windows. Abstract:
A Tale of Two Hammers: A Brief Rowhammer Analysis of AMD vs. Intel
Mark Lanteigne, CTO and Founder, Third I/O Inc.
This is the first addendum to Third I/O’s March 2016 Rowhammer report.
Anders Fogh has a new blog post with a concise summary of Rowhammer:
Row hammer the short summary: I resonantly realized how much stuff was published on the row hammer and how much I was missing a short summary. So I wrote one and you are now reading the result. The summary is moderately technical and is kept short with intend. I may or may not update this post – but please let me know if you think I missed something important. There will be no new results here. Short version of how dram works. […]