TU Graz story on rowhammer

TU Graz News
When rowhammer only knocks once
04 Dec 2017 | Planet Research | FoE Information, Communication & Computing
By Birgit Baustädter
Rowhammer attacks make use of hardware vulnerabilities in order to access computer systems. TU Graz researchers have discovered a new type of attack – and raise questions about protective mechanisms.

The research team with Michael Schwarz (left), Daniel Gruss (second from left) and Moritz Lipp (right) as well as working group leader Stefan Mangard.

“When a system is regarded as absolutely safe, our curiosity is awakened,” explains Daniel Gruss from the Institute of Applied Information Processing and Communication Technology at TU Graz. As part of the Secure Systems working group, the researcher is occupied with the security of IT systems and in particular rowhammer attacks. Together with colleagues Michael Schwarz and Moritz Lipp, he has recently published research results which have generated excitement in the community to say the least and possibly may lead to a complete rethink.[…]





Hammertime: rowhammer testing/profiling/simulating suite

Hammertime: a software suite for testing, profiling and simulating the rowhammer DRAM defect. Includes the following components:
* libramses: a library that handles address translation for the entire memory stack.
* libperfev-util: a library providing a more human-friendly interface to Linux’s performance event API.
* Probes for monitoring memory access behaviour of running programs.
* Predictors that decide whether a certain memory access behaviour triggers rowhammer.
* Glue code to tie all this together and effect bit flips in memory.
* Fliptables: example profiles of rowhammer-vulnerable DRAM chips, usable by a dedicated predictor.
* Various cool tools and utilities:
  + tools/profile: a tool to test a running system’s vulnerability to rowhammer.
  + py/prettyprofile.py converts a profile output into something more human-friendly.
  + py/hammerprof.py converts a profile output into a fliptable.
  + py/common_flips.py processes multiple profile results selecting only bit flips common to all. Useful for finding bit flips that can be reliably triggered.
  + py/pyramses is a Python interface to libramses.
  + py/hammertime/ contains Python interfaces to work with profile results and fliptables.
  + py/hammertime/estimate.py is a framework for rapidly estimating Rowhammer attack effectiveness, based on exploit models and profile results.
  + ramses/tools/msys_detect.py is an interactive tool for detecting current system memory configuration.




Wow, there are a lot of Rowhammer stories in the news recently.



Drammer: Flip Feng Shui Goes Mobile





Jacob Torrey: coding in a post-Rowhammer world

Jacob Torrey has a presentation on ROWHAMMER:

[…] Earlier this year at TROOPERS I presented on how many tenets of the LangSec theories could be integrated into a modern SDLC through providing a framework for “verification-oriented programming”. This idea revolved around the notion that “to err is human, to be caught at compile-time (or as close to it as possible) divine”, and that developers are going to make mistakes, but a good SDLC should be able to catch those bugs rapidly. […]




New Linux VM Rowhammer attack

Catalin Cimpanu has a story in Softpedia about a new use of Rowhammer:

New FFS Rowhammer Attack Hijacks Linux VMs: Attack was successful in tests against Debian and Ubuntu

Researchers from the Vrije University in the Netherlands have revealed a new version of the infamous Rowhammer attack that is effective in compromising Linux VMs, often used for cloud hosting services. The Rowhammer attack was discovered two years ago and caused a lot of stir when researchers disclosed it because it showed how, by bombarding a row of memory cells, an attacker could reverse binary zeros into ones and vice versa. […]




“DRAMA Reverse-Engineering Tool and Side-Channel Tools

This repository contains several tools to reverse engineer the undocumented DRAM addressing functions on Intel CPUs. These DRAM addressing functions uncovered a new side channel, enabling DRAMA (DRAM addressing) attacks. These attacks exploit the DRAM row buffer that is shared, even in multi-processor systems. Apart from that, our attack improves Rowhammer attacks and enabled the first successful Rowhammer attacks on DDR4 memory.

The “DRAMA” paper by Pessl, Gruss, Maurice, Schwarz, and Mangard will be published at the Usenix Security Symposium 2016.”