Code available for new rowhammer research

More on this recent research:

The source is a single C++ file (not Javascript, like the Github project name hints at), built targets for Sandy/Ivy/Haswell/Skylake, works on 64-bit Linux. Usage:

# ./rowhammer[-architecture] [-t nsecs] [-p percent] [-c cores] [-d dimms] [-r row] [-f first_offset] [-s second_offset]
    ”-c” the number of cores (only important with ”#define EVICTION_BASED”)
    ”-p” percent of memory to use
    ”-d” number of dimms (very important)
    ”-r” loop only over the specified row
    ”-f” only test addresses with the specified first aggressor offset
    ”-s” only test addresses with the specified second aggressor offset



Skylake and Rowhammer


Reverse Engineering Intel DRAM Addressing and Exploitation
Peter Pessl, Daniel Gruss, Clémentine Maurice, Michael Schwarz, Stefan Mangard

In this paper, we present a method to reverse engineer DRAM addressing functions based on a physical bus probing. Second, we present an automatic and generic method to reverse engineer DRAM addressing functions merely from performing a timing attack. This timing attack can be performed on any system without privileges and even in virtual machines to derive information about the mapping to physical DRAM channels, ranks and banks. We reversed the complex adressing functions on a diverse set of Intel processors and DRAM configurations. Our work enables side-channel attacks and covert channels based on inner-bank row conflicts and overlaps. Thus, our attack does not exploit the CPU as a shared resource, but only the DRAM that might even be shared across multiple CPUs. We demonstrate the power of such attacks by implementing a high speed covert channel that achieves transmission rates of up to 1.5Mb/s, which is three orders of magnitude faster than current covert channels on main memory. Finally, we show how our results can be used to increase the efficiency of the Rowhammer attack significantly by reducing the search space by a factor of up to 16384.

rowhammer and unnamed memory vendors

“We had anonymous contact offering to act as a go between between us and unnamed memory companies, with a view to paying us not release the new version of MemTest86. Who knows how serious the offer was.”