Open Access Proceedings Article
DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks
Peter Pessl, Daniel Gruss, Clémentine Maurice, Michael Schwarz, Stefan Mangard
- pp 565-581
TL;DR: In this article, the undocumented mapping of memory addresses to DRAM channels, ranks, and banks is reverse engineered, and a new class of attacks, DRAMA attacks, is presented.
Abstract:
In cloud computing environments, multiple tenants are often co-located on the same multi-processor system. Thus, preventing information leakage between tenants is crucial. While the hypervisor enforces software isolation, shared hardware, such as the CPU cache or memory bus, can leak sensitive information. For security reasons, shared memory between tenants is typically disabled. Furthermore, tenants often do not share a physical CPU. In this setting, cache attacks do not work and only a slow cross-CPU covert channel over the memory bus is known. In contrast, we demonstrate a high-speed covert channel as well as the first side-channel attack working across processors and without any shared memory. To build these attacks, we use the undocumented DRAM address mappings. We present two methods to reverse engineer the mapping of memory addresses to DRAM channels, ranks, and banks. One uses physical probing of the memory bus, the other runs entirely in software and is fully automated. Using this mapping, we introduce DRAMA attacks, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems. Thus, our attacks work in the most restrictive environments. First, we build a covert channel with a capacity of up to 2Mbps, which is three to four orders of magnitude faster than memory-bus-based channels. Second, we build a side-channel template attack that can automatically locate and monitor memory accesses. Third, we show how using the DRAM mappings improves existing attacks and in particular enables practical Rowhammer attacks on DDR4.
Citations
Proceedings Article
Spectre Attacks: Exploiting Speculative Execution
Paul C. Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom
TL;DR: Spectre, as described in this paper, is a side-channel attack that can leak the victim's confidential information to the adversary and can read arbitrary memory from a victim's process.
Book Chapter
Malware Guard Extension: Using SGX to Conceal Cache Attacks
TL;DR: Intel SGX provides a mechanism that addresses this scenario and aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers.
Journal Article
A survey of microarchitectural timing attacks and countermeasures on contemporary hardware
TL;DR: This work surveys recent attacks that exploit microarchitectural features in shared hardware, especially as they are relevant for cloud computing, and classifies types of attacks according to a taxonomy of the shared resources leveraged for such attacks.
Proceedings Article
Drammer: Deterministic Rowhammer Attacks on Mobile Platforms
Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clémentine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida
TL;DR: It is shown that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses, and the first Rowhammer-based Android root exploit is presented, relying on no software vulnerability, and requiring no user permissions.
Proceedings Article
Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
Wenhao Wang, Guoxing Chen, Xiaorui Pan, Yinqian Zhang, XiaoFeng Wang, Vincent Bindschaedler, Haixu Tang, Carl A. Gunter
TL;DR: The research identifies 8 potential attack vectors of Intel SGX and highlights the common misunderstandings about SGX memory side channels, demonstrating that high-frequency AEXs can be avoided when recovering an EdDSA secret key through a new page channel, and that fine-grained monitoring of enclave programs can be done by combining both cache and cross-enclave DRAM channels.
References
Proceedings Article
FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack
Yuval Yarom, Katrina Falkner
TL;DR: This paper presents FLUSH+RELOAD, a cache side-channel attack technique that exploits a weakness in the Intel X86 processors to monitor access to memory lines in shared pages and recovers 96.7% of the bits of the secret key by observing a single signature or decryption round.
Journal Article
Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors
Yoongu Kim, Ross Daly, Jeremie S. Kim, Chris Fallin, Ji-Hye Lee, Donghyuk Lee, Christopher B. Wilkerson, Konrad K. Lai, Onur Mutlu
TL;DR: This paper exposes the vulnerability of commodity DRAM chips to disturbance errors, and shows that it is possible to corrupt data in nearby addresses by reading from the same address in DRAM, thereby activating the same row in DRAM.
Proceedings Article
Last-Level Cache Side-Channel Attacks are Practical
TL;DR: This work presents an effective implementation of the Prime+Probe side-channel attack against the last-level cache of GnuPG, and achieves a high attack resolution without relying on weaknesses in the OS or virtual machine monitor or on sharing memory between attacker and victim.
Proceedings Article
Cross-VM side channels and their use to extract private keys
TL;DR: This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer, and demonstrates the attack in a lab setting by extracting an ElGamal decryption key from a victim using the most recent version of the libgcrypt cryptographic library.
Book Chapter
Flush+Flush: A Fast and Stealthy Cache Attack
TL;DR: The Flush+Flush attack, as described in this paper, uses the execution time of the flush instruction, which depends on whether data is cached or not, to reduce the number of cache misses.