DOI: 10.5555/3241094.3241139

DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks

Published: 10 August 2016

Abstract

In cloud computing environments, multiple tenants are often co-located on the same multi-processor system. Thus, preventing information leakage between tenants is crucial. While the hypervisor enforces software isolation, shared hardware, such as the CPU cache or memory bus, can leak sensitive information. For security reasons, shared memory between tenants is typically disabled. Furthermore, tenants often do not share a physical CPU. In this setting, cache attacks do not work and only a slow cross-CPU covert channel over the memory bus is known. In contrast, we demonstrate a high-speed covert channel as well as the first side-channel attack working across processors and without any shared memory. To build these attacks, we use the undocumented DRAM address mappings.
We present two methods to reverse engineer the mapping of memory addresses to DRAM channels, ranks, and banks. One uses physical probing of the memory bus, the other runs entirely in software and is fully automated. Using this mapping, we introduce DRAMA attacks, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems. Thus, our attacks work in the most restrictive environments. First, we build a covert channel with a capacity of up to 2 Mbps, which is three to four orders of magnitude faster than memory-bus-based channels. Second, we build a side-channel template attack that can automatically locate and monitor memory accesses. Third, we show how using the DRAM mappings improves existing attacks and in particular enables practical Rowhammer attacks on DDR4.

Published In

SEC'16: Proceedings of the 25th USENIX Conference on Security Symposium
August 2016
1240 pages
ISBN:9781931971324

Sponsors

  • Google Inc.
  • NSF
  • Microsoft
  • Facebook
  • CISCO

Publisher

USENIX Association

United States

Qualifiers

  • Article
