Defeating software mitigations against rowhammer: A surgical precision hammer

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

Abstract

With software becoming harder to compromise due to modern defenses, attackers are increasingly looking at exploiting hardware vulnerabilities such as Rowhammer. In response, the research community has developed several software defenses to protect existing hardware against this threat. In this paper, we show that the assumptions existing software defenses make about memory addressing are inaccurate. Specifically, we show that physical address space is often not contiguously mapped to DRAM address space, allowing attackers to trigger Rowhammer corruptions despite active software defenses. We develop RAMSES, a software library modeling end-to-end memory addressing, relying on public documentation, where available, and reverse-engineered models otherwise. RAMSES improves existing software-only Rowhammer defenses and also improves attacks by orders of magnitude, as we show in our evaluation. We use RAMSES to build Hammertime, an open-source suite of tools for studying Rowhammer properties affecting attacks and defenses, which we release as open-source software.

Original languageEnglish
Title of host publicationResearch in Attacks, Intrusions, and Defenses
Subtitle of host publication21st International Symposium, RAID 2018, Proceedings
EditorsMichael Bailey, Sotiris Ioannidis, Manolis Stamatogiannakis, Thorsten Holz
PublisherSpringer/Verlag
Pages47-66
Number of pages20
ISBN (Electronic)9783030004705
ISBN (Print)9783030004699
DOIs
Publication statusPublished - 2018
Event21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018 - Heraklion, Greece
Duration: 10 Sep 201812 Sep 2018

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume11050
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018
CountryGreece
CityHeraklion
Period10/09/1812/09/18

Fingerprint

Hammers
Physical addresses
Hardware
Data storage equipment
Software
Dynamic random access storage
Computer simulation
Attack
Open Source Software
Inaccurate
Vulnerability
Trigger
Open Source
Reverse
Evaluation
Modeling
Open source software

Keywords

  • DRAM geometry
  • Hammertime
  • Rowhammer

Cite this

Tatar, A., Giuffrida, C., Bos, H., & Razavi, K. (2018). Defeating software mitigations against rowhammer: A surgical precision hammer. In M. Bailey, S. Ioannidis, M. Stamatogiannakis, & T. Holz (Eds.), Research in Attacks, Intrusions, and Defenses: 21st International Symposium, RAID 2018, Proceedings (pp. 47-66). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11050). Springer/Verlag. https://doi.org/10.1007/978-3-030-00470-5_3
Tatar, Andrei ; Giuffrida, Cristiano ; Bos, Herbert ; Razavi, Kaveh. / Defeating software mitigations against rowhammer : A surgical precision hammer. Research in Attacks, Intrusions, and Defenses: 21st International Symposium, RAID 2018, Proceedings. editor / Michael Bailey ; Sotiris Ioannidis ; Manolis Stamatogiannakis ; Thorsten Holz. Springer/Verlag, 2018. pp. 47-66 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{5a73303521da40ff848fcfcfd312139e,
title = "Defeating software mitigations against rowhammer: A surgical precision hammer",
abstract = "With software becoming harder to compromise due to modern defenses, attackers are increasingly looking at exploiting hardware vulnerabilities such as Rowhammer. In response, the research community has developed several software defenses to protect existing hardware against this threat. In this paper, we show that the assumptions existing software defenses make about memory addressing are inaccurate. Specifically, we show that physical address space is often not contiguously mapped to DRAM address space, allowing attackers to trigger Rowhammer corruptions despite active software defenses. We develop RAMSES, a software library modeling end-to-end memory addressing, relying on public documentation, where available, and reverse-engineered models otherwise. RAMSES improves existing software-only Rowhammer defenses and also improves attacks by orders of magnitude, as we show in our evaluation. We use RAMSES to build Hammertime, an open-source suite of tools for studying Rowhammer properties affecting attacks and defenses, which we release as open-source software.",
keywords = "DRAM geometry, Hammertime, Rowhammer",
author = "Andrei Tatar and Cristiano Giuffrida and Herbert Bos and Kaveh Razavi",
year = "2018",
doi = "10.1007/978-3-030-00470-5_3",
language = "English",
isbn = "9783030004699",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer/Verlag",
pages = "47--66",
editor = "Michael Bailey and Sotiris Ioannidis and Manolis Stamatogiannakis and Thorsten Holz",
booktitle = "Research in Attacks, Intrusions, and Defenses",

}

Tatar, A, Giuffrida, C, Bos, H & Razavi, K 2018, Defeating software mitigations against rowhammer: A surgical precision hammer. in M Bailey, S Ioannidis, M Stamatogiannakis & T Holz (eds), Research in Attacks, Intrusions, and Defenses: 21st International Symposium, RAID 2018, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11050, Springer/Verlag, pp. 47-66, 21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018, Heraklion, Greece, 10/09/18. https://doi.org/10.1007/978-3-030-00470-5_3

Defeating software mitigations against rowhammer : A surgical precision hammer. / Tatar, Andrei; Giuffrida, Cristiano; Bos, Herbert; Razavi, Kaveh.

Research in Attacks, Intrusions, and Defenses: 21st International Symposium, RAID 2018, Proceedings. ed. / Michael Bailey; Sotiris Ioannidis; Manolis Stamatogiannakis; Thorsten Holz. Springer/Verlag, 2018. p. 47-66 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11050).

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

TY - GEN

T1 - Defeating software mitigations against rowhammer

T2 - A surgical precision hammer

AU - Tatar, Andrei

AU - Giuffrida, Cristiano

AU - Bos, Herbert

AU - Razavi, Kaveh

PY - 2018

Y1 - 2018

N2 - With software becoming harder to compromise due to modern defenses, attackers are increasingly looking at exploiting hardware vulnerabilities such as Rowhammer. In response, the research community has developed several software defenses to protect existing hardware against this threat. In this paper, we show that the assumptions existing software defenses make about memory addressing are inaccurate. Specifically, we show that physical address space is often not contiguously mapped to DRAM address space, allowing attackers to trigger Rowhammer corruptions despite active software defenses. We develop RAMSES, a software library modeling end-to-end memory addressing, relying on public documentation, where available, and reverse-engineered models otherwise. RAMSES improves existing software-only Rowhammer defenses and also improves attacks by orders of magnitude, as we show in our evaluation. We use RAMSES to build Hammertime, an open-source suite of tools for studying Rowhammer properties affecting attacks and defenses, which we release as open-source software.

AB - With software becoming harder to compromise due to modern defenses, attackers are increasingly looking at exploiting hardware vulnerabilities such as Rowhammer. In response, the research community has developed several software defenses to protect existing hardware against this threat. In this paper, we show that the assumptions existing software defenses make about memory addressing are inaccurate. Specifically, we show that physical address space is often not contiguously mapped to DRAM address space, allowing attackers to trigger Rowhammer corruptions despite active software defenses. We develop RAMSES, a software library modeling end-to-end memory addressing, relying on public documentation, where available, and reverse-engineered models otherwise. RAMSES improves existing software-only Rowhammer defenses and also improves attacks by orders of magnitude, as we show in our evaluation. We use RAMSES to build Hammertime, an open-source suite of tools for studying Rowhammer properties affecting attacks and defenses, which we release as open-source software.

KW - DRAM geometry

KW - Hammertime

KW - Rowhammer

UR - http://www.scopus.com/inward/record.url?scp=85053930094&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85053930094&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-00470-5_3

DO - 10.1007/978-3-030-00470-5_3

M3 - Conference contribution

SN - 9783030004699

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 47

EP - 66

BT - Research in Attacks, Intrusions, and Defenses

A2 - Bailey, Michael

A2 - Ioannidis, Sotiris

A2 - Stamatogiannakis, Manolis

A2 - Holz, Thorsten

PB - Springer/Verlag

ER -

Tatar A, Giuffrida C, Bos H, Razavi K. Defeating software mitigations against rowhammer: A surgical precision hammer. In Bailey M, Ioannidis S, Stamatogiannakis M, Holz T, editors, Research in Attacks, Intrusions, and Defenses: 21st International Symposium, RAID 2018, Proceedings. Springer/Verlag. 2018. p. 47-66. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-030-00470-5_3