Exploiting correcting codes: On the effectiveness of ECC memory against rowhammer attacks

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

Given the increasing impact of Rowhammer, and the dearth of adequate other hardware defenses, many in the security community have pinned their hopes on error-correcting code (ECC) memory as one of the few practical defenses against Rowhammer attacks. Specifically, the expectation is that the ECC algorithm will correct or detect any bits they manage to flip in memory in real-world settings. However, the extent to which ECC really protects against Rowhammer is an open research question, due to two key challenges. First, the details of the ECC implementations in commodity systems are not known. Second, existing Rowhammer exploitation techniques cannot yield reliable attacks in presence of ECC memory. In this paper, we address both challenges and provide concrete evidence of the susceptibility of ECC memory to Rowhammer attacks. To address the first challenge, we describe a novel approach that combines a custom-made hardware probe, Rowhammer bit flips, and a cold boot attack to reverse engineer ECC functions on commodity AMD and Intel processors. To address the second challenge, we present ECCploit, a new Rowhammer attack based on composable, data-controlled bit flips and a novel side channel in the ECC memory controller. We show that, while ECC memory does reduce the attack surface for Rowhammer, ECCploit still allows an attacker to mount reliable Rowhammer attacks against vulnerable ECC memory on a variety of systems and configurations. In addition, we show that, despite the non-trivial constraints imposed by ECC, ECCploit can still be powerful in practice and mimic the behavior of prior Rowhammer exploits.

Original language: English
Title of host publication: 2019 IEEE Symposium on Security and Privacy, SP 2019 - Proceedings
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 55-71
Number of pages: 17
ISBN (Electronic): 9781538666609
DOIs: https://doi.org/10.1109/SP.2019.00089
Publication status: Published - 16 Sep 2019
Event: 40th IEEE Symposium on Security and Privacy, SP 2019 - San Francisco, United States
Duration: 19 May 2019 → 23 May 2019

Publication series

Name: Proceedings - IEEE Symposium on Security and Privacy
Volume: 2019-May
ISSN (Print): 1081-6011

Conference

Conference: 40th IEEE Symposium on Security and Privacy, SP 2019
Country: United States
City: San Francisco
Period: 19/05/19 → 23/05/19

Fingerprint

Data storage equipment
Hardware
Engineers
Controllers

Keywords

  • Ecc
  • Hardware
  • Rowhammer
  • Security

Cite this

Cojocar, L., Razavi, K., Giuffrida, C., & Bos, H. (2019). Exploiting correcting codes: On the effectiveness of ECC memory against rowhammer attacks. In 2019 IEEE Symposium on Security and Privacy, SP 2019 - Proceedings (pp. 55-71). [8835222] (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2019-May). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SP.2019.00089
Cojocar, Lucian ; Razavi, Kaveh ; Giuffrida, Cristiano ; Bos, Herbert. / Exploiting correcting codes : On the effectiveness of ECC memory against rowhammer attacks. 2019 IEEE Symposium on Security and Privacy, SP 2019 - Proceedings. Institute of Electrical and Electronics Engineers Inc., 2019. pp. 55-71 (Proceedings - IEEE Symposium on Security and Privacy).
@inproceedings{dc0f239861b3463e9eaecab7c65fe522,
title = "Exploiting correcting codes: On the effectiveness of ECC memory against rowhammer attacks",
abstract = "Given the increasing impact of Rowhammer, and the dearth of adequate other hardware defenses, many in the security community have pinned their hopes on error-correcting code (ECC) memory as one of the few practical defenses against Rowhammer attacks. Specifically, the expectation is that the ECC algorithm will correct or detect any bits they manage to flip in memory in real-world settings. However, the extent to which ECC really protects against Rowhammer is an open research question, due to two key challenges. First, the details of the ECC implementations in commodity systems are not known. Second, existing Rowhammer exploitation techniques cannot yield reliable attacks in presence of ECC memory. In this paper, we address both challenges and provide concrete evidence of the susceptibility of ECC memory to Rowhammer attacks. To address the first challenge, we describe a novel approach that combines a custom-made hardware probe, Rowhammer bit flips, and a cold boot attack to reverse engineer ECC functions on commodity AMD and Intel processors. To address the second challenge, we present ECCploit, a new Rowhammer attack based on composable, data-controlled bit flips and a novel side channel in the ECC memory controller. We show that, while ECC memory does reduce the attack surface for Rowhammer, ECCploit still allows an attacker to mount reliable Rowhammer attacks against vulnerable ECC memory on a variety of systems and configurations. In addition, we show that, despite the non-trivial constraints imposed by ECC, ECCploit can still be powerful in practice and mimic the behavior of prior Rowhammer exploits.",
keywords = "Ecc, Hardware, Rowhammer, Security",
author = "Lucian Cojocar and Kaveh Razavi and Cristiano Giuffrida and Herbert Bos",
year = "2019",
month = "9",
day = "16",
doi = "10.1109/SP.2019.00089",
language = "English",
series = "Proceedings - IEEE Symposium on Security and Privacy",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "55--71",
booktitle = "2019 IEEE Symposium on Security and Privacy, SP 2019 - Proceedings",
address = "United States",

}

Cojocar, L, Razavi, K, Giuffrida, C & Bos, H 2019, Exploiting correcting codes: On the effectiveness of ECC memory against rowhammer attacks. in 2019 IEEE Symposium on Security and Privacy, SP 2019 - Proceedings., 8835222, Proceedings - IEEE Symposium on Security and Privacy, vol. 2019-May, Institute of Electrical and Electronics Engineers Inc., pp. 55-71, 40th IEEE Symposium on Security and Privacy, SP 2019, San Francisco, United States, 19/05/19. https://doi.org/10.1109/SP.2019.00089

Exploiting correcting codes : On the effectiveness of ECC memory against rowhammer attacks. / Cojocar, Lucian; Razavi, Kaveh; Giuffrida, Cristiano; Bos, Herbert.

2019 IEEE Symposium on Security and Privacy, SP 2019 - Proceedings. Institute of Electrical and Electronics Engineers Inc., 2019. p. 55-71 8835222 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2019-May).

TY - GEN

T1 - Exploiting correcting codes

T2 - On the effectiveness of ECC memory against rowhammer attacks

AU - Cojocar, Lucian

AU - Razavi, Kaveh

AU - Giuffrida, Cristiano

AU - Bos, Herbert

PY - 2019/9/16

Y1 - 2019/9/16

N2 - Given the increasing impact of Rowhammer, and the dearth of adequate other hardware defenses, many in the security community have pinned their hopes on error-correcting code (ECC) memory as one of the few practical defenses against Rowhammer attacks. Specifically, the expectation is that the ECC algorithm will correct or detect any bits they manage to flip in memory in real-world settings. However, the extent to which ECC really protects against Rowhammer is an open research question, due to two key challenges. First, the details of the ECC implementations in commodity systems are not known. Second, existing Rowhammer exploitation techniques cannot yield reliable attacks in presence of ECC memory. In this paper, we address both challenges and provide concrete evidence of the susceptibility of ECC memory to Rowhammer attacks. To address the first challenge, we describe a novel approach that combines a custom-made hardware probe, Rowhammer bit flips, and a cold boot attack to reverse engineer ECC functions on commodity AMD and Intel processors. To address the second challenge, we present ECCploit, a new Rowhammer attack based on composable, data-controlled bit flips and a novel side channel in the ECC memory controller. We show that, while ECC memory does reduce the attack surface for Rowhammer, ECCploit still allows an attacker to mount reliable Rowhammer attacks against vulnerable ECC memory on a variety of systems and configurations. In addition, we show that, despite the non-trivial constraints imposed by ECC, ECCploit can still be powerful in practice and mimic the behavior of prior Rowhammer exploits.

KW - Ecc

KW - Hardware

KW - Rowhammer

KW - Security

UR - http://www.scopus.com/inward/record.url?scp=85069968163&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85069968163&partnerID=8YFLogxK

U2 - 10.1109/SP.2019.00089

DO - 10.1109/SP.2019.00089

M3 - Conference contribution

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 55

EP - 71

BT - 2019 IEEE Symposium on Security and Privacy, SP 2019 - Proceedings

PB - Institute of Electrical and Electronics Engineers Inc.

ER -

Cojocar L, Razavi K, Giuffrida C, Bos H. Exploiting correcting codes: On the effectiveness of ECC memory against rowhammer attacks. In 2019 IEEE Symposium on Security and Privacy, SP 2019 - Proceedings. Institute of Electrical and Electronics Engineers Inc. 2019. p. 55-71. 8835222. (Proceedings - IEEE Symposium on Security and Privacy). https://doi.org/10.1109/SP.2019.00089