More Web Proxy on the site http://driver.im/

research-article

Public Access

Triggering Rowhammer Hardware Faults on ARM: A Revisit

Authors:

Daniel Balasubramanian,

Xenofon Koutsoukos,

Gabor KarsaiAuthors Info & Claims

ASHES '18: Proceedings of the 2018 Workshop on Attacks and Solutions in Hardware Security

Pages 24 - 33

https://doi.org/10.1145/3266444.3266454

Published: 15 January 2018 Publication History

Abstract

The rowhammer bug belongs to software-induced hardware faults, and has posed great security challenges to numerous systems. On x86, many approaches to triggering the rowhammer bug have been found; yet, due to several different reasons, the number of discovered approaches on ARM is limited. In this paper, we revisit the problem of how to trigger the rowhammer bug on ARM-based devices by carefully investigating whether it is possible to translate the original x86-oriented rowhammer approaches to ARM. We provide a thorough study of the unprivileged ARMv8-A cache maintenance instructions and give two previously overlooked reasons to support their use in rowhammer attacks. Moreover, we present a previously undiscovered instruction that can be exploited to trigger the rowhammer bug on many ARM-based devices. A potential approach to quickly evicting ARM CPU caches is also discussed, and experimental evaluations are carried out to show the effectiveness of our findings.

References

[1]

Misiker Tadesse Aga, Zelalem Birhanu Aweke, and Todd Austin. 2017. When good protections go bad: Exploiting anti-DoS measures to accelerate rowhammer attacks. In 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). 8--13.

[2]

Barbara Aichinger. 2015. DDR memory errors caused by Row Hammer. In 2015 IEEE High Performance Extreme Computing Conference (HPEC). 1--5.

[3]

JEDEC Solid State Technology Association. 2017. Low Power Double Data Rate 4 (LPDDR4) .

[4]

Zelalem Birhanu Aweke, Salessawi Ferede Yitbarek, Rui Qiao, Reetuparna Das, Matthew Hicks, Yossi Oren, and Todd Austin. 2016. ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks. In Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS '16). 743--755.

Digital Library

[5]

Sarani Bhattacharya and Debdeep Mukhopadhyay. 2016. Curious case of rowhammer: flipping secret exponent bits using timing analysis. In International Conference on Cryptographic Hardware and Embedded Systems . 602--624.

[6]

Erik Bosman, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. 2016. Dedup est machina: Memory deduplication as an advanced exploitation vector. In 2016 IEEE symposium on security and privacy (S&P). 987--1004.

[7]

Yueqiang Cheng, Zhi Zhang, Surya Nepal, and Zhi Wang. 2018. Still Hammerable and Exploitable: on the Effectiveness of Software-only Physical Kernel Isolation. CoRR, Vol. abs/1802.07060 (2018). arxiv: 1802.07060 http://arxiv.org/abs/1802.07060

[8]

Pietro Frigo, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi. 2018. Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU. In IEEE Symposium on Security and Privacy (S&P) .

[9]

Marc Green, Leandro Rodrigues-Lima, Andreas Zankl, Gorka Irazoqui, Johann Heyszl, and Thomas Eisenbarth. 2017. AutoLock: Why Cache Attacks on ARM Are Harder Than You Think. In 26th USENIX Security Symposium (USENIX Security 17). 1075--1091.

Digital Library

[10]

Daniel Gruss, Moritz Lipp, Michael Schwarz, Daniel Genkin, Jonas Juffinger, Sioli O'Connell, Wolfgang Schoechl, and Yuval Yarom. 2018. Another Flip in the Wall of Rowhammer Defenses. In 2018 IEEE Symposium on Security and Privacy (S&P). 489--505.

[11]

Daniel Gruss, Clémentine Maurice, and Stefan Mangard. 2016. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment . 300--321.

Digital Library

[12]

Nishad Herath and Anders Fogh. 2015. These are Not Your Grand Daddy's CPU Performance Counters - CPU Hardware Performance Counters for Security. In Black Hat Briefings .

[13]

Gorka Irazoqui, Thomas Eisenbarth, and Berk Sunar. 2016. MASCAT: Stopping Microarchitectural Attacks Before Execution. Cryptology ePrint Archive, Report 2016/1196. https://eprint.iacr.org/2016/1196.

[14]

Yeongjin Jang, Jaehyuk Lee, Sangho Lee, and Taesoo Kim. 2017. SGX-Bomb: Locking Down the Processor via Rowhammer Attack. In Proceedings of the 2nd Workshop on System Software for Trusted Execution (SysTEX '17). Article 5, bibinfonumpages6 pages.

Digital Library

[15]

Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, and Onur Mutlu. 2014. Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors. In Proceeding of the 41st Annual International Symposium on Computer Architecuture (ISCA '14). 361--372.

Digital Library

[16]

Mark Lanteigne. 2016. How Rowhammer Could Be Used to Exploit Weaknesses in Computer Hardware. http://www.thirdio.com/rowhammer.pdf.

[17]

ARM Limited. 2016. ARM Cortex-A53 MPCore Processor Technical Reference Manual . Revision: r0p4.

[18]

ARM Limited. 2017. ARM Architecture Reference Manual - ARMv8, for ARMv8-A architecture profile .

[19]

Moritz Lipp, Misiker Tadesse Aga, Michael Schwarz, Daniel Gruss, Clé mentine Maurice, Lukas Raab, and Lukas Lamster. 2018. Nethammer: Inducing Rowhammer Faults through Network Requests. CoRR, Vol. abs/1805.04956 (2018). arxiv: 1805.04956 http://arxiv.org/abs/1805.04956

[20]

Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, and Stefan Mangard. 2016. ARMageddon: Cache Attacks on Mobile Devices. In 25th USENIX Security Symposium (USENIX Security 16). 549--564.

Digital Library

[21]

Mathias Payer. 2016. HexPADS: A Platform to Detect “Stealth” Attacks. In Proceedings of the 8th International Symposium on Engineering Secure Software and Systems - Volume 9639 (ESSoS 2016). 138--154.

Digital Library

[22]

Rui Qiao and Mark Seaborn. 2016. A new approach for rowhammer attacks. In 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). 161--166.

[23]

Kaveh Razavi, Ben Gras, Erik Bosman, Bart Preneel, Cristiano Giuffrida, and Herbert Bos. 2016. Flip Feng Shui: Hammering a Needle in the Software Stack. In 25th USENIX Security Symposium (USENIX Security 16). 1--18.

Digital Library

[24]

Mark Seaborn and Thomas Dullien. 2015. Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges. In Black Hat Briefings .

[25]

Anand Lal Shimpi. 2013. Answered by the Experts: ARM's Cortex A53 Lead Architect, Peter Greenhalgh. https://www.anandtech.com/show/7591/answered-by-the-experts-arms-cortex-a53-lead-architect-peter-greenhalgh.

[26]

Andrei Tatar, Radhesh Krishnan Konoth, Elias Athanasopoulos, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi. 2018. Throwhammer: Rowhammer Attacks over the Network and Defenses. In 2018 USENIX Annual Technical Conference (USENIX ATC 18). 213--226.

Digital Library

[27]

Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, and Cristiano Giuffrida. 2016. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). 1675--1689.

Digital Library

[28]

Victor van der Veen, Martina Lindorfer, Yanick Fratantonio, Harikrishnan Padmanabha Pillai, Giovanni Vigna, Christopher Kruegel, Herbert Bos, and Kaveh Razavi. 2018. GuardION: Practical Mitigation of DMA-Based Rowhammer Attacks on ARM. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. 92--113.

[29]

Yuan Xiao, Xiaokuan Zhang, Yinqian Zhang, and Radu Teodorescu. 2016. One Bit Flips, One Cloud Flops: Cross-VM Row Hammer Attacks and Privilege Escalation. In 25th USENIX Security Symposium (USENIX Security 16). 19--35.

Digital Library

[30]

Shaza Zeitouni, David Gens, and Ahmad-Reza Sadeghi. 2018. It's Hammer Time: How to Attack (Rowhammer-based) DRAM-PUFs. In Proceedings of the 55th Annual Design Automation Conference (DAC '18). 65:1--65:6.

Digital Library

[31]

Xiaokuan Zhang, Yuan Xiao, and Yinqian Zhang. 2016. Return-Oriented Flush-Reload Side Channels on ARM and Their Implications for Android Devices. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). 858--870.

Digital Library

Cited By

Kang YGhosh SKandemir MMarquez A(2024)Impact of Write-Allocate Elimination on Fujitsu A64FXProceedings of the International Conference on High Performance Computing in Asia-Pacific Region Workshops10.1145/3636480.3637283(24-35)Online publication date: 11-Jan-2024
https://dl.acm.org/doi/10.1145/3636480.3637283
Canpolat OYağlıkçı AOlgun AYuksel ITuğrul YKanellopoulos KErgin OMutlu O(2024)BreakHammer: Enhancing RowHammer Mitigations by Carefully Throttling Suspect Threads2024 57th IEEE/ACM International Symposium on Microarchitecture (MICRO)10.1109/MICRO61859.2024.00072(915-934)Online publication date: 2-Nov-2024
https://doi.org/10.1109/MICRO61859.2024.00072
Bostanci FYüksel IOlgun AKanellopoulos KTuğrul YYağliçi ASadrosadati MMutlu O(2024)CoMeT: Count-Min-Sketch-based Row Tracking to Mitigate RowHammer at Low Cost2024 IEEE International Symposium on High-Performance Computer Architecture (HPCA)10.1109/HPCA57654.2024.00050(593-612)Online publication date: 2-Mar-2024
https://doi.org/10.1109/HPCA57654.2024.00050
Show More Cited By

Index Terms

Triggering Rowhammer Hardware Faults on ARM: A Revisit
1. Security and privacy
  1. Security in hardware
    1. Embedded systems security
    2. Hardware attacks and countermeasures

Recommendations

SGX-Bomb: Locking Down the Processor via Rowhammer Attack
SysTEX'17: Proceedings of the 2nd Workshop on System Software for Trusted Execution

Intel Software Guard Extensions (SGX) provides a strongly isolated memory space, known as an enclave, for a user process, ensuring confidentiality and integrity against software and hardware attacks. Even the operating system and hypervisor cannot ...
Are Timing-Based Side-Channel Attacks Feasible in Shared, Modern Computing Hardware?

This article describes how there exist various vulnerabilities in computing hardware that adversaries can exploit to mount attacks against the users of such hardware. Microarchitectural attacks, the result of these vulnerabilities, take advantage of ...
Hardware-based cyber threats: attack vectors and defence techniques

There are certain vulnerabilities associated with computing hardware that attackers can exploit to launch destructive attacks which often go undetected by the existing hardware and software countermeasures. Side channel attacks (SCAs) and Rowhammer ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

ASHES '18: Proceedings of the 2018 Workshop on Attacks and Solutions in Hardware Security

October 2018

88 pages

ISBN:9781450359962

DOI:10.1145/3266444

General Chairs:
Chip Hong Chang
NTU Singapore
,
Ulrich Rührmair
Ruhr-University Bochum
,
Program Chairs:
Daniel Holcomb
UMass Amherst
,
Jorge Guajardo
Robert Bosch LLC - RTC

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 January 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation

Conference

CCS '18

Sponsor:

SIGSAC

CCS '18: 2018 ACM SIGSAC Conference on Computer and Communications Security

October 15 - 19, 2018

Toronto, Canada

Acceptance Rates

Overall Acceptance Rate 6 of 20 submissions, 30%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

19
Total Citations
View Citations
1,537
Total Downloads

Downloads (Last 12 months)484
Downloads (Last 6 weeks)64

Reflects downloads up to 13 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Kang YGhosh SKandemir MMarquez A(2024)Impact of Write-Allocate Elimination on Fujitsu A64FXProceedings of the International Conference on High Performance Computing in Asia-Pacific Region Workshops10.1145/3636480.3637283(24-35)Online publication date: 11-Jan-2024
https://dl.acm.org/doi/10.1145/3636480.3637283
Canpolat OYağlıkçı AOlgun AYuksel ITuğrul YKanellopoulos KErgin OMutlu O(2024)BreakHammer: Enhancing RowHammer Mitigations by Carefully Throttling Suspect Threads2024 57th IEEE/ACM International Symposium on Microarchitecture (MICRO)10.1109/MICRO61859.2024.00072(915-934)Online publication date: 2-Nov-2024
https://doi.org/10.1109/MICRO61859.2024.00072
Bostanci FYüksel IOlgun AKanellopoulos KTuğrul YYağliçi ASadrosadati MMutlu O(2024)CoMeT: Count-Min-Sketch-based Row Tracking to Mitigate RowHammer at Low Cost2024 IEEE International Symposium on High-Performance Computer Architecture (HPCA)10.1109/HPCA57654.2024.00050(593-612)Online publication date: 2-Mar-2024
https://doi.org/10.1109/HPCA57654.2024.00050
Yağlıkçı ATuğrul YOliveira GYüksel İOlgun ALuo HMutlu O(2024)Spatial Variation-Aware Read Disturbance Defenses: Experimental Analysis of Real DRAM Chips and Implications on Future Solutions2024 IEEE International Symposium on High-Performance Computer Architecture (HPCA)10.1109/HPCA57654.2024.00048(560-577)Online publication date: 2-Mar-2024
https://doi.org/10.1109/HPCA57654.2024.00048
Olgun AOsseiran MYağlıkçı ATuğrul YLuo HRhyner SSalami BLuna JMutlu O(2024)Read Disturbance in High Bandwidth Memory: A Detailed Experimental Study on HBM2 DRAM Chips2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN58291.2024.00022(75-89)Online publication date: 24-Jun-2024
https://doi.org/10.1109/DSN58291.2024.00022
Luo HYüksel İOlgun AYağlıkçı ASadrosadati MMutlu O(2024)An Experimental Characterization of Combined RowHammer and RowPress Read Disturbance in Modern DRAM Chips2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume (DSN-S)10.1109/DSN-S60304.2024.00013(6-11)Online publication date: 24-Jun-2024
https://doi.org/10.1109/DSN-S60304.2024.00013
Luo HOlgun AYağlıkçı ATuğrul YRhyner SCavlak MLindegger JSadrosadati MMutlu OSolihin YHeinrich M(2023)RowPress: Amplifying Read Disturbance in Modern DRAM ChipsProceedings of the 50th Annual International Symposium on Computer Architecture10.1145/3579371.3589063(1-18)Online publication date: 17-Jun-2023
https://dl.acm.org/doi/10.1145/3579371.3589063
Mutlu OOlgun AYağlıkcı ATakahashi A(2023)Fundamentally Understanding and Solving RowHammerProceedings of the 28th Asia and South Pacific Design Automation Conference10.1145/3566097.3568350(461-468)Online publication date: 16-Jan-2023
https://dl.acm.org/doi/10.1145/3566097.3568350
Marazzi MSolt FJattke PTakashi KRazavi K(2023)REGA: Scalable Rowhammer Mitigation with Refresh-Generating Activations2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179327(1684-1701)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179327
Kaur ASrivastav PGhoshal B(2023)Flipping Bits Like a Pro: Precise Rowhammering on Embedded DevicesIEEE Embedded Systems Letters10.1109/LES.2023.329873715:4(218-221)Online publication date: Dec-2023
https://doi.org/10.1109/LES.2023.3298737
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents