Overview
Syllabus
Intro
How reading from DRAM works
Timing difference
How widespread is the issue?
Requirements
Access techniques
Physical addresses and DRAM
How to exploit random bit flips?
Strategy: Modify instructions
Page Table Entries
Page Table Manipulation
Post-Rowhammer Exploitation
Bit Flips + Page Deduplication
Mitigations
What about ECC?
Preventing Rowhammer attacks in hardware (1/3)
Preventing Rowhammer attacks in software
Detecting Rowhammer attacks
Defenses Overview
How to hammer?
Single-sided hammering
Double-sided hammering
Hammering techniques
One-location hammering
Memory-Controller Policies
How well does it work?
Opcode Flipping - Conditional Jump
Page Cache
Memory Waylaying
SGX Encrypted Memory
(Ab)using SGX Protection
Just comparing some performance numbers...
Exploiting Nethammer Bit Flips
Taught by
Black Hat