Overview
Explore the secret flaws of in-DRAM RowHammer mitigations in this 48-minute conference talk from the Hack In The Box Security Conference. Delve into the vulnerability affecting DDR3 memory chips and its evolution into DDR4. Learn how researchers used FPGA-based memory controllers to reverse-engineer the Target Row Refresh (TRR) mitigation concealed within DRAM chips. Discover the implementation details, the various flavors of TRR, and why RowHammer remains a persistent threat. Gain insights into creating new hammering patterns and using the RowHammer fuzzer, TRRespass. Follow the speakers' journey through DRAM architecture, exploitation techniques, software defenses, and the challenges of reverse engineering hardware security measures. Understand the implications for hardware and software security, microarchitectural attacks, and side-channel exploitation in this comprehensive exploration of RowHammer vulnerabilities and mitigations.
Syllabus
Intro
What's it about?
DRAM - Bank
Exploiting Row Hammer
Tracing via PMU
Memory separation
Limitations
Unknown geometry
Software Defenses
Double refresh rate
Defenses vol. 2
Pseudo Target Row Refresh
Timeline
Target Row Refresh (TRR)
Abstractions
Challenges
Reverse Engineering
Methodology
Case study
ONE PROBLEM SOLVED...
TRRespass: The RowFuzzer
BIT FLIPS...
Recap
Conclusions
Taught by
Hack In The Box Security Conference