Overview
Explore the security implications of the Rowhammer bug in DRAM cells through this 16-minute IEEE conference talk. Delve into how an unprivileged adversary can exploit this reliability issue to read bits in memory without directly accessing them, challenging the assumption that bit flips in private memory are harmless. Learn about novel techniques for exploiting the data dependence between Rowhammer-induced bit flips and nearby bits, enabling the deduction of sensitive information across security boundaries. Discover how this attack method threatens both integrity and confidentiality, even in systems with ECC memory. Examine an end-to-end attack on OpenSSH 7.9, extracting an RSA-2048 key from a root-level SSH daemon, and understand the innovative approaches used to manipulate memory and locate physically contiguous areas for double-sided Rowhammering. Gain insights into the broader implications of this research for DRAM security and the need for robust countermeasures against such sophisticated attacks.
Syllabus
Introduction
How Memory Works
Row Hammer Effect
Row HammerInduced Bit Flips
Memory Layout Acquisition
Memory Allocator
OpenSSH Key Placement
Fung Shui
Reading Bits
Reading the Next Bit
EndtoEnd Attack
ECC Memory
ECC Memory Example
Conclusions
Taught by
IEEE Symposium on Security and Privacy