GuardION: Practical Mitigation of DMA-Based Rowhammer Attacks on ARM

@inproceedings{Veen2018GuardIONPM,
  title={GuardION: Practical Mitigation of DMA-Based Rowhammer Attacks on ARM},
  author={Victor van der Veen and Martina Lindorfer and Yanick Fratantonio and Harikrishnan Padmanabha Pillai and Giovanni Vigna and Christopher Kr{\"u}gel and Herbert Bos and Kaveh Razavi},
  booktitle={DIMVA},
  year={2018}
}
Over the last two years, the Rowhammer bug transformed from a hard-to-exploit DRAM disturbance error into a fully weaponized attack vector. Researchers demonstrated exploits not only against desktop computers, but also used single bit flips to compromise the cloud and mobile devices, all without relying on any software vulnerability. 

Detection Technique of Software-induced Rowhammer Attacks

A rowhammer attack detection technique is proposed that extracts common features of rowhammer attack files through static analysis of rowhammer attack code.

RIP-RH: Preventing Rowhammer-based Inter-Process Attacks

RIP-RH is presented, a DRAM-aware memory allocator that allows for dynamic management of multiple user-space processes and ensures that the memory partitions belonging to individual processes are physically isolated.

ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks

ZebRAM isolates every DRAM row that contains data with guard rows that absorb any Rowhammer-induced bit flips; the only known method to protect against all forms of Rowhammer.

V0LTpwn: Attacking x86 Processor Integrity from Software

V0LTpwn is a novel hardware-oriented but software-controlled attack that affects the integrity of computation in virtually any execution mode on modern x86 processors, and represents the first attack on x86 integrity from software.

Stop! Hammer time: rethinking our approach to rowhammer mitigations

This work argues that the systems community can and must drive a fundamental change in Rowhammer mitigation techniques and proposes novel hardware primitives in the CPU's integrated memory controller that would enable a variety of efficient software defenses, offering flexible safeguards against future attacks.

Revisiting Rowhammer Attacks in Embedded Systems

This paper revisits the exploitation approaches based on the Rowhammer bug and provides an overall study of their security implications on embedded systems, such as ARM-based mobile phones and tablets.

Understanding Rowhammer Attacks through the Lens of a Unified Reference Framework

A novel expressive rowhammer attack that is capable of accumulating injected memory changes and achieving rich attack semantics is proposed, enabling proactive prevention before it causes harm.

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks

This paper provides concrete evidence of the susceptibility of ECC memory to Rowhammer attacks, and describes a novel approach that combines a custom-made hardware probe, Rowhammer bit flips, and a cold boot attack to reverse engineer ECC functions on commodity AMD and Intel processors.

LightRoAD: Lightweight Rowhammer Attack Detector

This work presents LightRoAD, a lightweight and flexible hardware detector for Rowhammer attacks, and proposes two variants that further extend LightRoAD's security, namely LightRoAD+Sec and LightRoAD+PARA.

Rowhammering Storage Devices

This work sets out to rowhammer the DRAM component of a simplified host-side FTL, issuing regular I/O requests that manage to flip bits in a way that triggers sensitive information leakage, concluding that such attacks might soon be feasible.

References


CAn't Touch This: Practical and Generic Software-only Defenses Against Rowhammer Attacks

Detailed evaluation shows that both mitigation schemes can stop available real-world rowhammer attacks, impose virtually no run-time overhead for common user and kernel benchmarks as well as commonly used applications, and do not affect the stability of the overall system.

When good protections go bad: Exploiting anti-DoS measures to accelerate rowhammer attacks

The first rowhammer attack that overcomes all three protections when used in tandem is demonstrated, and is enabled by the recently introduced Cache Allocation Technology, a mechanism designed in part to protect virtual machines from inter-VM denial-of-service attacks.

ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks

A software-based defense, ANVIL, is developed, which thwarts all known rowhammer attacks on existing systems and is shown to be low-cost and robust; experiments indicate that it is an effective approach for protecting existing and future systems from even advanced rowhammer attacks.

A new approach for rowhammer attacks

Rui Qiao, Mark Seaborn. 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), 2016.

This paper proposes a new approach for rowhammer that is based on x86 non-temporal instructions and is much less constrained, targeting a more challenging task: remote rowhammer attacks, i.e., triggering rowhammer with existing, benign code.

One Bit Flips, One Cloud Flops: Cross-VM Row Hammer Attacks and Privilege Escalation

Novel techniques are developed to determine the physical address mapping in DRAM modules at runtime (to improve the effectiveness of double-sided row hammer attacks), methods to exhaustively hammer a large fraction of physical memory from a guest VM (to collect exploitable vulnerable bits), and innovative approaches to break Xen paravirtualized memory isolation.

Drammer: Deterministic Rowhammer Attacks on Mobile Platforms

It is shown that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses, and the first Rowhammer-based Android root exploit is presented, relying on no software vulnerability, and requiring no user permissions.

Still Hammerable and Exploitable: on the Effectiveness of Software-only Physical Kernel Isolation

A novel practical exploit is developed, which could effectively defeat CATT and gain both root and kernel privileges, without exhausting page cache and system memory, or relying on any virtual-to-physical mapping information.

DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks

DRAMA attacks are introduced, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems and enables practical Rowhammer attacks on DDR4.

Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript

This work shows that caches can be forced into fast cache eviction to trigger the Rowhammer bug with only regular memory accesses, and demonstrates a fully automated attack that requires nothing but a website with JavaScript to trigger faults on remote hardware.

Flip Feng Shui: Hammering a Needle in the Software Stack

Flip Feng Shui (FFS) is introduced, a new exploitation vector which allows an attacker to induce bit flips over arbitrary physical memory in a fully controlled way; it is exemplified with end-to-end attacks breaking OpenSSH public-key authentication and forging GPG signatures from trusted keys, thereby compromising the Ubuntu/Debian update mechanism.