JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms

Authors: Zane Weissman, T. Tiemann, D. Moghimi, E. Custodio, T. Eisenbarth, B. Sunar
Journal: IACR Trans. Cryptogr. Hardw. Embed. Syst.

After years of development, FPGAs are finally making an appearance on multi-tenant cloud servers. These heterogeneous FPGA-CPU architectures break common assumptions about isolation and security boundaries. Since the FPGA and CPU architectures share hardware resources, a new class of vulnerabilities requires us to reassess the security and dependability of these platforms. In this work, we analyze the memory and cache subsystem and study Rowhammer and cache attacks enabled on two proposed…

Leaky Buddies: Cross-Component Covert Channels on Integrated CPU-GPU Systems
This work considers the potential for covert channel attacks that arise either from shared microarchitectural components (such as caches) or through shared contention domains (e.g., shared buses) and develops two reliable covert channel attacks.
A Quantitative Defense Framework against Power Attacks on Multi-tenant FPGA
  • Yukui Luo, Xiaolin Xu
  • Computer Science
  • 2020 IEEE/ACM International Conference On Computer Aided Design (ICCAD)
  • 2020
A quantitative defense framework is introduced that provides a two-fold defense method: static and dynamic frequency scaling, to manage the clock frequency of the FPGA applications and an on-chip sensor that can accurately quantify the real-time voltage drop.
SoK: On the Security Challenges and Risks of Multi-Tenant FPGAs in the Cloud
Through investigating the problem of end-to-end multi-tenant FPGA deployment more comprehensively, it is revealed how these attacks actually represent only one dimension of the problem, while various open security and privacy challenges remain unaddressed.
Trusted Configuration in Cloud FPGAs
This paper presents the first practical solution that, under reasonable trust assumptions, satisfies the IP protection requirement of the client and provides a bitstream sanity check to the cloud provider.
Security of Cloud FPGAs: A Survey
The emerging field of cloud FPGA security is surveyed, providing a comprehensive overview of the security issues related to cloud FPGAs, and highlighting future challenges in this research area.
SideLine: How Delay-Lines (May) Leak Secrets from your SoC
This work introduces SideLine, a novel side-channel vector based on delay-line components widely implemented in high-end SoCs and demonstrates that these entities can be used to perform remote power side-channel attacks.
BlockHammer: Preventing RowHammer at Low Cost by Blacklisting Rapidly-Accessed DRAM Rows
The key idea of BlockHammer is to track row activation rates using area-efficient Bloom filters, and use the tracking data to ensure that no row is ever activated rapidly enough to induce RowHammer bit-flips.
Stop! Hammer time: rethinking our approach to rowhammer mitigations
This work argues that the systems community can and must drive a fundamental change in Rowhammer mitigation techniques and proposes novel hardware primitives in the CPU's integrated memory controller that would enable a variety of efficient software defenses, offering flexible safeguards against future attacks.
QuantumHammer: A Practical Hybrid Attack on the LUOV Signature Scheme
This work introduces a novel hybrid attack, QuantumHammer, and demonstrates the first successful in-the-wild attack on LUOV recovering all 11K key bits with less than 4 hours of an active Rowhammer attack.


FPGA-Based Remote Power Side-Channel Attacks
  • Mark Zhao, G. Suh
  • Computer Science
  • 2018 IEEE Symposium on Security and Privacy (SP)
  • 2018
This work introduces and demonstrates remote power side-channel attacks using an FPGA, showing that the common assumption that power side-channel attacks require specialized equipment and physical access to the victim hardware is not true for systems with an integrated FPGA.
FPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs, suitable for DFA on AES
This work shows how fault attacks can be launched within an FPGA, through software-provided bitstreams alone, and analyzes and adapts an existing fault model for the Advanced Encryption Standard to match the accuracy of the fault attack.
Voltage drop-based fault attacks on FPGAs using valid bitstreams
This paper reveals a security vulnerability in FPGAs that allows a valid configuration to generate severe voltage fluctuations, which crashes the FPGA within a few microseconds, and analyzes its underlying mechanism.
An inside job: Remote power analysis attacks on FPGAs
This work presents a design methodology dedicated to FPGAs which allows measuring a fraction of the dynamic power consumption and develops internal sensors which are based on FPGA primitives, and transfers the internally-measured side-channel leakages outside.
Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU
It is shown that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript.
Leakier Wires
It is shown that “long” routing wires present a new source of information leakage on FPGAs, by influencing the delay of adjacent long wires, and that the effect is measurable for both static and dynamic signals and that it can be detected using small on-board circuits.
FPGA Side Channel Attacks without Physical Access
This work presents the first successful attack on an unsuspecting circuit in an FPGA using information passively obtained from neighboring long-lines, and demonstrates that the attack can recover encryption keys from AES circuits running at 10MHz, and has the capability to scale to much higher frequencies.
Cross Processor Cache Attacks
The first fine-grained side-channel attack that works across processors is presented; for the first time, the directory protocol of high-efficiency CPU interconnects is targeted, and the viability of the proposed covert channel is demonstrated with two new attacks.
CacheZoom: How SGX Amplifies The Power of Cache Attacks
This is the first cache side-channel attack on a real system that can perform AES key recovery with a minimal number of measurements, and can successfully recover AES keys from T-Table based implementations with as few as ten measurements.
DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks
DRAMA attacks are introduced, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems and enables practical Rowhammer attacks on DDR4.