Nethammer: Inducing Rowhammer Faults through Network Requests

@article{Lipp2020NethammerIR,
  title={Nethammer: Inducing Rowhammer Faults through Network Requests},
  author={Moritz Lipp and Misiker Tadesse Aga and Michael Schwarz and Daniel Gruss and Cl{\'e}mentine Maurice and Lukas Raab and Lukas Lamster},
  journal={2020 IEEE European Symposium on Security and Privacy Workshops (EuroS\&PW)},
  year={2020},
  pages={710-719}
}
A fundamental assumption in software security is that memory contents do not change unless there is a legitimate deliberate modification. [...] Nethammer is a security landslide, making the formerly local attack a remote attack.
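The assumption quoted above is exactly what a Rowhammer test harness checks: fill memory with a known pattern, hammer, and see whether anything changed without being written. The following C program is an added example, not code from the Nethammer paper or its authors. It implements the local version of that loop (repeated reads of two aggressor addresses with a cache flush after each pair, so the reads reach DRAM) followed by a scan of the victim buffer for bits that no longer match the pattern. Nethammer's point is that the hammering step can be driven by a remote attacker's network packets instead of a local program, so the scan is the part that carries over. Assumptions made here and not taken from the page: an 8 KiB DRAM row, aggressor rows chosen by virtual offset only (a real harness resolves physical addresses through /proc/self/pagemap), `_mm_clflush` being available (on non-x86 builds the flush is a no-op and the loop will mostly hit the cache), and the iteration count.

```c
/* Added example, not from the Nethammer paper: a minimal local Rowhammer
 * test harness. (1) fill a victim buffer with a known pattern, (2) hammer
 * two aggressor addresses by reading them and flushing them from cache so
 * each read goes to DRAM, (3) scan the buffer for bits that changed.
 * Whether any bit flips depends on the DIMM and on which physical rows the
 * aggressors land in; only the scan logic is deterministic. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>               /* _mm_clflush (SSE2) */
#define FLUSH(p) _mm_clflush((const void *)(p))
#else
#define FLUSH(p) ((void)(p))         /* assumption: no unprivileged flush here, reads may hit cache */
#endif

typedef struct {
    size_t offset;   /* byte offset of the flipped bit inside the victim buffer */
    int bit;         /* bit index 0..7 within that byte */
    uint8_t seen;    /* byte value actually read back */
} flip_t;

/* Alternate reads to two aggressor addresses, flushing both after every
 * pair so the next read is served by DRAM rather than the cache.
 * Returns the number of read pairs performed. */
unsigned long hammer(volatile uint8_t *a, volatile uint8_t *b, unsigned long iters)
{
    unsigned long i;
    volatile uint8_t sink = 0;
    for (i = 0; i < iters; i++) {
        sink ^= *a;
        sink ^= *b;
        FLUSH(a);
        FLUSH(b);
    }
    (void)sink;
    return i;
}

/* Scan a buffer that was filled with `pattern` and record each bit that
 * differs. Returns the total number of flipped bits; the first `max_out`
 * of them are written to `out`. */
size_t scan_flips(const uint8_t *buf, size_t len, uint8_t pattern,
                  flip_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++) {
        uint8_t diff = (uint8_t)(buf[off] ^ pattern);
        if (!diff)
            continue;
        for (int bit = 0; bit < 8; bit++) {
            if (diff & (1u << bit)) {
                if (n < max_out) {
                    out[n].offset = off;
                    out[n].bit = bit;
                    out[n].seen = buf[off];
                }
                n++;
            }
        }
    }
    return n;
}

int main(void)
{
    const size_t SZ = 4u << 20;            /* 4 MiB victim region */
    const size_t ROW = 8192;               /* assumed DRAM row size, not measured */
    const unsigned long ITERS = 2000000UL; /* assumed; real harnesses run far longer */
    uint8_t *mem = malloc(SZ);
    if (!mem)
        return 1;
    memset(mem, 0xFF, SZ);                 /* 1 -> 0 flips are the common direction */

    /* Aggressors two assumed rows apart, hoping a victim row sits between
     * them. Without a physical-address mapping this is a guess. */
    unsigned long done = hammer(mem + ROW, mem + 3 * ROW, ITERS);

    flip_t flips[16];
    size_t n = scan_flips(mem, SZ, 0xFF, flips, 16);
    printf("%lu hammer iterations, %zu flipped bit(s)\n", done, n);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("  offset 0x%zx bit %d now 0x%02x\n",
               flips[i].offset, flips[i].bit, flips[i].seen);
    free(mem);
    return 0;
}
```

On a susceptible DIMM the scan reports offsets and bit positions; a clean run prints zero flips, which says nothing about the DIMM until aggressor pairs have been tried across many physical rows. Nethammer removes the need for the `hammer` loop on the victim: the same scan over, say, a page-table or binary region would reveal flips induced by incoming packets.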


TeleHammer: A Formal Model of Implicit Rowhammer
TLDR
This paper questions the necessity of the above requirement and proposes a new class of rowhammer attacks, termed TeleHammer, which can defeat the advanced software-only defenses, is stealthy in hiding itself and is hard to mitigate.
TeleHammer : A Stealthy Cross-Boundary Rowhammer Technique
TLDR
This paper questions the necessity of the above requirement and proposes a new class of rowhammer attacks, termed TeleHammer, which can defeat the advanced software-only defenses, is stealthy in hiding itself and is hard to mitigate.
Understanding Rowhammer Attacks through the Lens of a Unified Reference Framework
TLDR
A novel expressive rowhammer attack that is capable of accumulating injected memory changes and achieving rich attack semantics is proposed, enabling proactive prevention before it causes harm.
RAMBleed: Reading Bits in Memory Without Accessing Them
TLDR
It is demonstrated that Rowhammer is a threat to not only integrity, but to confidentiality as well, by employing Rowhammer as a read side channel, and the first security implication of successfully-corrected bit flips, which were previously considered benign.
RowHammer and Beyond
We will discuss the RowHammer problem in DRAM, which is a prime (and likely the first) example of how a circuit-level failure mechanism in Dynamic Random Access Memory (DRAM) can cause a practical
Triggering Rowhammer Hardware Faults on ARM: A Revisit
TLDR
A thorough study of the unprivileged ARMv8-A cache maintenance instructions is provided, two previously overlooked reasons to support their use in rowhammer attacks are given, and a previously undiscovered instruction is presented that can be exploited to trigger the Rowhammer bug on many ARM-based devices.
Are We Susceptible to Rowhammer? An End-to-End Methodology for Cloud Providers
TLDR
An instruction sequence is developed that leverages microarchitectural side-effects to "hammer" DRAM at a near-optimal rate on modern Intel Skylake and Cascade Lake platforms and a DDR4 fault injector is designed that can reverse engineer row adjacency for any DDR4 DIMM.
RowHammer: A Retrospective
  • O. Mutlu, Jeremie S. Kim
  • Computer Science
    IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
  • 2020
TLDR
A principled approach to memory reliability and security research is described and advocated that can enable us to better anticipate and prevent vulnerabilities in DRAM and other types of memories, as the memory technologies scale to higher densities.
FIPAC: Thwarting Fault- and Software-Induced Control-Flow Attacks with ARM Pointer Authentication
TLDR
FIPAC is an efficient software-based CFI scheme protecting the execution at basic block granularity of upcoming ARM-based devices against software and fault attacks and outperforms related work protecting the control-flow against fault attacks.
One Covert Channel to Rule Them All: A Practical Approach to Data Exfiltration in the Cloud
TLDR
The proposed implementation shows that x86 microarchitectures still present salient vulnerabilities, and that state-of-the-art defence strategies, even theoretical ones, remain unsuccessful at hindering data leakage in multi-tenant environments.

References

SHOWING 1-10 OF 99 REFERENCES
Throwhammer: Rowhammer Attacks over the Network and Defenses
TLDR
This paper shows that an attacker can trigger and exploit Rowhammer bit flips directly from a remote machine by only sending network packets, and proposes protecting unmodified applications with a new buffer allocator that is capable of fine-grained memory isolation in the DRAM address space.
ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks
TLDR
A software-based defense, ANVIL, is developed, which thwarts all known rowhammer attacks on existing systems and is shown to be low-cost and robust, and experiments indicate that it is an effective approach for protecting existing and future systems from even advanced Rowhammer attacks.
Another Flip in the Wall of Rowhammer Defenses
TLDR
Novel Rowhammer attack and exploitation primitives are presented, showing that even a combination of all defenses is ineffective, and a new attack technique, one-location hammering, breaks previous assumptions on requirements for triggering the Rowhammer bug.
Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript
TLDR
This work shows that caches can be forced into fast cache eviction to trigger the Rowhammer bug with only regular memory accesses, and demonstrates a fully automated attack that requires nothing but a website with JavaScript to trigger faults on remote hardware.
SGX-Bomb: Locking Down the Processor via Rowhammer Attack
TLDR
The SGX-Bomb attack that launches the Rowhammer attack against enclave memory to trigger the processor lockdown is introduced, a serious threat especially to the public cloud providers who are supposed to run unknown enclave programs received from their clients, which might shut down their servers shared with other clients.
When good protections go bad: Exploiting anti-DoS measures to accelerate rowhammer attacks
TLDR
The first rowhammer attack that overcomes all three protections when used in tandem is demonstrated, and is enabled by the recently introduced Cache Allocation Technology, a mechanism designed in part to protect virtual machines from inter-VM denial-of-service attacks.
CAn't Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory
TLDR
The design and implementation of a practical and efficient software-only defense against rowhammer attacks, called CATT, is presented, which prevents the attacker from leveraging Rowhammer to corrupt kernel memory from user mode.
FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack
TLDR
This paper presents FLUSH+RELOAD, a cache side-channel attack technique that exploits a weakness in Intel x86 processors to monitor access to memory lines in shared pages, and recovers 96.7% of the bits of the secret key by observing a single signature or decryption round.
A new approach for rowhammer attacks
  • Rui Qiao, Mark Seaborn
  • Computer Science
    2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)
  • 2016
TLDR
This paper proposes a new approach for rowhammer that is based on x86 non-temporal instructions and is much less constrained, for a more challenging task: remote Rowhammer attacks, i.e., triggering Rowhammer with existing, benign code.
Drammer: Deterministic Rowhammer Attacks on Mobile Platforms
TLDR
It is shown that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses, and the first Rowhammer-based Android root exploit is presented, relying on no software vulnerability, and requiring no user permissions.