Theory and Practice of Finding Eviction Sets

Vila, Pepe; Köpf, Boris; Morales, José F.

doi:10.1109/sp.2019.00042

Cited by 93 publications

(93 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…[31,107,190] provide methods for reverse engineering DRAM address mapping such that attackers can determine the two rows that surround a victim row and hammer the victim row more effectively for causing RowHammer failures. [244] provides an algorithm for determining the eviction set of cache lines in linear time such that an attacker can maximize accesses to DRAM even when caching is unavoidable. [17] repurposes a DDR protocol analyzer with a DIMM interposer to count the activations to each row within a 64 ms interval to detect whether RowHammer occurs in any application.…”

Section: E Platforms For Studying Rowhammermentioning

confidence: 99%

RowHammer: A Retrospective

Mutlu

Kim

2020

IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst.

158

129

View full text Add to dashboard Cite

This retrospective paper describes the RowHammer problem in Dynamic Random Access Memory (DRAM), which was initially introduced by Kim et al. at the ISCA 2014 conference [133]. RowHammer is a prime (and perhaps the first) example of how a circuit-level failure mechanism can cause a practical and widespread system security vulnerability. It is the phenomenon that repeatedly accessing a row in a modern DRAM chip causes bit flips in physically-adjacent rows at consistently predictable bit locations. RowHammer is caused by a hardware failure mechanism called DRAM disturbance errors, which is a manifestation of circuit-level cell-to-cell interference in a scaled memory technology.Researchers from Google Project Zero demonstrated in 2015 that this hardware failure mechanism can be effectively exploited by user-level programs to gain kernel privileges on real systems. Many other follow-up works demonstrated other practical attacks exploiting RowHammer. In this article, we comprehensively survey the scientific literature on RowHammer-based attacks as well as mitigation techniques to prevent RowHammer. We also discuss what other related vulnerabilities may be lurking in DRAM and other types of memories, e.g., NAND flash memory or Phase Change Memory, that can potentially threaten the foundations of secure systems, as the memory technologies scale to higher densities. We conclude by describing and advocating a principled approach to memory reliability and security research that can enable us to better anticipate and prevent such vulnerabilities.

show abstract

Section: E Platforms For Studying Rowhammermentioning

confidence: 99%

RowHammer: A Retrospective

Mutlu

Kim

2020

IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst.

158

129

View full text Add to dashboard Cite

show abstract

“…An alternative to the high-resolution timer is a counting thread which is commonly used for microarchitectural attacks in JavaScript [29,53,80]. Furthermore, as the clflush instruction is not available in JavaScript, we resort to Evict+Reload as described in related work [29,76,90]. Instead of measuring only Table 3: We compare microarchitectural attacks on KASLR.…”

Section: Meltdown and Kaslr Break In Javascriptmentioning

confidence: 99%

KASLR: Break It, Fix It, Repeat

Canella

Schwarz

Haubenwallner

et al. 2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

In this paper, we analyze the hardware-based Meltdown mitigations in recent Intel microarchitectures, revealing that illegally accessed data is only zeroed out. Hence, while non-present loads stall the CPU, illegal loads are still executed. We present EchoLoad, a novel technique to distinguish load stalls from transiently executed loads. EchoLoad allows detecting physically-backed addresses from unprivileged applications, breaking KASLR in 40 µs on the newest Meltdown-and MDS-resistant Cascade Lake microarchitecture. As EchoLoad only relies on memory loads, it runs in highly-restricted environments, e.g., SGX or JavaScript, making it the first JavaScriptbased KASLR break. Based on EchoLoad, we demonstrate the first proof-of-concept Meltdown attack from JavaScript on systems that are still broadly not patched against Meltdown, i.e., 32-bit x86 OSs. We propose FLARE, a generic mitigation against known microarchitectural KASLR breaks with negligible overhead. By mapping unused kernel addresses to a reserved page and mirroring neighboring permission bits, we make used and unused kernel memory indistinguishable, i.e., a uniform behavior across the entire kernel address space, mitigating the root cause behind microarchitectural KASLR breaks. With incomplete hardware mitigations, we propose to deploy FLARE even on recent CPUs. CCS CONCEPTS • Security and privacy → Operating systems security.

show abstract

“…Then they conduct dynamic remapping to change the mapping strategy from time to time so as to bring randomness. They, however, have recently been found insecure against the state-of-the-art attacking algorithm with linear complexity [35], [40], [45]. To prevent the state-of-the-art attack, these countermeasures need an extremely frequent remapping, which will cause unacceptable performance overhead [35].…”

Section: Introductionmentioning

confidence: 99%

PhantomCache: Obfuscating Cache Conflicts with Localized Randomization

Tan¹,

Zeng²,

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Cache conflicts due to deterministic memory-tocache mapping have long been exploited to leak sensitive information such as secret keys. While randomized mapping is fully investigated for L1 caches, it still remains unresolved about how to secure a much larger last-level cache (LLC). Recent solutions periodically change the mapping strategy to disrupt the crafting of conflicted addresses, which is a critical attack procedure to exploit cache conflicts. Remapping, however, increases both miss rate and access latency. We present PhantomCache for securing an LLC with remapping-free randomized mapping. We propose a localized randomization technique to bound randomized mapping of a memory address within only a limited number of cache sets. The small randomization space offers fast set search over an LLC in a memory access. The intrinsic randomness still suffices to obfuscate conflicts and disrupt efficient exploitation of conflicted addresses. We evaluate PhantomCache against an attacker exploring the state-of-the-art attack with linear-complexity. To secure an 8-bank 16 MB 16-way LLC, PhantomCache confines randomization space of an address within 8 sets and brings only 1.20% performance degradation on individual benchmarks, 0.50% performance degradation on mixed workloads, and 0.50% storage overhead per cache line, which are 2x and 9x more efficient than the state-of-the-art solutions. Moreover, PhantomCache is solely an architectural solution and requires no software change. * Qinhan Tan and Zhihua Zeng have contributed equally and are considered to be co-first authors.

show abstract

Theory and Practice of Finding Eviction Sets

Cited by 93 publications

References 28 publications

RowHammer: A Retrospective

RowHammer: A Retrospective

KASLR: Break It, Fix It, Repeat

PhantomCache: Obfuscating Cache Conflicts with Localized Randomization

Contact Info

Product

Resources

About