Projekte pro Jahr
While the hypervisor enforces software isolation, shared hardware, such as the CPU cache or memory bus, can leak sensitive information.
For security reasons, shared memory between tenants is typically disabled. Furthermore, tenants often do not share a physical CPU.
In this setting, cache attacks do not work and only a slow cross-CPU covert channel over the memory bus is known.
In contrast, we demonstrate a high-speed covert channel as well as the first side-channel attack working across processors and without any shared memory. To build these attacks, we use the undocumented DRAM address mappings.
We present two methods to reverse engineer the mapping of memory addresses to DRAM channels, ranks, and banks. One uses physical probing of the memory bus, the other runs entirely in software and is fully automated.
Using this mapping, we introduce DRAMA attacks, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems.
Thus, our attacks work in the most restrictive environments.
First, we build a covert channel with a capacity of up to 2\,Mbps, which is three to four orders of magnitude faster than memory-bus-based channels.
Second, we build a side-channel template attack that can automatically locate and monitor memory accesses.
Third, we show how using the DRAM mappings improves existing attacks and in particular enables practical Rowhammer attacks on DDR4.
|Titel||Proceedings of the 25th USENIX Security Symposium|
|ISBN (elektronisch)||978 -1- 931971-32- 4|
|Publikationsstatus||Veröffentlicht - 2016|
MEMSEC - Integration Memory Security Unit für Automotive Test Systeme.[Originaler Titel in Englisch: Embedded Memory Security Unit for Automotive Test Systems]
1/09/14 → 31/08/17
Matthew - [Original in Englisch: Multi-entity-security using active Transmission Technology for improved Handling of Exportable security credentials Without privacy restrictions (MATTHEW Project)]
Hanser, C., Wenger, E., Korak, T., Groß, H., Mangard, S. & Unterluggauer, T.
1/11/13 → 31/10/16