RAMBleed: Reading bits in memory without accessing them

Andrew Kwong, Daniel Genkin, Daniel Gruss, Yuval Yarom

Publikation: Beitrag in Buch/Bericht/KonferenzbandBeitrag in einem Konferenzband

Abstract

The Rowhammer bug is a reliability issue in DRAM cells that can enable an unprivileged adversary to flip the values of bits in neighboring rows on the memory module. Previous work has exploited this for various types of fault attacks across security boundaries, where the attacker flips inaccessible bits, often resulting in privilege escalation. It is widely assumed however, that bit flips within the adversary's own private memory have no security implications, as the attacker can already modify its private memory via regular write operations.We demonstrate that this assumption is incorrect, by employing Rowhammer as a read side channel. More specifically, we show how an unprivileged attacker can exploit the data dependence between Rowhammer induced bit flips and the bits in nearby rows to deduce these bits, including values belonging to other processes and the kernel. Thus, the primary contribution of this work is to show that Rowhammer is a threat to not only integrity, but to confidentiality as well.Furthermore, in contrast to Rowhammer write side channels, which require persistent bit flips, our read channel succeeds even when ECC memory detects and corrects every bit flip. Thus, we demonstrate the first security implication of successfully-corrected bit flips, which were previously considered benign.To demonstrate the implications of this read side channel, we present an end-to-end attack on OpenSSH 7.9 that extracts an RSA-2048 key from the root level SSH daemon. To accomplish this, we develop novel techniques for massaging memory from user space into an exploitable state, and use the DRAM rowbuffer timing side channel to locate physically contiguous memory necessary for double-sided Rowhammering. Unlike previous Rowhammer attacks, our attack does not require the use of huge pages, and it works on Ubuntu Linux under its default configuration settings.

Originalspracheenglisch
TitelProceedings - 2020 IEEE Symposium on Security and Privacy, SP 2020
Herausgeber (Verlag)Institute of Electrical and Electronics Engineers
Seiten695-711
Seitenumfang17
ISBN (elektronisch)9781728134970
DOIs
PublikationsstatusVeröffentlicht - Mai 2020
Veranstaltung41st IEEE Symposium on Security and Privacy - Virtuell, USA / Vereinigte Staaten
Dauer: 18 Mai 202020 Mai 2020

Konferenz

Konferenz41st IEEE Symposium on Security and Privacy
KurztitelSP 2020
LandUSA / Vereinigte Staaten
OrtVirtuell
Zeitraum18/05/2020/05/20

ASJC Scopus subject areas

  • !!Safety, Risk, Reliability and Quality
  • Software
  • !!Computer Networks and Communications

Fingerprint

Untersuchen Sie die Forschungsthemen von „RAMBleed: Reading bits in memory without accessing them“. Zusammen bilden sie einen einzigartigen Fingerprint.

Dieses zitieren