DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks

Peter Peßl, Daniel Gruss, Clementine Lucie Noemie Maurice, Michael Schwarz, Stefan Mangard

Research output: Chapter in Book/Report/Conference proceedingConference contributionResearchpeer-review

Abstract

In cloud computing environments, multiple tenants are often co-located on the same multi-processor system. Thus, preventing information leakage between tenants is crucial.
While the hypervisor enforces software isolation, shared hardware, such as the CPU cache or memory bus, can leak sensitive information.
For security reasons, shared memory between tenants is typically disabled. Furthermore, tenants often do not share a physical CPU.
In this setting, cache attacks do not work and only a slow cross-CPU covert channel over the memory bus is known.
In contrast, we demonstrate a high-speed covert channel as well as the first side-channel attack working across processors and without any shared memory. To build these attacks, we use the undocumented DRAM address mappings.

We present two methods to reverse engineer the mapping of memory addresses to DRAM channels, ranks, and banks. One uses physical probing of the memory bus, the other runs entirely in software and is fully automated.
Using this mapping, we introduce DRAMA attacks, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems.
Thus, our attacks work in the most restrictive environments.
First, we build a covert channel with a capacity of up to 2\,Mbps, which is three to four orders of magnitude faster than memory-bus-based channels.
Second, we build a side-channel template attack that can automatically locate and monitor memory accesses.
Third, we show how using the DRAM mappings improves existing attacks and in particular enables practical Rowhammer attacks on DDR4.
Original languageEnglish
Title of host publicationProceedings of the 25th USENIX Security Symposium
Pages565-581
Number of pages18
ISBN (Electronic) 978 -1- 931971-32- 4
Publication statusPublished - 2016

Fingerprint

Dynamic random access storage
Program processors
Data storage equipment
Cloud computing
Computer hardware
Engineers

Cite this

Peßl, P., Gruss, D., Maurice, C. L. N., Schwarz, M., & Mangard, S. (2016). DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks. In Proceedings of the 25th USENIX Security Symposium (pp. 565-581)

DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks. / Peßl, Peter; Gruss, Daniel; Maurice, Clementine Lucie Noemie; Schwarz, Michael; Mangard, Stefan.

Proceedings of the 25th USENIX Security Symposium. 2016. p. 565-581.

Research output: Chapter in Book/Report/Conference proceedingConference contributionResearchpeer-review

Peßl, P, Gruss, D, Maurice, CLN, Schwarz, M & Mangard, S 2016, DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks. in Proceedings of the 25th USENIX Security Symposium. pp. 565-581.
Peßl P, Gruss D, Maurice CLN, Schwarz M, Mangard S. DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks. In Proceedings of the 25th USENIX Security Symposium. 2016. p. 565-581
Peßl, Peter ; Gruss, Daniel ; Maurice, Clementine Lucie Noemie ; Schwarz, Michael ; Mangard, Stefan. / DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks. Proceedings of the 25th USENIX Security Symposium. 2016. pp. 565-581
@inproceedings{1973d03af5db4fa7a6b6ed934eff12ff,
title = "DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks",
abstract = "In cloud computing environments, multiple tenants are often co-located on the same multi-processor system. Thus, preventing information leakage between tenants is crucial.While the hypervisor enforces software isolation, shared hardware, such as the CPU cache or memory bus, can leak sensitive information.For security reasons, shared memory between tenants is typically disabled. Furthermore, tenants often do not share a physical CPU.In this setting, cache attacks do not work and only a slow cross-CPU covert channel over the memory bus is known.In contrast, we demonstrate a high-speed covert channel as well as the first side-channel attack working across processors and without any shared memory. To build these attacks, we use the undocumented DRAM address mappings.We present two methods to reverse engineer the mapping of memory addresses to DRAM channels, ranks, and banks. One uses physical probing of the memory bus, the other runs entirely in software and is fully automated. Using this mapping, we introduce DRAMA attacks, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems.Thus, our attacks work in the most restrictive environments.First, we build a covert channel with a capacity of up to 2\,Mbps, which is three to four orders of magnitude faster than memory-bus-based channels. Second, we build a side-channel template attack that can automatically locate and monitor memory accesses.Third, we show how using the DRAM mappings improves existing attacks and in particular enables practical Rowhammer attacks on DDR4.",
author = "Peter Pe{\ss}l and Daniel Gruss and Maurice, {Clementine Lucie Noemie} and Michael Schwarz and Stefan Mangard",
year = "2016",
language = "English",
pages = "565--581",
booktitle = "Proceedings of the 25th USENIX Security Symposium",

}

TY - GEN

T1 - DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks

AU - Peßl, Peter

AU - Gruss, Daniel

AU - Maurice, Clementine Lucie Noemie

AU - Schwarz, Michael

AU - Mangard, Stefan

PY - 2016

Y1 - 2016

N2 - In cloud computing environments, multiple tenants are often co-located on the same multi-processor system. Thus, preventing information leakage between tenants is crucial.While the hypervisor enforces software isolation, shared hardware, such as the CPU cache or memory bus, can leak sensitive information.For security reasons, shared memory between tenants is typically disabled. Furthermore, tenants often do not share a physical CPU.In this setting, cache attacks do not work and only a slow cross-CPU covert channel over the memory bus is known.In contrast, we demonstrate a high-speed covert channel as well as the first side-channel attack working across processors and without any shared memory. To build these attacks, we use the undocumented DRAM address mappings.We present two methods to reverse engineer the mapping of memory addresses to DRAM channels, ranks, and banks. One uses physical probing of the memory bus, the other runs entirely in software and is fully automated. Using this mapping, we introduce DRAMA attacks, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems.Thus, our attacks work in the most restrictive environments.First, we build a covert channel with a capacity of up to 2\,Mbps, which is three to four orders of magnitude faster than memory-bus-based channels. Second, we build a side-channel template attack that can automatically locate and monitor memory accesses.Third, we show how using the DRAM mappings improves existing attacks and in particular enables practical Rowhammer attacks on DDR4.

AB - In cloud computing environments, multiple tenants are often co-located on the same multi-processor system. Thus, preventing information leakage between tenants is crucial.While the hypervisor enforces software isolation, shared hardware, such as the CPU cache or memory bus, can leak sensitive information.For security reasons, shared memory between tenants is typically disabled. Furthermore, tenants often do not share a physical CPU.In this setting, cache attacks do not work and only a slow cross-CPU covert channel over the memory bus is known.In contrast, we demonstrate a high-speed covert channel as well as the first side-channel attack working across processors and without any shared memory. To build these attacks, we use the undocumented DRAM address mappings.We present two methods to reverse engineer the mapping of memory addresses to DRAM channels, ranks, and banks. One uses physical probing of the memory bus, the other runs entirely in software and is fully automated. Using this mapping, we introduce DRAMA attacks, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems.Thus, our attacks work in the most restrictive environments.First, we build a covert channel with a capacity of up to 2\,Mbps, which is three to four orders of magnitude faster than memory-bus-based channels. Second, we build a side-channel template attack that can automatically locate and monitor memory accesses.Third, we show how using the DRAM mappings improves existing attacks and in particular enables practical Rowhammer attacks on DDR4.

M3 - Conference contribution

SP - 565

EP - 581

BT - Proceedings of the 25th USENIX Security Symposium

ER -