Rowhammer and Microarchitectural Attacks

Rowhammer and Microarchitectural dishonorsProblem 1 Hardw be Oriented Security and cussProblem 2 Wire slight Ne dickensrkingProblem 1IntroductionThe gagevas paper deals with Side- logical argument oncomings on brisk devices, providing a thorough categorization base on some(prenominal) factors. Side- stemma antiaircraft guns aims to extract sensitive information taking benefit of app atomic number 18ntly harmless information leakage of computing devices, both from the SW and HW point of view. Side- enrapture ardors be initi exclusivelyy categorized as dynamical or passive, looking on the level of influence and involvement the attack has on the system. The design of Softw ar and Hardwargon attacks atomic number 18 determine to sepa grade attacks that exploit, respectively, logical and strong-arm properties of a device. Also the distance of an aggressor is a relevant fixings in the analysis of Side-channel attacks. The authors distinguish among Local, Vicinity and Rem ote Side Channel Attacks, depending on how close is the assaulter to the attacked device. A comprehensive list of examples for any type of attacks is given, along with a constructive discussion on potential countermeasures.In this report, we will focus on the Rowhammer and Microarchitectural attacks that will be discussed in the fol firsting paragraphs.a) Rowhammer AttackAs miniaturization of hardw atomic number 18 architectures is pushed to a greater extent and more, the tightness of retention cells of the dram drives the size of these cells to a dramatic reduction in dimensions. For the intrinsic properties of fluid drams, this leads to a decreases in the charge of single cells and could exertion electromagnetic brace effects between cells. Rowhammer attack takes gain of this Hardw atomic number 18 vulnerability.a.i) rulerThe Rowhammer glitch takes place in a densely-populated cell hardw atomic number 18 environment allowing an assailant to modify storage cells witho ut directly accessing it. The aforementioned vulnerability in DRAM cells spate be exploited by repeatedly accessing a certain physical retrospection location until a function flips in an attached cell. A well-orchestrated Rowhammer attack could apply devastating power, even acquiring to have root privileges. Rowhammer base its strength on a dominion called Flip Feng Shui 2 where the attacker ab delectations the physical keeping allocator to strike very(prenominal) hardw are locations and ca office bits to flip in attacker-chosen sensitive data. Rowhammer good deal be both probabilistic 3 or deterministic 4. The latter shows a great impact as the lack of control of the first one could mollycoddle unintended data. The most effective Rowhammer attack is the double-sided Rowhammer 5, competent of having more flips in less clock than other approaches.a.ii) ArchitectureThe accusatory of Rowhammer attack is the DRAM. DRAM usually stores electric chargesin an array of cells, typically implemented with with(predicate) a capacitor and an access transistor. Cells are then organized in rows. Thus stock cells inherently have a particular(a) storage clock time and they have to be refreshed regularly in magnitude to keep their data. From an OS point of view, a rogue frame is the smallest fixed-length contiguous block of physical memory that maps an OS memory page. From a DRAM point of view, a page frame is just a straighta panache collection of memory cells with a fixed page size (usually 4KB). With this in mind, triggering bit flips finished Rowhammer is basically a race against the DRAM knowledgeable memory refresh scheme to have enough memory accesses and cause sufficient disturbance to adjacent rows.a.iii) discipline Set ArchitectureThe Instruction Set Architecture (ISA) is a functional itemation of a processor programming interface. It is employ to abstract over microarchitecture implementation details (e.g. pipelines, bolshie slots an d squirrel a substances) that are functionally irrelevant to a programmer. Even though it is a lot transparent, the microarchitecture incorporates a hidden state, which nates be observed in several instructions. To test whether Rowhammer john be exploited, a precise knowledge of memory cells dimension is crucial. In mobile devices, ramification processor dos the most far-flung and used microprocessor. In 4 the authors determine the minimum memory access time that still results in bit flips by hammering 5MB of physical memory while increasing the time between two read operations by means of inserting NOP instructions. The rows are all initialized to a certain value, therefrom all the changes are due to Rowhammer. Results show that up to 150 bit flips happen per minutes with around 150 ns read time.a.iv) ProcedureThe Rowhammer attack procedure is a combination of three main(prenominal) system primitivesP1. degenerate Un save upd reminiscence Access Enable attackers to activ ate alternating rows in severally bank fast enough to trigger the Rowhammer bugP2. Physical entrepot Massaging The attacker tricks the dupe segment into storing warranter-sensitive data (e.g., a page table) in an attacker-chosen, vulnerable physical memory page.P3. Physical Memory Addressing To serve double-sided Rowhammer, an attacker needs to repeatedly access specific physical memory pages. rambling devices have Direct Memory Access (DMA) mechanisms that facilitates the implementation of P1 and P3. In particular, android devices run ION, a DMA that allows user unprivileged apps to access uncached physically contiguous memory. To enforce P2 the attacker tricks the physical memory allocator built in Linux (buddy allocator) so as to partition the memory in a predictable bureau. accurately selecting the dimensions of memory chunks to allocate, memory cells dejection be exhausted with Phys Feng Shui. at a time the position of Page Table Pages (PTPs) and Page Table Entries (PT Es) is indirectly kn bear, double-sided Rowhammer is performed. formerly the desired flip triggered, write access is gained to the page table by mapping into the attacker address space. Modifying one of the attacker PTPs, any page in physical memory can be accessed, including amount of money memory.b) Microarchitectural attackThe evolution of hardware architecture lead to a wide use of cache memories. Having several levels of cache between a CPU and the main memory, dos optimizing the memory access time with respect to the clock frequency. Microarchitectural attacks take advantage of the timing behavior of caches (e.g. execution times, memory accesses) to read into sensitive information.In 6 a comprehensive watch over that presents microarchitectural attacks is given.b.i) PrincipleMicroarchitectural attacks are based on polar cache exploitations. Among them, three main modes are identified gush + Probe The attacker fills one or more sets of the cache with its own lines. Once the victim has kill, the attacker accesses its previously-loaded lines, to probe if any were evicted showing the victim have modified an address mapping the same set.Flush + recharge Its the inverse of Prime+Probe where the attacker first flushes a shared line of interest. Once the victim has executed, the attacker then reloads the evicted line by touching it, measuring the time taken. A fast reload indicates that the victim touched this line (reloading it), while a slow reload indicates that it didnt. banish + Time The attacker first tricks the victim to run, through the preload of its working set, and fall in a baseline execution time. In a second ill-treat the attacker then eliminates a line and runs the victim again. The difference in execution time indicates that the analyzed line was accessed.All microarchitectural attacks are a combination of those previously explained principles. Another noteworthy approach is ca use defense team of Service (DoS) saturating the lower- level cache bus 7..b.ii) ArchitectureAs mentioned before, microarchitectural attacks objective is the cache. Caches are organized into lines. A cache line holds a block of adjacent bytes that are taken from memory. Cache are further organized in levels. Each level has a distinguishable size and is carefully selected to fit service time to the next highest (smaller in dimension therefore faster) level. Caches can enforce either realistic or Physical addressing. In Virtual addressing, L1 cache level stores the index of virtual-to-physical addresses..b.iii) Instruction Set ArchitectureThe induction process of the internal state of the cache is a separate debate to perform devastating microarchitectural attacks. Analyzing the ISA of a cache can provide an attacker with useful information about the hardware structure. Several different states can be exploited and are briefly summarized hereThread-shared State cache stores information that are shared between threads. Accessing them could lead to performance adulteration of the involved threads.Core-shared state Analyzing L1 and L2 cache contention usage between competing threads, it is feasible to infer the encryption keys for algorithm used in internal conference (e.g. RSA, AES).Package-shared State Running a program concurrently in different cores residing in the same package, could lead to the saturation of that packages last-level cache (LLC). The saturation affects all the lower levels, exposing sensitive data.Numa-shared State Memory controllers memory in multi-core systems are exploited to enforce DoS attacks..b.iv) ProcedureA plethora of attacks are presented in 6, therefore the procedure of the Flush + Reload for humanoid systems using ARM processors 8 is discussed.The most powerful methods to perform Flush + Reload is to use the Linux System Call clflush. However it is provided by the OS on x86 systems, on mobile devices using ARM this function is not lendable. A less powerful version of it is c learcache and is used in 8.When the attack starts, the service component inside the attacker app creates a new thread,which calls into its native component to contract Flush-Reload operations in the backgroundFlush The attacker invokes clearcache to flush a function in the code section of this shared line.Flush-Reload interval The attacker waits for a fixed time for the victim to execute the function.Reload The attacker executes the function and measures the time of execution. With a small execution time, the function has been executed (from L2 cache) by some other apps (possibly the victims).In 8 the authors show that this method is capable of detecting hardware events (touchscreen interrupts, credit card scanning) and also tracing software executions paths.c) Rowhammer vs Microarchitectural attackFollowing the categorization used in 1, both Rowhammer and Microarchitectural attacks are active software attacks that exploits physical properties of the victim device. In particular R owhammer uses the coupling effect of DRAM cells while Microarchitectural attacks gather sensitive information through the analysis of cache timing. The two attacks act at two different levels while Rowhammer needs to work fast on an uncached DRAM, Microarchitectural attack objective are cache memories that are usually SRAM. Both of them can be applied to desktop and to mobile OS 48, as well as cloud environments.c) Mobile vs Desktop attacksMobile devices are inherently more vulnerable than Desktop computers. Their portability and close integration with everyday life tell on them more available to attackers. Moreover, apps are way more easy to ready on mobile devices and general carelessness helps hackers in installing despiteful software. Also, with respect to desktop computers, mobile phones have several sensors that can be exploited to gather information about users behavior. But from a OS point of view, mobile OS are way more limited than Desktop OS. Specifically, Rowhammer su ffers from the limited subset of features available in desktop environments (e.g. no encourage for huge pages, memory deduplication, MMU paravirtualization). Same limitations happens in Microarchitectural attacks for ARM , where clflush function to perform Flush + Reload is not supported.2) NAND MirroringNAND mirroring is categorized in 1 as an active local Side Channel attack that exploits physical properties out of a device chip. In particular, in 13 a NAND mirroring attack is performed on an iPhone 5c. The tri only whene of Apple iPhone 5c became an objective of study after FBI recovered such mobile device from a terrorist suspect in December 2015. As FBI was inefficient to retrieve data, NAND mirroring was suggested by Apple technology specialists as an optimal way to gain unlimited passcode attempts so as to bruteforce it. As the encryption key is not accessible from runtime code and its hardcoded in the CPU, it is impossible to brute-force the Passcode key without the acq uire at the hardware level. In iPhones such memory is a NAND winking memory. In NAND memories the cells are attached in series which reduces the cell size, further increases the number of faulty cells. For this reason, external error decryion strategies are required. To help with that, NAND memory allocates additional space for error correction data. In 13 the authors desoldered the NAND memory and mirrored it on a backup file. Although this method seems promising, several challenges were encountered by the authors, who had to balance some electrical anomalies with additional circuitry and also mechanically deal in a PCB at every attempt of bruteforcing the iPhone code. Such method could be applied to Desktop Computers, but the complexity of NAND memories would be way higher and it may unfeasible, in terms of time and complexity, to perform such attack.CountermeasuresSide-channel attacks are discovered and presented to the scientific world on a effortless basis and suitable de fense mechanisms are often not insofar implemented or cannot be simply deployed.Even though countermeasures are being studied, it looks like a race between attackers and system engineers move to make systems more secure and reliable.3.a) Rowhammer AttackCountermeasures against Rowhammer have already been exhaustively explored, but not many are actually applicable in the mobile context. Powerful functions as CLFLUSH 9 and pagemap 10 have been disabled for users apps, but Rowhammer can still be performed through JavaScript. Furthermore, analyzing the cache hits and miss could raise a flag of alarm, but methods such as 4 dont cause any miss. break correcting codes arent even that efficient in correcting bit flips. Most hardware vendors manifold the DRAM refresh rate, but results in 11 show that refresh rate would need to be improved by 8 times. Moreover, the power exercise would increase, reservation this solution not suitable for mobile devices. In Android devices Rowhammer att acks, the biggest threat is still user apps being able to access ION. Google is underdeveloped mechanisms so as to avoid it to happen in a malevolent way. One solution could be to isolate ION regions controlled by user apps from kernel memory, in order to avoid adjacent regions. But even in the absence of ION an attacker could force the buddy allocator to reserve memory in kernel memory zones by occupying all the memory available for users apps. Prevention of memory exhaustion need to be considered to avoid Rowhammer countermeasures workarounds.3.b) Microarchitectural AttackAs the final goal of microarchitectural attack is deciphering cryptographic codes (e.g. AES), a sincere approach to protect them would be to avoid having tight data-dependencies (e.g sequence of cache line accesses or branches must not depend on data). If they depend on private data, the sequence, the program is destined to leak information through the cache. The constant-time implementation of modular exponen tiation approach 12 represents a good way to fight data dependency. These are more general rules to follow, whether to combat specific attacks such as Flush + Reload in mobile devices with ARM 8. Disabling the system interfaces to flush the instruction caches, the Flush-Reload side channels can be removed entirely from ARM-based devices, but feasibility and security of this method havent been studied yet. Also, by removing system calls to have accurate time from Android could mitigate all timing side channels. Another way to fight Flush + Reload would be by preventing physical memory sharing between apps, but that would cause the memory footprint to distend and therefore exposing the system to other Sidechannel attacks.Problem 2Protocol visualizeThe proposed solution for Problem 1 is represented in Figure 1. To mold this conundrum, four moments in which the Path-centric channel assignment algorithm from 14 are identified B receives a big money on its Channel 1 and, as an interf erer is acting on Channel 1 on node A, B cant transmit. B1 is the active subnode, B2 and B3 are inactive subnodes. B switches from Channel 1 to Channel 2 (total cost 3), and forward the software program to A through Channel 2 (total cost 3+6=9). B2 is the active subnode, B1 and B3 are inactive subnodes. A2 is the active subnode, A1 and A3 are inactive subnodes. A can either transmit on Channel 2 and Channel 3, but transmit on Channel 2 is more expensive, so it switches to Channel 3 (total cost 9+3=12). A3 is the active subnode, A1 and A2 are inactive subnodes A send the packet at C through Channel 3 (total cost 12+2=14).Network ApplicationsIn our K-out-of-N system we are interested in understanding how much is a probability of get errors in sensing from N sensor, where K represent a door for accepting a reliable meter. This reasoning follows the binomial distributionIn our case at each node, errors can be induced by a false measurement (with probability ) or by channel flipping a bit during the over-the-air time (with probability ). Therefore for our N-out-of-K nodes system we haveAssuming that and are independent, the final probability of having an erroneous detection is a linear combination of the twoFor completion, the probability of a successful measurement and transmission is .Network StandardsSpectrum scarcity is a widely known problem in the world of radio receiver communications. The explosive wireless traffic increment pushes academia and industry to research novel solutions to this problem. Deploying LTE in unlicensed spectrum brings up the conflict problem of LTE-WiFi coexistence. This conflict can be analyzed with a close look at 802.11 mackintosh level. In Figure 2, a comparison between WLAN mac layer and what is casually called MAC in LTE is depicted 19.WiFi 802.11 uses CSMA/CA to regulate accesses in MAC layer. In CSMA, a node senses the traffic before transmitting over the channel. If a carrier signal is sensed in the channel, the nod e waits until its free. In particular, in CSMA/CA the backoff time of a node is exponential.In LTE, ternary access is handled through TDMA (Time Division Multiple Access) meaning that all accesses to the channel are scheduled.Historically LTE has been developed for environments with little baulk, while WiFi combats tour of duty in ISM with CSMA. Using them in the same spectrum would see LTE grand over WiFi, causing sever performance degradation in both the cases. Several solutions has been proposed and implemented in the past years. Qualcomm 15 and Huawei 16 proposed a separation in time and frequency domain. In 17 a Technology Independent Multiple-Output approach approach is presented so as to clean interfered 802.11 signals. This method was made more robust in 18 but still they relied on the fact that at least one signal from the two technologies had a clear reference. vocation demands analysis could help mitigate the performance drop due to interference, but even with an ac curate demand estimation, only one can be active at a certain time and frequency, limiting the boilers suit throughput.When interference is high, packet transmission is corrupted and error correction strategies are needed.In WiFi, standard Forward Error Correction (FEC) is used. In FEC, a circumlocution is added to the transmitted packet, so as a receiver can detect and eventually correct the wrong received bits.On the other hand, LTE uses HARQ (Hybrid-Automated Repeat reQuest) which is a combination of FEC and ARQ. In the standard implementation of ARQ, redundancy bits are embedded in the packets for error detection. When a corrupted packet is received, the receiver request a new packet to the transmitter. In HARQ, FEC codes are encoded in the packet, so as the receiver can directly correct wrong bits, when a known subset of errors is detected. If an uncorrectable error happens, the ARQ method is used to request a new packet. Hybrid ARQ performs better than ARQ in low signal cond itions, but leads to an unfavorable throughput when the signal is good.To better see this interference behavior, a small simulation has been performed using ns3, in particular the LAA-WiFi-coexistence program library 20. The scenario was built using two cells whose radio coverage overlaps. The technologies used are LTE Licensed Assisted Access (LAA) operating on EARFCN 255444 (5.180 GHz), and Wi-Fi 802.11n operating on channel 36 (5.180 GHz). Two base station positioned at 20 mt distance from another, and they both have one user connected to them at a distance of 10 mt. Both BS are connected to a backhaul lymph gland node that originates UDP in the downlink direction from client to UE(s). In Figure 3(a) and Figure 3(b), we see how the throughput and the number of packets received by the WiFi BS varies when the two BSs coverage area overlaps and when they are set-apart (e.g. their distance is 10 Km). Other scenarios were tested Figure 4 (a) represent the scenario of two WiFi BSs a nd Figure 4(b) two LTE BSs. It is possible to see the behavior of the two technologies.Table 1Throughput AThroughput BPacket loss APacket loss BDistant BSs Figure 3(a)73.78 Mbps77.55 Mbps4.6%0%Interfering BSs Figure 3(b)73.62 Mbps4.95 Mbps4.8%93%Two WiFi BSsFigure 4(a)53.45 Mbps54.41 Mbps27%25%Two LTE BSsFigure 4 (b)30.88 Mbps30.4 Mbps60%61%In Figure 4(a) we can see how the channel is split between the two BSs and the Carrier spotting Multiple Access keeps a high throughput and a low packet loss.In Figure 4(b) we can see how the interference between the two LTE cells affects the throughput and gives a high packetloss.In Table 1 results from simulations are summarized.References1 R. Spreitzer, V. Moonsamy, T. Korak, S. Mangard. dictatorial Classification of Side-Channel Attacks on Mobile Devices ArXiv20162 K. Razavi, B. Gras, E. Bosman, B. Preneel, C. Giurida, and H. Bos. Flip Feng Shui Hammering a chevy in the Software Stack. In Proceedings of the 25th USENIX Security Symposium, 2016.3 D. Gruss, C. Maurice, and S. Mangard. Rowhammer.js A Remote Software-Induced FaultAttack in JavaScript. In Proceedings of the thirteenth concourse on Detection of Intrusions and Malware Vulnerability Assessment (DIMVA), 2016.4 V. van der Veen, Y. Fratantonio, M. Lindorfer, D. Gruss, C. Maurice, G. Vigna, H. Bos, K. Razavi, and C. Giuffrida, Drammer deterministic Rowhammer Attacks on Mobile Platforms, in Conference on Computer and communications Security CCS 2016. ACM, 2016,pp. 1675-1689.5 Z. B. Aweke, S. F. Yitbarek, R. Qiao, R. Das, M. Hicks, Y. Oren, and T. Austin. ANVILSoftware-Based Protection Against Next-Generation Rowhammer Attacks. In Proceedings of the 21st ACM planetary Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), 2016.6 Ge, Q., Yarom, Y., Cock, D., Heiser, G. (2016).A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. Journal of Cryptographic Engineering7 ding HyukWoo and Hsien-Hsin S. Lee. Analyzing performance vulnerability due to resource denial of service attack on chip multiprocessors. In Workshop on Chip Multiprocessor Memory Systems and Interconnects, Phoenix, AZ, US, 2007.8 X. Zhang, Y. Xiao, and Y. Zhang, Return-Oriented Flush-Reload Side Channels on ARM and Their Implications for Android Devices in Conference on Computer and Communications Security CCS 2016. ACM, 2016, pp. 858-870.9 M. Seaborn and T. Dullien. Exploiting the DRAM Rowhammer Bug to upgrade Kernel Privileges. In Black Hat USA (BH-US), 2015.10 M. Salyzyn. AOSP Commit 0549ddb9 upriver pagemap do not leak physical addresses to non-privileged userspace. http//goo.gl/Qye2MN,November 2015.11 Y. Kim, R. Daly, J. Kim, C. Fallin, J. H. Lee, D. Lee, C. Wilkerson, K. Lai, and O. Mutlu. Flipping Bits in Memory Without Accessing Them An experimental Study of DRAM Disturbance Errors. In Proceedings of the 41st transnational Symposium on ComputerArchitecture (ISCA), 2014.12 Ernie Brickel l. Technologies to improve platform security. Workshop on Cryptographic Hardware and Embedded Systems11 Invited Talk, September 2011.13 S. Skorobogatov, The Bumpy Road Towards iPhone 5c NAND Mirroring, arXiv ePrint Archive, cut across 1609.04327, 2016.14 Xin, Chunsheng, Liangping Ma, and Chien-Chung Shen. A path-centric channel assignment framework for cognitive radio wireless networks Mobile Networks and Applications 13.5 (2008) 463-476.15 Qualcomm wants LTE deployed in unlicensed spectrum. http//www.fiercewireless.com/story/qualcomm-wants-lte-deployed-unlicen%sed-spectrum/2013-11-2116 Huawei U-LTE solution creates new grocery opportunities for mobile operators. http//www.huawei.com/ilink/en/about-huawei/newsroom/ press-release/HW 3%27768.17 S. Gollakota, F. Adib, D. Katabi, and S. Seshan. Clearing the RF smog making 802.11 robust to cross-technology interference. In Proc. of ACM SIGCOMM, 2011.18 Y. Yubo, Y. Panlong, L. Xiangyang, T. Yue, Z. Lan, and Y. Lizhao. ZIMO building cros s-technology MIMO to harmonize Zigbee smog with WiFi flash lamp without intervention. In Proc. of MobiCom, 2013.19 Long-Term Evolution Protocol How the Standard Impacts Media Access overtop Tim Godfrey WMSG Advanced Technology, http//www.nxp.com/files-static/training_presentation/TP_LTE_PHY_MAC.pdf20 https//www.nsnam.org/wiki/LAA-WiFi-Coexistence