TRRespass: Exploiting the Many Sides of Target Row Refresh
https://www.vusec.net/projects/trrespass/ [www.vusec.net]
2020-03-11 03:48
tags:
hardware
investigation
paper
security
sidechannel
systems
Well, after two years of rigorous research, looking inside what is implemented inside CPUs and DDR4 chips using novel reverse engineering techniques, we can tell you that we do not live in a Rowhammer-free world. And we will not for the better part of this decade. Turns out while the old hammering techniques no longer work, once we understand the exact nature of these mitigations inside modern DDR4 chips, using new hammering patterns it is trivial to again trigger plenty of new bit flips. Yet again, these results show the perils of lack of transparency and security-by-obscurity. This is especially problematic since unlike software vulnerabilities, we cannot fix these hardware bit flips post-production.
source: L
ECCploit: ECC Memory Vulnerable to Rowhammer Attacks After All
https://www.vusec.net/projects/eccploit/ [www.vusec.net]
2018-11-23 21:03
tags:
exploit
hardware
investigation
paper
security
sidechannel
Where many people thought that high-end servers were safe from the (unpatchable) Rowhammer bitflip vulnerability in memory chips, new research from VUSec, the security group at Vrije Universiteit Amsterdam, shows that this is not the case. Since prominent security researchers and companies have suggested that ECC provides pretty good protection [1,2,3], and exploitable bitflips on ECC memory are seen by many as the “unholy grail” for Rowhammer attacks, the new attack to reliably flip bits that completely bypass ECC protection is a major step forward in Rowhammer research.
To answer the research question above, we first needed to fully understand how ECC is implemented. Unfortunately, this is not trivial. In general, CPU manufacturers omit details of ECC implementation. In addition, the closed nature of hardware makes our task even more difficult. Thus, we first reverse engineered several ECC implementations and showed their guarantees. This part of the work was pretty crazy and involved freezing memory chips and transplanting them (“cold boot attack”), sticking syringe needles into the sockets of memory modules to inject errors, and many other techniques besides. Long story short, after a year of probing and analyzing, we finally understood how ECC memory worked in detail.
source: solar
TLBleed
https://www.vusec.net/projects/tlbleed/ [www.vusec.net]
2018-07-11 20:52
tags:
cpu
paper
security
sidechannel
TLBleed is a new side channel attack that has been proven to work on Intel CPUs with Hyperthreading (generally Simultaneous Multi-threading, or SMT, or HT on Intel) enabled. It relies on concurrent access to the TLB, and it being shared between threads. We find that the L1dtlb and the STLB (L2 TLB) are shared between threads on Intel CPU cores.
source: L
GLitch
https://www.vusec.net/projects/glitch/ [www.vusec.net]
2018-05-04 16:28
tags:
android
browser
exploit
gl
hardware
paper
security
turtles
Meet GLitch: the first instance of a remote Rowhammer exploit on ARM Android devices. This makes it possible for an attacker who controls a malicious website to get remote code execution on a smartphone without relying on any software bug. You want to know what makes this attack even cooler? It is carried out by the GPU. This is the first GPU-accelerated Rowhammer attack.
source: L
The AnC attack against ASLR
https://www.vusec.net/projects/anc/ [www.vusec.net]
2017-02-17 17:41
tags:
browser
cpu
exploit
malloc
random
security
In this project, we show that the limitations of ASLR are fundamental to how modern processors manage memory and build an attack that can fully derandomize ASLR from JavaScript without relying on any software feature.