TY - GEN
T1 - HammerScope
T2 - 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022
AU - Cohen, Yaakov
AU - Tharayil, Kevin Sam
AU - Genkin, Daniel
AU - Keromytis, Angelos D.
AU - Oren, Yossi
AU - Yarom, Yuval
N1 - Publisher Copyright: © 2022 ACM.
PY - 2022/11/7
Y1 - 2022/11/7
N2 - The constant reduction in memory cell sizes has increased memory density and reduced power consumption, but has also affected its reliability. The Rowhammer attack exploits this reduced reliability to induce bit flips in memory, without directly accessing these bits. Most Rowhammer attacks target software integrity, but some recent attacks demonstrated its use for compromising confidentiality. Continuing this trend, in this paper we observe that the Rowhammer attack strongly correlates with the memory instantaneous power consumption. We exploit this observation to design HammerScope, a Rowhammer-based attack technique for measuring the power consumption of the memory unit. Because the power consumption correlates with the level of activity of the memory, HammerScope allows an attacker to infer memory activity. To demonstrate the offensive capabilities of HammerScope, we use it to mount three information leakage attacks. We first show that HammerScope can be used to break kernel address-space layout randomization (KASLR). Our second attack uses memory activity as a covert channel for a Spectre attack, allowing us to leak information from the operating system kernel. Finally, we demonstrate the use of HammerScope for performing website fingerprinting, compromising user privacy. Our work demonstrates the importance of finding systematic solutions for Rowhammer attacks.
AB - The constant reduction in memory cell sizes has increased memory density and reduced power consumption, but has also affected its reliability. The Rowhammer attack exploits this reduced reliability to induce bit flips in memory, without directly accessing these bits. Most Rowhammer attacks target software integrity, but some recent attacks demonstrated its use for compromising confidentiality. Continuing this trend, in this paper we observe that the Rowhammer attack strongly correlates with the memory instantaneous power consumption. We exploit this observation to design HammerScope, a Rowhammer-based attack technique for measuring the power consumption of the memory unit. Because the power consumption correlates with the level of activity of the memory, HammerScope allows an attacker to infer memory activity. To demonstrate the offensive capabilities of HammerScope, we use it to mount three information leakage attacks. We first show that HammerScope can be used to break kernel address-space layout randomization (KASLR). Our second attack uses memory activity as a covert channel for a Spectre attack, allowing us to leak information from the operating system kernel. Finally, we demonstrate the use of HammerScope for performing website fingerprinting, compromising user privacy. Our work demonstrates the importance of finding systematic solutions for Rowhammer attacks.
KW - rowhammer
KW - side-channel attack
UR - http://www.scopus.com/inward/record.url?scp=85142916050&partnerID=8YFLogxK
U2 - https://doi.org/10.1145/3548606.3560688
DO - https://doi.org/10.1145/3548606.3560688
M3 - Conference contribution
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 547
EP - 561
BT - CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
Y2 - 7 November 2022 through 11 November 2022
ER -