Greetings, I am Zelalem Birhanu Aweke, a PhD student at the University of Michigan. I have successfully implemented a Rowhammer attack on a DDR3-based memory system attached to an Intel Sandy Bridge-based multiprocessor. My attack does not use the CLFLUSH instruction; instead, it creates carefully crafted memory access streams that force frequent L3 cache misses to specific DRAM rows. Matthew Hicks, a hardware security researcher here at Michigan, has inspected my code, verified that it successfully implements the Rowhammer attack without CLFLUSH, and used it to flip DRAM bits on a Lenovo laptop. I will be disclosing the details of the attack in an article that I am currently preparing. Also, I want to say "thanks" to the Google security researchers that published the Intel L3 cache interleaving hash function details; the hash function on my Intel processor was very similar, and their discovery was quite useful in getting my attack to work -- thank you!
On 10 May 2015 at 19:55, <zaw...@umich.edu> wrote:

> Greetings, I am Zelalem Birhanu Aweke, a PhD student at the University of Michigan. I have successfully implemented a Rowhammer attack on a DDR3-based memory system attached to an Intel Sandy Bridge-based multiprocessor. My attack does not use the CLFLUSH instruction; instead, it creates carefully crafted memory access streams that force frequent L3 cache misses to specific DRAM rows. Matthew Hicks, a hardware security researcher here at Michigan, has inspected my code, verified that it successfully implements the Rowhammer attack without CLFLUSH, and used it to flip DRAM bits on a Lenovo laptop. I will be disclosing the details of the attack in an article that I am currently preparing. Also, I want to say "thanks" to the Google security researchers that published the Intel L3 cache interleaving hash function details; the hash function on my Intel processor was very similar, and their discovery was quite useful in getting my attack to work -- thank you!

Ah, very interesting! Thanks for sharing.

I have been working on doing the same thing, which is why I published that description of the L3 cache mapping function [1]. When you say that your machine uses a mapping that's similar, do you mean that it's similar but different to the mapping I described?
* Repeatedly read from those 14 addresses (i.e. the aggressor + 13 other addresses) [3].
Did you access them in a specific order which tries to put more pressure on the aggressor?