Showing posts from June, 2017

ESCAR 2017

This week, I attended the ESCAR (Embedded Security in Cars) conference in Ypsilanti, Michigan. As this was the first conference I attended, I learned valuable lessons: insight into fields and areas I had not been introduced to before, and the potential to network with people in industry and academia. One very interesting presentation was on the use of ChipWhisperer to perform side-channel attacks to crack passwords and encryption using differential power analysis on common processors such as the STM32F2.

During breaks, I visited multiple vendor booths, and one in particular caught my attention. It was GRIMM. GRIMM engineers were able to get almost full access to one of the Ford Focus’s CAN buses without proprietary information. One thing that stood out was how easy it is to get access to the bus. In fact, they had a couple of demos where we could learn how to read packets to narrow down a function. They gathered all the items from a single car from a junkyard. It is almost scary to know how easy it is to crack a car…

Single Sided Rowhammer Attack Part 2

In the last blog post, I wrote about the probabilistic nature of the single sided Rowhammer attack due to its random address selection. This week, I found that allocating more heap increases the frequency of bit flips. In my experiment, allocating 14GB of memory instead of 1GB increased the chance of successful bit flips by more than 20 times. Google’s single sided Rowhammer test source code initializes 1GB of memory.
My prediction is that the OS randomizes the virtual memory mapping across multiple areas of physical memory. Therefore, when a relatively small amount of memory is allocated, for example 1GB out of 16GB, the memory will likely be spread over multiple banks. As a result, when a pair of addresses is accessed and flushed, they won’t meet the requirement that the addresses are in the same bank and in different rows. Furthermore, when the Rowhammer attack does successfully flip a bit, the flip can be outside the allocated space. In this case, we won’t be able to check the result, unless the …

Single Sided Rowhammer Attack

Today, I would like to run through the Rowhammer test code that Google Project Zero posted in its GitHub repository. This blog post will focus on the single sided Rowhammer using random address selection because it is simple and can be understood without knowledge of the Linux system side of things. Rowhammering is an exploit in modern DRAMs due to the high density of cells that reside in the memory device. More can be read in Google Project Zero’s blog post. The intention of this blog post isn’t to analyze the single sided Rowhammer attack, but to explain briefly how the program works.

So how does this code work? The program first allocates 1GB of memory. Then, in a tight loop, eight random addresses are chosen from the heap. One address at a time, the program reads data (which should be zero) from the chosen addresses. Google chose to read from memory into a variable to replicate accessing a memory address. While not as fast as using the x86 ‘mov’ assembly instruction, the C instruction is still able t…

First week at the SPQR Lab: Electronics Bench and Rework

On the first day of my work at the SPQR lab, the lab members spent three hours reworking two USB breaker boards. Looking at the figure below of oxidized soldering tips, I found that many tips could not hold heat. The job should have taken less than 10 minutes with proper soldering tips and solder. The lab has an advanced oscilloscope and a lab bench digital multimeter, but lacks inexpensive rework equipment such as proper solder, flux cleaner, and a vise. In this blog post, I will discuss inexpensive but very handy tools which make reworking much easier.

Completely Oxidized Soldering Tips

The most necessary tool for solder rework is a soldering station. Many people will have seen standalone soldering pencils, but these soldering pencils lack a gauge to control the temperature. Therefore, a soldering station with either an analog or a digital gauge is necessary. Fortunately, a decent soldering station costs less than $150: the Weller WESD51 Digital Soldering Station. SPQR lab has the exact…