Single Sided Rowhammer Attack
Today, I would like to run through the Rowhammer test code that Google Project Zero posted in its GitHub repository. This blog post focuses on the single-sided Rowhammer test with random address selection because it is simple and can be understood without knowledge of the Linux side of things. Rowhammer is a fault in modern DRAM: cells are packed so densely that repeatedly activating one row disturbs the charge stored in physically adjacent rows, which can flip bits there. More can be read in Google Project Zero's blog post. The intention of this blog post isn't to analyze the single-sided Rowhammer attack, but to explain briefly how the program works.
So how does this code work? The program first allocates 1 GB of memory. Then, in a tight loop, eight random addresses are chosen from that region. The program reads from each chosen address in turn; the value read should be unchanged, since reading a row also refreshes it. Google chose to read from memory into a variable in C to replicate a memory access. While not as fast as a hand-written x86 'mov', the C read still hits the addresses rapidly one after another. After the eight addresses are read, each one is flushed from the CPU cache. C has no portable function to flush a cache line, so the x86 'clflush' instruction is inlined in the program; without the flush, the next read would be served from cache and never reach DRAM, so no row would actually be hammered. The read-and-flush procedure is repeated 4,320,000 times per round, which works out to about 20 ns per memory access. Once the hammering is done, the program scans the whole 1 GB region to see whether any bit has flipped. While the test runs, it prints a progress message for each iteration to standard output. The test runs until it finds a flipped bit.
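The loop described above, as an added example rather than Project Zero's own code: it keeps the same structure (allocate a region, pick eight random page-aligned addresses, read them, flush them with clflush, repeat, then scan the region for flipped bits) but takes the region size, address count and toggle count as parameters so the same functions can be exercised on a small buffer. The 0xff fill pattern, the 540,000 toggles per round (4,320,000 accesses divided by eight addresses), the page-aligned address picking and the running-sum sanity check are assumptions of this example, not details taken from the page. The clflush is only emitted on x86; on other architectures the code compiles but does not hammer.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#define PAGE_SIZE 4096   /* assumption: 4 KiB pages */
#define MAX_ADDRS 64

#if defined(__x86_64__) || defined(__i386__)
/* C has no cache-flush primitive, so CLFLUSH is inlined.  Without it the
 * repeated reads are served from cache and never reach the DRAM row. */
static inline void flush_line(const void *p) {
    __asm__ volatile("clflush (%0)" : : "r"(p) : "memory");
}
#else
/* Assumption for non-x86 builds: compile, but the reads are not forced
 * out to DRAM, so this path does not actually hammer anything. */
static inline void flush_line(const void *p) { (void)p; }
#endif

/* mmap a region and fill every byte with `pattern`; NULL on failure. */
uint8_t *alloc_region(size_t size, uint8_t pattern) {
    void *m = mmap(NULL, size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return NULL;
    memset(m, pattern, size);
    return (uint8_t *)m;
}

/* Choose addr_count random page-aligned addresses inside the region. */
static void pick_addrs(uint8_t *mem, size_t size, uint32_t **addrs, int addr_count) {
    size_t pages = size / PAGE_SIZE;
    for (int a = 0; a < addr_count; a++)
        addrs[a] = (uint32_t *)(mem + ((size_t)rand() % pages) * PAGE_SIZE);
}

/* One hammer round: read all chosen addresses, flush all of them, and
 * repeat `toggles` times.  Reading a row refreshes it, so the hammered
 * words themselves must still hold `expected`; the running sum checks
 * that cheaply while keeping the loop tight.  Returns 1 if OK. */
int hammer(uint8_t *mem, size_t size, int addr_count, int toggles, uint32_t expected) {
    uint32_t *addrs[MAX_ADDRS];
    if (addr_count > MAX_ADDRS) addr_count = MAX_ADDRS;
    pick_addrs(mem, size, addrs, addr_count);

    uint32_t sum = 0;
    for (int i = 0; i < toggles; i++) {
        for (int a = 0; a < addr_count; a++)
            sum += *(volatile uint32_t *)addrs[a];   /* the memory access */
        for (int a = 0; a < addr_count; a++)
            flush_line(addrs[a]);                     /* force the next read to DRAM */
    }
    return sum == (uint32_t)(expected * (uint32_t)toggles * (uint32_t)addr_count);
}

/* Scan the region for 64-bit words that no longer equal `expected`.
 * Returns the number of flipped bits; *first_offset receives the byte
 * offset of the first damaged word, or (size_t)-1 if there is none. */
size_t count_flipped_bits(const uint8_t *mem, size_t size, uint64_t expected, size_t *first_offset) {
    const uint64_t *words = (const uint64_t *)mem;
    size_t n = size / sizeof(uint64_t), flips = 0;
    if (first_offset) *first_offset = (size_t)-1;
    for (size_t i = 0; i < n; i++) {
        uint64_t diff = words[i] ^ expected;
        if (!diff) continue;
        if (first_offset && *first_offset == (size_t)-1)
            *first_offset = i * sizeof(uint64_t);
        flips += (size_t)__builtin_popcountll(diff);
    }
    return flips;
}

int main(void) {
    const size_t mem_size = (size_t)1 << 30;   /* 1 GiB region, as in the test described above */
    const int addr_count = 8;
    const int toggles = 540000;                 /* 8 x 540000 = 4,320,000 accesses per round */
    uint8_t *mem = alloc_region(mem_size, 0xff);
    if (!mem) { perror("mmap"); return 1; }
    srand(1);
    for (unsigned iter = 0;; iter++) {
        if (!hammer(mem, mem_size, addr_count, toggles, 0xffffffffu)) {
            fprintf(stderr, "hammered word changed while being read; aborting\n");
            return 1;
        }
        size_t off;
        size_t flips = count_flipped_bits(mem, mem_size, ~(uint64_t)0, &off);
        printf("iteration %u: %zu flipped bit(s)\n", iter, flips);
        if (flips) {
            printf("first flip at %p (offset 0x%zx)\n", (void *)(mem + off), off);
            return 2;
        }
    }
}
```

Filling with all ones means a flip shows up as a cleared bit; filling with zeros would catch the opposite direction instead, so a thorough run does both. The scan works on 64-bit words and XORs against the pattern, which makes the flipped bit positions directly visible in the diff.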
What makes this test harder to run is that only 1 GB of memory is allocated. Many computers these days have more than 16 GB of RAM. In the case of 32 GB of memory spread over 64 banks, the chance that the randomly chosen addresses fall in the same bank drops significantly, and it is alternating between different rows of the same bank that forces the rows to be re-opened on every access and produces the hammering. It also depends on how the kernel maps virtual addresses to physical addresses: the 1 GB region can be scattered across different banks of the RAM. Nonetheless, this code runs on both Linux and Mac OS. What is neat about this program is that it works purely on virtual addresses and therefore does not need to know the memory controller's mapping from physical addresses to DRAM rows and banks; it simply relies on random selection to eventually hit neighbouring rows.
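The dependence on the kernel's virtual-to-physical mapping can be checked directly on Linux. The following is an added example, not part of the test program described above: it reads /proc/self/pagemap to find the physical address behind each of a handful of random pages in an anonymous mapping, so you can see whether the pages of your region are physically contiguous or scattered. Reading real page frame numbers needs CAP_SYS_ADMIN on kernels since 4.0 (unprivileged readers see a PFN of zero), and going from a physical address to a DRAM bank or row would additionally need the memory controller's address mapping, which this example does not attempt. The 4 KiB page size and the 64 MiB mapping are assumptions.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PAGE_SHIFT 12   /* assumption: 4 KiB pages */

/* Decode one 64-bit /proc/<pid>/pagemap entry.  Bits 0-54 hold the page
 * frame number and bit 63 is set when the page is resident in RAM.
 * Returns 0 and stores the PFN, or -1 if the page is not present or the
 * PFN was hidden (kernels since 4.0 report 0 to unprivileged readers). */
int pagemap_decode(uint64_t entry, uint64_t *pfn) {
    if (!(entry & (1ULL << 63))) return -1;
    uint64_t frame = entry & ((1ULL << 55) - 1);
    if (frame == 0) return -1;
    *pfn = frame;
    return 0;
}

/* Translate a virtual address of this process to a physical address.
 * Returns 0 on success, -1 if pagemap is unavailable or the PFN is hidden. */
int virt_to_phys(const void *va, uint64_t *pa) {
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0) return -1;
    uint64_t entry = 0;
    off_t off = (off_t)(((uintptr_t)va >> PAGE_SHIFT) * sizeof entry);
    ssize_t n = pread(fd, &entry, sizeof entry, off);
    close(fd);
    if (n != (ssize_t)sizeof entry) return -1;
    uint64_t pfn;
    if (pagemap_decode(entry, &pfn) < 0) return -1;
    *pa = (pfn << PAGE_SHIFT) | ((uintptr_t)va & ((1ULL << PAGE_SHIFT) - 1));
    return 0;
}

int main(void) {
    /* Eight random pages of a 64 MiB anonymous mapping.  Every page is
     * touched first, because an untouched page has no frame behind it yet. */
    size_t size = (size_t)64 << 20;
    uint8_t *mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) { perror("mmap"); return 1; }
    memset(mem, 0xff, size);
    srand(1);
    for (int i = 0; i < 8; i++) {
        size_t page = (size_t)rand() % (size >> PAGE_SHIFT);
        uint8_t *va = mem + (page << PAGE_SHIFT);
        uint64_t pa;
        if (virt_to_phys(va, &pa) == 0)
            printf("virt %p -> phys 0x%012llx\n", (void *)va, (unsigned long long)pa);
        else
            printf("virt %p -> physical address unavailable (run as root)\n", (void *)va);
    }
    munmap(mem, size);
    return 0;
}
```

Run as root and compare the physical addresses of the eight pages: two pages whose physical addresses differ only in high-order bits are far more likely to share a bank than two that are a few kilobytes apart, which is the situation the random selection in the test is gambling on.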