
DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks (1511.08756v4)

Published 27 Nov 2015 in cs.CR

Abstract: In cloud computing environments, multiple tenants are often co-located on the same multi-processor system. Thus, preventing information leakage between tenants is crucial. While the hypervisor enforces software isolation, shared hardware, such as the CPU cache or memory bus, can leak sensitive information. For security reasons, shared memory between tenants is typically disabled. Furthermore, tenants often do not share a physical CPU. In this setting, cache attacks do not work and only a slow cross-CPU covert channel over the memory bus is known. In contrast, we demonstrate a high-speed covert channel as well as the first side-channel attack working across processors and without any shared memory. To build these attacks, we use the undocumented DRAM address mappings. We present two methods to reverse engineer the mapping of memory addresses to DRAM channels, ranks, and banks. One uses physical probing of the memory bus, the other runs entirely in software and is fully automated. Using this mapping, we introduce DRAMA attacks, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems. Thus, our attacks work in the most restrictive environments. First, we build a covert channel with a capacity of up to 2 Mbps, which is three to four orders of magnitude faster than memory-bus-based channels. Second, we build a side-channel template attack that can automatically locate and monitor memory accesses. Third, we show how using the DRAM mappings improves existing attacks and in particular enables practical Rowhammer attacks on DDR4.

Citations (414)

Summary

  • The paper introduces novel techniques to reverse engineer undocumented DRAM mappings for executing cross-CPU attacks.
  • It demonstrates high-speed covert channels reaching up to 2 Mbps and introduces the first cross-CPU side-channel without shared memory.
  • The findings enhance existing attacks like Flush+Reload and Rowhammer by accurately targeting DRAM components in multi-tenant environments.

Overview of "DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks"

The research paper "DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks", authored by Peter Pessl, Daniel Gruss, Clémentine Maurice, Michael Schwarz, and Stefan Mangard from Graz University of Technology, explores methods for conducting cross-CPU attacks by exploiting DRAM addressing mechanisms. The paper revolves around two primary attack vectors that use information inherent in the structure of DRAM to enable inter-processor communication without relying on shared memory, thereby bypassing traditional isolation mechanisms in multi-tenant systems.

Key Contributions

The authors introduce two novel methods to reverse engineer the DRAM address mappings, which are typically undocumented. These methods are instrumental in creating a new class of attacks: DRAMA attacks. Their significance lies in uncovering how memory is distributed across DRAM channels, ranks, and banks, which is the knowledge the attacks listed below depend on:

  1. Physical Probing and Software-Based Reverse Engineering: The paper provides a detailed account of using physical probing of the memory bus and a fully automated software technique for uncovering these mappings. This reverse engineering enables attackers to determine how physical memory addresses map onto specific DRAM components without requiring any shared memory between processes.
  2. High-Speed Covert Channels and Side-Channels: Leveraging the insights from the aforementioned reverse engineering, the researchers demonstrate a high-speed covert channel that achieves data transfer rates of up to 2 Mbps, which significantly exceeds previous memory-bus channel capabilities. Additionally, the paper introduces the first cross-CPU side-channel attack that efficiently monitors memory access patterns without shared memory, enhancing the attacker's ability to infer sensitive operations.
  3. Enhanced Existing Attacks: Through a refined understanding of DRAM mappings, the paper illustrates improvements to existing attack strategies such as Flush+Reload and improved efficacy of Rowhammer attacks on DDR4. With detailed knowledge of where memory is placed in DRAM, attackers can time and target these operations more accurately.
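
To make the idea of an address-to-bank mapping concrete, here is an added example (not code from the paper or its authors) that simulates recovering a mapping once addresses have been grouped by bank. It assumes each bank-index bit is an XOR of physical-address bits; the masks, bit range and sample addresses are constructed for illustration and do not describe any real system.

```python
import itertools
import random

# Assumed mapping for this example only: each bank-index bit is the XOR
# (parity) of the physical-address bits selected by one mask.
HIDDEN_MASKS = [(1 << 13) | (1 << 17), (1 << 14) | (1 << 18), (1 << 15) | (1 << 19)]
CANDIDATE_BITS = range(6, 20)  # bits above the 64-byte cache-line offset

def parity(x):
    return bin(x).count("1") & 1

def bank_of(addr, masks=HIDDEN_MASKS):
    """Bank index as a tuple of parity bits, one per mask."""
    return tuple(parity(addr & m) for m in masks)

def same_bank_sets(n_addrs=400, seed=1):
    """Constructed stand-in for measured data: random cache-line-aligned
    addresses grouped by the bank they fall into."""
    rng = random.Random(seed)
    groups = {}
    for _ in range(n_addrs):
        addr = rng.randrange(1 << 20) & ~0x3F
        groups.setdefault(bank_of(addr), []).append(addr)
    return list(groups.values())

def recover_masks(sets, max_bits=2):
    """Return every XOR mask of up to max_bits address bits whose parity is
    constant within each same-bank set, i.e. a candidate bank-index bit."""
    found = []
    for k in range(1, max_bits + 1):
        for combo in itertools.combinations(CANDIDATE_BITS, k):
            mask = sum(1 << b for b in combo)
            if all(len({parity(a & mask) for a in s}) == 1 for s in sets):
                found.append(mask)
    return found

if __name__ == "__main__":
    for m in recover_masks(same_bank_sets()):
        print("bank bit = XOR of address bits",
              [b for b in CANDIDATE_BITS if m >> b & 1])
```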

Implications and Future Speculations

The practical implications of this research are profound, especially in cloud computing environments where multiple tenants share servers. The covert channel capabilities can undermine the data confidentiality among virtual machines on the same physical hardware. Furthermore, DRAM-based attacks bypass several countermeasures that prevent cache-based attacks, making them a formidable threat.

From a theoretical standpoint, this paper underscores the ongoing need to consider microarchitectural elements in security analyses. By bringing the previously opaque DRAM row buffer into focus, this research highlights how critical an understanding of hardware specifics is to system security.

Looking forward, as hardware continues to evolve, so too will the methods of exploiting it. However, this paper provides a framework that can be adapted to potential future designs of DRAM systems. It suggests a need for rethinking isolation strategies in platforms where hardware sharing is not only beneficial but also potentially exploitable. Future research could focus on mitigating such attacks through enhanced memory access patterns, improved hardware architecture, and more robust virtual isolation measures in multi-tenant setups.

Conclusion

The DRAMA paper makes significant strides in demonstrating how previously unexploited characteristics of hardware components like DRAM can be leveraged for high-speed data exfiltration and monitoring, bypassing traditional isolation techniques. This work serves as a catalyst for further exploration into microarchitectural vulnerabilities, and it is both a caution and a challenge: security practices must adapt to intricate hardware dynamics in complex computing environments.
