SpyHammer: Using RowHammer to Remotely Spy on Temperature

—RowHammer is a DRAM vulnerability that can cause bit errors in a victim DRAM row by just accessing its neighboring DRAM rows at a high-enough rate. Recent studies demonstrate that new DRAM devices are becoming increasingly more vulnerable to RowHammer, and many works demonstrate system-level attacks for privilege escalation or information leakage. In this work, we leverage two key observations about RowHammer characteristics to spy on DRAM temperature: 1) RowHammer-induced bit error rate consistently increases (or decreases) as the temperature increases, and 2) some DRAM cells that are vulnerable to RowHammer cause bit errors only at a particular temperature. Based on these observations, we propose a new RowHammer attack, called SpyHammer, that spies on the temperature of critical systems such as industrial production lines, vehicles, and medical systems. SpyHammer is the first practical attack that can spy on DRAM temperature. SpyHammer can spy on absolute temperature with an error of less than ± 2 . 5 ° C at the 90 th percentile of tested temperature points, for 12 real DRAM modules from 4 main manufacturers.

[1]  Kaveh Razavi,et al.  BLACKSMITH: Scalable Rowhammering in the Frequency Domain , 2022, 2022 IEEE Symposium on Security and Privacy (SP).

[2]  U. Rührmair Secret-free security: a survey and tutorial , 2022, Journal of Cryptographic Engineering.

[3]  Jeremie S. Kim,et al.  A Deeper Look into RowHammer’s Sensitivities: Experimental Analysis of Real DRAM Chips and Implications on Future Attacks and Defenses , 2021, MICRO.

[4]  Onur Mutlu,et al.  Uncovering In-DRAM RowHammer Protection Mechanisms:A New Methodology, Custom RowHammer Patterns, and Implications , 2021, MICRO.

[5]  Onur Mutlu,et al.  Security Analysis of the Silver Bullet Technique for RowHammer Prevention , 2021, ArXiv.

[6]  Onur Mutlu,et al.  CODIC: A Low-Cost Substrate for Enabling Custom In-DRAM Functionalities and Optimizations , 2021, 2021 ACM/IEEE 48th Annual International Symposium on Computer Architecture (ISCA).

[7]  Jeremie S. Kim,et al.  BlockHammer: Preventing RowHammer at Low Cost by Blacklisting Rapidly-Accessed DRAM Rows , 2021, 2021 IEEE International Symposium on High-Performance Computer Architecture (HPCA).

[8]  Jung Ho Ahn,et al.  Graphene: Strong yet Lightweight Row Hammer Protection , 2020, 2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[9]  Jeremie S. Kim,et al.  FIGARO: Improving System Performance via Fine-Grained In-DRAM Data Relocation and Caching , 2020, 2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[10]  Onur Mutlu,et al.  Bit-Exact ECC Recovery (BEER): Determining DRAM On-Die ECC Functions by Exploiting DRAM Data Retention Characteristics , 2020, 2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[11]  Zhi Zhang,et al.  PThammer: Cross-User-Kernel-Boundary Rowhammer through Implicit Accesses , 2020, 2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[12]  Onur Mutlu,et al.  Revisiting RowHammer: An Experimental Analysis of Modern DRAM Devices and Mitigation Techniques , 2020, 2020 ACM/IEEE 47th Annual International Symposium on Computer Architecture (ISCA).

[13]  Onur Mutlu,et al.  CLR-DRAM: A Low-Cost DRAM Architecture Enabling Dynamic Capacity-Latency Trade-Off , 2020, 2020 ACM/IEEE 47th Annual International Symposium on Computer Architecture (ISCA).

[14]  Yuval Yarom,et al.  RAMBleed: Reading Bits in Memory Without Accessing Them , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[15]  Cristiano Giuffrida,et al.  TRRespass: Exploiting the Many Sides of Target Row Refresh , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[16]  Alec Wolman,et al.  Are We Susceptible to Rowhammer? An End-to-End Methodology for Cloud Providers , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[17]  Fan Yao,et al.  DeepHammer: Depleting the Intelligence of Deep Neural Networks through Targeted Chain of Bit Flips , 2020, USENIX Security Symposium.

[18]  Jung Ho Ahn,et al.  CAT-TWO: Counter-Based Adaptive Tree, Time Window Optimized for DRAM Row-Hammer Prevention , 2020, IEEE Access.

[19]  T. Eisenbarth,et al.  JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms , 2019, IACR Trans. Cryptogr. Hardw. Embed. Syst..

[20]  Onur Mutlu,et al.  RowHammer: A Retrospective , 2019, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[21]  Daniel Gruss,et al.  Nethammer: Inducing Rowhammer Faults through Network Requests , 2018, 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW).

[22]  Saeyoung Oh,et al.  Pinpoint Rowhammer: Suppressing Unwanted Bit Flips on Rowhammer Attacks , 2019, AsiaCCS.

[23]  Tudor Dumitras,et al.  Terminal Brain Damage: Exposing the Graceless Degradation in Deep Neural Networks Under Hardware Fault Attacks , 2019, USENIX Security Symposium.

[24]  Jung Min You,et al.  MRLoc: Mitigating Row-hammering based on memory Locality , 2019, 2019 56th ACM/IEEE Design Automation Conference (DAC).

[25]  Onur Mutlu,et al.  Understanding and Modeling On-Die Error Correction in Modern DRAM: An Experimental Study Using Real Devices , 2019, 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[26]  Onur Mutlu,et al.  CROW: A Low-Cost Substrate for Improving DRAM Performance, Energy Efficiency, and Reliability , 2019, 2019 ACM/IEEE 46th Annual International Symposium on Computer Architecture (ISCA).

[27]  G. Edward Suh,et al.  TWiCe: Preventing Row-hammering by Exploiting Time Window Counters , 2019, 2019 ACM/IEEE 46th Annual International Symposium on Computer Architecture (ISCA).

[28]  Onur Mutlu,et al.  In-DRAM Bulk Bitwise Execution Engine , 2019, ArXiv.

[29]  Herbert Bos,et al.  Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[30]  Stefan Katzenbeisser,et al.  Spying on Temperature using DRAM , 2019, 2019 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[31]  Onur Mutlu,et al.  D-RaNGe: Using Commodity DRAM Devices to Generate True Random Numbers with Low Latency and High Throughput , 2018, 2019 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[32]  Herbert Bos,et al.  ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks , 2018, OSDI.

[33]  Onur Mutlu,et al.  Reducing DRAM Latency via Charge-Level-Aware Look-Ahead Partial Restoration , 2018, 2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[34]  Onur Mutlu,et al.  Solar-DRAM: Reducing DRAM Access Latency by Exploiting the Variation in Local Bitlines , 2018, 2018 IEEE 36th International Conference on Computer Design (ICCD).

[35]  Herbert Bos,et al.  Defeating Software Mitigations Against Rowhammer: A Surgical Precision Hammer , 2018, RAID.

[36]  Herbert Bos,et al.  Throwhammer: Rowhammer Attacks over the Network and Defenses , 2018, USENIX ATC.

[37]  Alessandro Barenghi,et al.  Software-only Reverse Engineering of Physical DRAM Mappings for Rowhammer Attacks , 2018, 2018 IEEE 3rd International Verification and Security Workshop (IVSW).

[38]  Tolga Arul,et al.  Intrinsic Run-Time Row Hammer PUFs: Leveraging the Row Hammer Effect for Run-Time Cryptography and Improved Security † , 2018, Cryptogr..

[39]  Christopher Krügel,et al.  GuardION: Practical Mitigation of DMA-Based Rowhammer Attacks on ARM , 2018, DIMVA.

[40]  Onur Mutlu,et al.  What Your DRAM Power Models Are Not Telling You: Lessons from a Detailed Experimental Study , 2018, SIGMETRICS.

[41]  Rami G. Melhem,et al.  Mitigating Wordline Crosstalk Using Adaptive Trees of Counters , 2018, 2018 ACM/IEEE 45th Annual International Symposium on Computer Architecture (ISCA).

[42]  Herbert Bos,et al.  Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[43]  Onur Mutlu,et al.  The DRAM Latency PUF: Quickly Evaluating Physical Unclonable Functions by Exploiting the Latency-Reliability Tradeoff in Modern Commodity DRAM Devices , 2018, 2018 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[44]  Yuval Yarom,et al.  Another Flip in the Wall of Rowhammer Defenses , 2017, 2018 IEEE Symposium on Security and Privacy (SP).

[45]  Ulrich Rührmair,et al.  Efficient Erasable PUFs from Programmable Logic and Memristors , 2018, IACR Cryptol. ePrint Arch..

[46]  Taesoo Kim,et al.  SGX-Bomb: Locking Down the Processor via Rowhammer Attack , 2017, SysTEX@SOSP.

[47]  Onur Mutlu,et al.  Detecting and Mitigating Data-Dependent DRAM Failures by Exploiting Current Memory Content , 2017, 2017 50th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[48]  Onur Mutlu,et al.  Ambit: In-Memory Accelerator for Bulk Bitwise Operations Using Commodity DRAM Technology , 2017, 2017 50th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[49]  Ahmad-Reza Sadeghi,et al.  CAn't Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory , 2017, USENIX Security Symposium.

[50]  Onur Mutlu,et al.  A Case for Memory Content-Based Detection and Mitigation of Data-Dependent Failures in DRAM , 2017, IEEE Computer Architecture Letters.

[51]  Onur Mutlu,et al.  The reach profiler (REAPER): Enabling the mitigation of DRAM retention failures via profiling at aggressive conditions , 2017, 2017 ACM/IEEE 44th Annual International Symposium on Computer Architecture (ISCA).

[52]  Sungjoo Yoo,et al.  Making DRAM stronger against row hammering , 2017, 2017 54th ACM/EDAC/IEEE Design Automation Conference (DAC).

[53]  Rachata Ausavarungnirun,et al.  Design-Induced Latency Variation in Modern DRAM Chips: Characterization, Analysis, and Latency Reduction Mechanisms , 2017, SIGMETRICS.

[54]  O. Mutlu,et al.  Understanding Reduced-Voltage Operation in Modern DRAM Devices: Experimental Characterization, Analysis, and Mechanisms , 2017, SIGMETRICS.

[55]  Todd M. Austin,et al.  When good protections go bad: Exploiting anti-DoS measures to accelerate rowhammer attacks , 2017, 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[56]  Stefan Katzenbeisser,et al.  Intrinsic Rowhammer PUFs: Leveraging the Rowhammer effect for improved security , 2017, 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[57]  Pascal Raiola,et al.  Sensitized path PUF: A lightweight embedded physical unclonable function , 2017, Design, Automation & Test in Europe Conference & Exhibition (DATE), 2017.

[58]  Onur Mutlu,et al.  The RowHammer problem and other issues we may face as memory becomes denser , 2017, Design, Automation & Test in Europe Conference & Exhibition (DATE), 2017.

[59]  Onur Mutlu,et al.  SoftMC: A Flexible and Practical Open-Source Infrastructure for Enabling Experimental DRAM Studies , 2017, 2017 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[60]  Hector Gomez,et al.  DRAM row-hammer attack reduction using dummy cells , 2016, 2016 IEEE Nordic Circuits and Systems Conference (NORCAS).

[61]  Yanick Fratantonio,et al.  Drammer: Deterministic Rowhammer Attacks on Mobile Platforms , 2016, CCS.

[62]  Arnab Raha,et al.  D-PUF: An intrinsically reconfigurable DRAM PUF for device authentication in embedded systems , 2016, 2016 International Conference on Compliers, Architectures, and Sythesis of Embedded Systems (CASES).

[63]  Debdeep Mukhopadhyay,et al.  Curious Case of Rowhammer: Flipping Secret Exponent Bits Using Timing Analysis , 2016, CHES.

[64]  Onur Mutlu,et al.  Understanding Latency Variation in Modern DRAM Chips: Experimental Characterization, Analysis, and Optimization , 2016, SIGMETRICS.

[65]  Onur Mutlu,et al.  PARBOR: An Efficient System-Level Technique to Detect Data-Dependent Failures in DRAM , 2016, 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[66]  Herbert Bos,et al.  Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[67]  Rui Qiao,et al.  A new approach for rowhammer attacks , 2016, 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[68]  Reetuparna Das,et al.  ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks , 2016, ASPLOS.

[69]  Onur Mutlu,et al.  Low-Cost Inter-Linked Subarrays (LISA): Enabling fast inter-subarray data movement in DRAM , 2016, 2016 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[70]  Onur Mutlu,et al.  ChargeCache: Reducing DRAM latency by exploiting row access locality , 2016, 2016 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[71]  Stefan Mangard,et al.  DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks , 2015, USENIX Security Symposium.

[72]  Stefan Mangard,et al.  Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript , 2015, DIMVA.

[73]  Herbert Bos,et al.  Flip Feng Shui: Hammering a Needle in the Software Stack , 2016, USENIX Security Symposium.

[74]  Yuan Xiao,et al.  One Bit Flips, One Cloud Flops: Cross-VM Row Hammer Attacks and Privilege Escalation , 2016, USENIX Security Symposium.

[75]  Onur Mutlu,et al.  Gather-Scatter DRAM: In-DRAM address translation to improve the spatial locality of non-unit strided accesses , 2015, 2015 48th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[76]  Jongmoo Choi,et al.  Decoupled Direct Memory Access: Isolating CPU and IO Traffic by Leveraging a Dual-Data-Port DRAM , 2015, 2015 International Conference on Parallel Architecture and Compilation (PACT).

[77]  Barbara P. Aichinger,et al.  DDR memory errors caused by Row Hammer , 2015, 2015 IEEE High Performance Extreme Computing Conference (HPEC).

[78]  Onur Mutlu,et al.  AVATAR: A Variable-Retention-Time (VRT) Aware Refresh for DRAM Systems , 2015, 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[79]  Fatemeh Tehranipoor,et al.  DRAM based Intrinsic Physical Unclonable Functions for System Level Security , 2015, ACM Great Lakes Symposium on VLSI.

[80]  Ulrich Rührmair,et al.  Physically secure and fully reconfigurable data storage using optical scattering , 2015, 2015 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[81]  Dae-Hyun Kim,et al.  Architectural Support for Mitigating Row Hammering in DRAM Memories , 2015, IEEE Computer Architecture Letters.

[82]  Onur Mutlu,et al.  The Blacklisting Memory Scheduler: Achieving high performance and fairness at low cost , 2014, 2014 IEEE 32nd International Conference on Computer Design (ICCD).

[83]  Chris Fallin,et al.  Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[84]  Tao Zhang,et al.  Half-DRAM: A high-bandwidth and low-power DRAM architecture from the rethinking of fine-grained activation , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[85]  Onur Mutlu,et al.  Improving DRAM performance by parallelizing refreshes with accesses , 2014, 2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA).

[86]  Onur Mutlu,et al.  The efficacy of error mitigation techniques for DRAM retention failures: a comparative experimental study , 2014, SIGMETRICS '14.

[87]  Ulrich Rührmair,et al.  Protocol attacks on advanced PUF protocols and countermeasures , 2014, 2014 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[88]  Rachata Ausavarungnirun,et al.  RowClone: Fast and energy-efficient in-DRAM bulk data copy and initialization , 2013, 2013 46th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[89]  MutluOnur,et al.  An experimental study of data retention behavior in modern DRAM devices , 2013 .

[90]  Ulrich Rührmair,et al.  Physical unclonable functions based on crossbar arrays for cryptographic applications , 2013, Int. J. Circuit Theory Appl..

[91]  Ulrich Rührmair,et al.  On the practical use of physical unclonable functions in oblivious transfer and bit commitment protocols , 2013, Journal of Cryptographic Engineering.

[92]  Onur Mutlu,et al.  Tiered-latency DRAM: A low latency and low cost DRAM architecture , 2013, 2013 IEEE 19th International Symposium on High Performance Computer Architecture (HPCA).

[93]  Jan Sölter,et al.  Power and Timing Side Channels for PUFs and their Efficient Exploitation , 2013, IACR Cryptol. ePrint Arch..

[94]  Ulrich Rührmair,et al.  Practical Security Analysis of PUF-Based Two-Player Protocols , 2012, CHES.

[95]  Richard Veras,et al.  RAIDR: Retention-aware intelligent DRAM refresh , 2012, 2012 39th Annual International Symposium on Computer Architecture (ISCA).

[96]  Onur Mutlu,et al.  A case for exploiting subarray-level parallelism (SALP) in DRAM , 2012, 2012 39th Annual International Symposium on Computer Architecture (ISCA).

[97]  Ulrich Rührmair,et al.  SIMPL Systems as a Keyless Cryptographic and Security Primitive , 2012, Cryptography and Security.

[98]  Georg Sigl,et al.  Side-Channel Analysis of PUFs and Fuzzy Extractors , 2011, TRUST.

[99]  Ulrich Rührmair,et al.  Circuit-Based Approaches to Simpl Systems , 2011, J. Circuits Syst. Comput..

[100]  Ulrich Rührmair,et al.  Physical Turing Machines and the Formalization of Physical Cryptography , 2011, IACR Cryptol. ePrint Arch..

[101]  Srinivas Devadas,et al.  FPGA PUF using programmable delay lines , 2010, 2010 IEEE International Workshop on Information Forensics and Security.

[102]  M. Stutzmann,et al.  Random pn-junctions for physical cryptography , 2010 .

[103]  Mor Harchol-Balter,et al.  ATLAS: A scalable and high-performance scheduling algorithm for multiple memory controllers , 2010, HPCA - 16 2010 The Sixteenth International Symposium on High-Performance Computer Architecture.

[104]  W. Porod,et al.  Application of mismatched Cellular Nonlinear Networks for Physical Cryptography , 2010, 2010 12th International Workshop on Cellular Nanoscale Networks and their Applications (CNNA 2010).

[105]  Ulrich Rührmair,et al.  Towards Electrical, Integrated Implementations of SIMPL Systems , 2010, IACR Cryptol. ePrint Arch..

[106]  P. Lugli,et al.  Analog circuits for physical cryptography , 2009, Proceedings of the 2009 12th International Symposium on Integrated Circuits.

[107]  Miodrag Potkonjak,et al.  Techniques for Design and Implementation of Secure Reconfigurable PUFs , 2009, TRETS.

[108]  Jürgen Schmidhuber,et al.  On-Chip Electric Waves: An Analog Circuit Approach to Physical Uncloneable Functions , 2009, IACR Cryptol. ePrint Arch..

[109]  Jorge Guajardo,et al.  Extended abstract: The butterfly PUF protecting IP on every FPGA , 2008, 2008 IEEE International Workshop on Hardware-Oriented Security and Trust.

[110]  Onur Mutlu,et al.  Parallelism-Aware Batch Scheduling: Enhancing both Performance and Fairness of Shared DRAM Systems , 2008, 2008 International Symposium on Computer Architecture.

[111]  Onur Mutlu,et al.  Self-Optimizing Memory Controllers: A Reinforcement Learning Approach , 2008, 2008 International Symposium on Computer Architecture.

[112]  Onur Mutlu,et al.  Stall-Time Fair Memory Access Scheduling for Chip Multiprocessors , 2007, 40th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO 2007).

[113]  Jorge Guajardo,et al.  FPGA Intrinsic PUFs and Their Use for IP Protection , 2007, CHES.

[114]  Onur Mutlu,et al.  Memory Performance Attacks: Denial of Memory Service in Multi-Core Systems , 2007, USENIX Security Symposium.

[115]  G. Edward Suh,et al.  Physical Unclonable Functions for Device Authentication and Secret Key Generation , 2007, 2007 44th ACM/IEEE Design Automation Conference.

[116]  Srinivas Devadas,et al.  Silicon physical random functions , 2002, CCS '02.

[117]  R. Pappu,et al.  Physical One-Way Functions , 2002, Science.

[118]  M. Horiguchi,et al.  Redundancy techniques for high-density DRAMs , 1997, 1997 Proceedings Second Annual IEEE International Conference on Innovative Systems in Silicon.

[119]  R. G. Nelson,et al.  Laser programmable redundancy and yield improvement in a 64K DRAM , 1981 .