
Image: ZDNet, Priyanka of the Noun Project

In a new research paper published on the last day of 2019, a team of American and German academics has shown that field-programmable gate array (FPGA) cards can be abused to launch better and faster Rowhammer attacks.

The new research expands on previous work on an attack vector known as Rowhammer.

A brief history of Rowhammer attacks

Rowhammer attacks were first detailed in 2014. The attack exploits a design flaw in modern memory hardware, more commonly known as RAM.

In modern RAM modules, data is stored in memory cells, and the cells are arranged in a grid. In 2014, academics discovered that by repeatedly reading the data stored in one row of memory cells at high speed, they could induce an electrical charge that altered the data stored in nearby memory rows.

By coordinating these repeated read operations, in a process called "row hammering," they could use the unwanted electrical charges to corrupt RAM data or maliciously manipulate user data.

After it was disclosed to the public, industry experts considered the Rowhammer attack only a theoretical threat, but one with the potential to become a major problem later.

Experts believed that while the initial Rowhammer attack seemed inefficient at altering or corrupting data, academics would eventually find new ways to launch Rowhammer attacks and increase the damage the attack could cause.

RAM vendors reacted by modifying RAM module designs and introducing software mitigations to address the potential damage from future Rowhammer attacks.

As initially predicted, over the last five years academics have greatly expanded on the initial Rowhammer attack. They found ways to bypass mitigations, extended the attack surface to various computer components and configurations, and even found a way to use Rowhammer to steal data from attacked systems instead of simply altering it. Below is a summary of all the work done on Rowhammer attacks.

New JackHammer attack

The latest addition to this list is a new variation of the Rowhammer attack called JackHammer, which allows a malicious party to abuse FPGA cards to launch better and faster Rowhammer attacks.

For those not familiar with the term, FPGAs are add-on cards that can be installed in a computer system (desktop or server). They are components designed to improve performance by letting the user customize them for their own workload, and are sometimes called "accelerators."

FPGAs are often used in systems built for very specific tasks, such as cryptocurrency mining, web servers, heavy computing workloads, and so on.

In recent years, FPGAs have reached cloud computing environments, where they are now a common offering. Companies such as Alibaba Cloud and Amazon Web Services (AWS) provide customers with FPGA-based server instances so that customers can optimize performance for specific tasks. Microsoft is also working on integrating FPGA-based technology into Azure.

Seeing that FPGA-CPU architectures are becoming more common, a team of researchers from the Worcester Polytechnic Institute in the US, the University of Lübeck in Germany, and Intel investigated how Rowhammer attacks affect this new cloud configuration.

They discovered that when the attack code runs on a user-configured FPGA, Rowhammer attacks are more efficient at causing bit flips and do so at a faster rate than when the attack is launched from malicious code running on the CPU, which is how all other Rowhammer attacks work.

This is because FPGA cards connect directly to the processor bus, which gives them direct, unmediated access to the CPU cache and RAM. In addition, FPGAs do not have to go through firmware and operating system software, which lets them run code faster than a normal CPU.

Twice as fast, four times more bit flips

"In a Rowhammer attack, a significant factor in the speed and effectiveness of an attack is the speed at which memory can be accessed repeatedly," explains the research team.

"On many systems, the CPU is fast enough to cause some bit flips, but the FPGA can repeatedly access the memory system of its host machine substantially faster than the host machine's CPU."

A row hammer originated by FPGA can hammer faster and flip more bits compared to the CPU hammer on the same platform.

– Daniel Moghimi (@danielmgmi) January 2, 2020

In a proof-of-concept experiment detailed in their paper, the research team launched a classic CPU-based Rowhammer attack and the new FPGA-based JackHammer attack against the WolfCrypt RSA implementation, part of the WolfSSL library, recovering private keys used to protect SSL connections.

"Our results indicate that a malicious FPGA can perform twice as fast as a typical Rowhammer attack from the CPU on the same system and causes about four times as many bit flips as the CPU attack," the research team said.
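The key recovery above works because a single bit flip during an RSA-CRT signing operation yields a faulty signature from which the private key can be derived. The standard defence, shown here as an added example (not code from the paper or from WolfSSL, and not a claim about how WolfSSL's own fix is implemented), is to verify every signature with the public exponent before releasing it, so a corrupted result is withheld instead of handed to the attacker. The toy key and the `fault_mask` parameter that simulates a flipped bit are constructed for the demo.

```python
# Verify-after-sign countermeasure for RSA-CRT against fault-induced key recovery.
# Toy parameters, constructed for illustration only; real keys are 2048+ bits.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent
DP, DQ = D % (P - 1), D % (Q - 1)        # CRT exponents
QINV = pow(Q, -1, P)                     # q^-1 mod p (Garner's recombination)


def crt_sign(m: int, fault_mask: int = 0) -> int:
    """Sign m with the CRT optimisation.

    fault_mask simulates a Rowhammer-style bit flip hitting the intermediate
    s_p (the mod-p half of the computation); 0 means no fault. Constructed
    for the demo, a real fault would come from corrupted memory, not an argument.
    """
    sp = pow(m, DP, P) ^ fault_mask
    sq = pow(m, DQ, Q)
    h = (QINV * (sp - sq)) % P
    return (sq + h * Q) % N


def sign_checked(m: int, fault_mask: int = 0):
    """Sign, then verify with the public key before releasing the signature.

    If any bit was flipped during signing, s^e != m (mod N), so the faulty
    value is never returned and cannot be used to recover the private key.
    Returns the signature, or None when the check fails.
    """
    s = crt_sign(m, fault_mask)
    if pow(s, E, N) != m % N:
        return None                      # fault detected: withhold the result
    return s


def demo() -> tuple:
    """Return (good signature, result of a faulted signing attempt)."""
    return sign_checked(42), sign_checked(42, fault_mask=1)


if __name__ == "__main__":
    good, faulted = demo()
    print("clean signature:", good, "matches textbook RSA:", good == pow(42, D, N))
    print("faulted signing attempt released:", faulted)   # None: detected
```

The check costs one public-exponent exponentiation per signature, which is cheap next to the private operation, and it catches any fault that corrupts the output, not only the specific flip simulated here.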

Image: Weissman et al.

In addition, the academic team found that a JackHammer attack is much harder to detect, because the FPGA's direct access to system resources leaves no trace of its memory accesses on the CPU. Since most anti-Rowhammer detection systems operate at the CPU level, this opens a new blind spot in CPU and cloud security.

For their tests, the academics used an Intel Arria 10 GX FPGA; however, this does not mean that only Arria FPGAs are affected.

By design, FPGAs are intended to "accelerate" systems. The real problem behind JackHammer is the inherent trust placed in user-configurable FPGAs in cloud environments, and the lack of security controls and protections designed for code executing on the FPGA.

"From a security perspective, a user-configurable FPGA in a cloud system must be treated with at least as much care and caution as a user-controlled CPU thread, as it can exploit many of the same vulnerabilities," the researchers said.

Through their work, the research team would like to see cloud providers react and add appropriate protections against malicious code executed on the FPGA rather than on the CPU.

The research team listed several mitigations that cloud providers could implement to protect cloud computing platforms against JackHammer. They include hardware monitoring, CPU cache partitioning, CPU cache pinning, higher DRAM refresh rates, and more.

For more details on this new FPGA attack vector, see the research team's technical paper, entitled "JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms".

WolfSSL 4.3.0, released on December 20, contains a fix (CVE-2019-19962) to prevent and mitigate JackHammer attacks.