SpyHammer: Understanding and Exploiting RowHammer under Fine-Grained Temperature Variations
- URL: http://arxiv.org/abs/2210.04084v2
- Date: Sun, 2 Jun 2024 23:16:00 GMT
- Title: SpyHammer: Understanding and Exploiting RowHammer under Fine-Grained Temperature Variations
- Authors: Lois Orosa, Ulrich Rührmair, A. Giray Yaglikci, Haocong Luo, Ataberk Olgun, Patrick Jattke, Minesh Patel, Jeremie Kim, Kaveh Razavi, Onur Mutlu,
- Abstract summary: We show that RowHammer is very sensitive to temperature variations, even if the variations are very small.
We propose a new RowHammer attack, called SpyHammer, that spies on the temperature of DRAM on critical systems.
- Score: 19.476638732094447
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: RowHammer is a DRAM vulnerability that can cause bit errors in a victim DRAM row solely by accessing its neighboring DRAM rows at a high-enough rate. Recent studies demonstrate that new DRAM devices are becoming increasingly vulnerable to RowHammer, and many works demonstrate system-level attacks for privilege escalation or information leakage. In this work, we perform the first rigorous fine-grained characterization and analysis of the correlation between RowHammer and temperature. We show that RowHammer is very sensitive to temperature variations, even if the variations are very small (e.g., $\pm 1$ {\deg}C). We leverage two key observations from our analysis to spy on DRAM temperature: 1) RowHammer-induced bit error rate consistently increases (or decreases) as the temperature increases, and 2) some DRAM cells that are vulnerable to RowHammer exhibit bit errors only at a particular temperature. Based on these observations, we propose a new RowHammer attack, called SpyHammer, that spies on the temperature of DRAM on critical systems such as industrial production lines, vehicles, and medical systems. SpyHammer is the first practical attack that can spy on DRAM temperature. Our evaluation in a controlled environment shows that SpyHammer can infer the temperature of the victim DRAM modules with an error of less than $\pm 2.5$ {\deg}C at the 90th percentile of all tested temperatures, for 12 real DRAM modules (120 DRAM chips) from four main manufacturers.
Related papers
- Temperature-Centric Investigation of Speculative Decoding with Knowledge Distillation [76.5894260737116]
This paper delves into the effects of decoding temperatures on speculative decoding's efficacy.
We first highlight the challenge of decoding at higher temperatures, and demonstrate KD in a consistent temperature setting could be a remedy.
Building upon these findings, we take an initial step to further the speedup for speculative decoding, particularly in a high-temperature generation setting.
arXiv Detail & Related papers (2024-10-14T04:17:45Z) - Preventing Rowhammer Exploits via Low-Cost Domain-Aware Memory Allocation [46.268703252557316]
Rowhammer is a hardware security vulnerability at the heart of every system with modern DRAM-based memory.
C Citadel is a new memory allocator design that prevents Rowhammer-initiated security exploits.
C Citadel supports thousands of security domains at a modest 7.4% average memory overhead and no performance loss.
arXiv Detail & Related papers (2024-09-23T18:41:14Z) - Enabling Efficient and Scalable DRAM Read Disturbance Mitigation via New Experimental Insights into Modern DRAM Chips [0.0]
Storage density exacerbates DRAM read disturbance, a circuit-level vulnerability exploited by system-level attacks.
Existing defenses are either ineffective or prohibitively expensive.
This dissertation tackles two problems: 1) protecting DRAM-based systems becomes more expensive as technology scaling increases read disturbance vulnerability, and 2) many existing solutions depend on proprietary knowledge of DRAM internals.
arXiv Detail & Related papers (2024-08-27T13:12:03Z) - An Experimental Characterization of Combined RowHammer and RowPress Read Disturbance in Modern DRAM Chips [7.430668228518989]
We characterize a pattern that combines RowHammer and RowPress in 84 real DDR4 DRAM chips from all three major DRAM manufacturers.
Our results show that this combined RowHammer and RowPress pattern takes significantly smaller amount of time (up to 46.1% faster) to induce the first bitflip compared to the state-of-the-art RowPress pattern.
Based on our results, we provide a key hypothesis that the read disturbance effect caused by RowPress from one of the two aggressor rows in a double-sided pattern is much more significant than the other.
arXiv Detail & Related papers (2024-06-18T21:57:45Z) - BreakHammer: Enhancing RowHammer Mitigations by Carefully Throttling Suspect Threads [5.767293823380473]
RowHammer is a read disturbance mechanism in DRAM where repeatedly accessing (hammering) a row of DRAM cells (DRAM row) induces bitflips in other physically nearby DRAM rows.
RowHammer solutions perform preventive actions (e.g., refresh neighbor rows of the hammered row) that mitigate such bitflips.
As shrinking technology node size over DRAM chip generations exacerbates RowHammer, the overheads of RowHammer solutions become prohibitively expensive.
In this work, we tackle the performance overheads of RowHammer solutions by tracking and throttling the generators of memory accesses that trigger RowHammer solutions.
arXiv Detail & Related papers (2024-04-20T22:09:38Z) - Fast Adversarial Attacks on Language Models In One GPU Minute [49.615024989416355]
We introduce a novel class of fast, beam search-based adversarial attack (BEAST) for Language Models (LMs)
BEAST employs interpretable parameters, enabling attackers to balance between attack speed, success rate, and the readability of adversarial prompts.
Our gradient-free targeted attack can jailbreak aligned LMs with high attack success rates within one minute.
arXiv Detail & Related papers (2024-02-23T19:12:53Z) - Small Effect Sizes in Malware Detection? Make Harder Train/Test Splits! [51.668411293817464]
Industry practitioners care about small improvements in malware detection accuracy because their models are deployed to hundreds of millions of machines.
Academic research is often restrained to public datasets on the order of ten thousand samples.
We devise an approach to generate a benchmark of difficulty from a pool of available samples.
arXiv Detail & Related papers (2023-12-25T21:25:55Z) - Jailbreaking GPT-4V via Self-Adversarial Attacks with System Prompts [64.60375604495883]
We discover a system prompt leakage vulnerability in GPT-4V.
By employing GPT-4 as a red teaming tool against itself, we aim to search for potential jailbreak prompts leveraging stolen system prompts.
We also evaluate the effect of modifying system prompts to defend against jailbreaking attacks.
arXiv Detail & Related papers (2023-11-15T17:17:39Z) - RowPress: Amplifying Read Disturbance in Modern DRAM Chips [7.046976177695823]
RowPress breaks memory isolation by keeping a DRAM row open for a long period of time.
In extreme cases, RowPress induces bitflips in a DRAM row when an adjacent row is activated only once.
Our detailed characterization of 164 real DDR4 DRAM chips shows that RowPress affects chips from all three major DRAM manufacturers.
arXiv Detail & Related papers (2023-06-29T16:09:56Z) - DRSM: De-Randomized Smoothing on Malware Classifier Providing Certified
Robustness [58.23214712926585]
We develop a certified defense, DRSM (De-Randomized Smoothed MalConv), by redesigning the de-randomized smoothing technique for the domain of malware detection.
Specifically, we propose a window ablation scheme to provably limit the impact of adversarial bytes while maximally preserving local structures of the executables.
We are the first to offer certified robustness in the realm of static detection of malware executables.
arXiv Detail & Related papers (2023-03-20T17:25:22Z) - ALARM: Active LeArning of Rowhammer Mitigations [0.0]
Rowhammer is a serious security problem of contemporary dynamic random-access memory (DRAM)
We present a tool, based on active learning, that automatically infers parameter of Rowhammer mitigations against synthetic models of modern DRAM.
arXiv Detail & Related papers (2022-11-30T12:24:35Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.