Knock-Knock: Black-Box, Platform-Agnostic DRAM Address-Mapping Reverse Engineering
- URL: http://arxiv.org/abs/2509.19568v1
- Date: Tue, 23 Sep 2025 20:49:48 GMT
- Title: Knock-Knock: Black-Box, Platform-Agnostic DRAM Address-Mapping Reverse Engineering
- Authors: Antoine Plin, Lorenzo Casalino, Thomas Rokicki, Ruben Salvador,
- Abstract summary: We develop an efficient, noise-robust, and fully platform-agnostic algorithm to recover the full bank-mask basis in polynomial time. Our method provides a 99% recall and accuracy on all tested platforms.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Modern Systems-on-Chip (SoCs) employ undocumented linear address-scrambling functions to obfuscate DRAM addressing, which complicates DRAM-aware performance optimizations and hinders proactive security analysis of DRAM-based attacks; most notably, Rowhammer. Although previous work tackled the issue of reversing physical-to-DRAM mapping, existing heuristic-based reverse-engineering approaches are partial, costly, and impractical for comprehensive recovery. This paper establishes a rigorous theoretical foundation and provides efficient practical algorithms for black-box, complete physical-to-DRAM address-mapping recovery. We first formulate the reverse-engineering problem within a linear algebraic model over the finite field GF(2). We characterize the timing fingerprints of row-buffer conflicts, proving a relationship between a bank addressing matrix and an empirically constructed matrix of physical addresses. Based on this characterization, we develop an efficient, noise-robust, and fully platform-agnostic algorithm to recover the full bank-mask basis in polynomial time, a significant improvement over the exponential search from previous works. We further generalize our model to complex row mappings, introducing new hardware-based hypotheses that enable the automatic recovery of a row basis instead of previous human-guided contributions. Evaluations across embedded and server-class architectures confirm our method's effectiveness, successfully reconstructing known mappings and uncovering previously unknown scrambling functions. Our method provides a 99% recall and accuracy on all tested platforms. Most notably, Knock-Knock runs in under a few minutes, even on systems with more than 500GB of DRAM, showcasing the scalability of our method. Our approach provides an automated, principled pathway to accurate DRAM reverse engineering.
Related papers
- Function Recovery Attacks in Gate-Hiding Garbled Circuits using SAT Solving [18.958044099636982]
  Semi-Private Function Evaluation enables joint computation while protecting both input data and function logic. We analyze the empirical security of gate hiding under two adversarial models that capture realistic computational capabilities. We present a SAT-based function-recovery attack that reconstructs hidden gate operations from a circuit's public topology.
  arXiv Detail & Related papers (2026-01-19T18:15:12Z)
- $ρ$Hammer: Reviving RowHammer Attacks on New Architectures via Prefetching [37.49955872834092]
  Rowhammer is a critical vulnerability in dynamic random access memory (DRAM). We present $ρ$Hammer, a new Rowhammer framework that overcomes three core challenges impeding attacks on new architectures. $ρ$Hammer induces up to 200K+ additional bit flips within 2-hour attack pattern fuzzing processes and has a 112x higher flip rate than the load-based hammering baselines.
  arXiv Detail & Related papers (2025-10-18T15:40:53Z)
- OpenGL GPU-Based Rowhammer Attack (Work in Progress) [0.0]
  This paper presents an adaptive, many-sided Rowhammer attack utilizing GPU compute shaders. Our approach employs statistical distributions to optimize row targeting and avoid current mitigations. Experimental results on a Raspberry Pi 4 demonstrate that the GPU-based approach attains a high rate of bit flips compared to traditional CPU-based hammering.
  arXiv Detail & Related papers (2025-09-24T10:11:05Z)
- Zobrist Hash-based Duplicate Detection in Symbolic Regression [0.5439020425819]
  Genetic Programming (GP) is an evolutionary search method that evolves a population of mathematical expressions through the mechanism of natural selection. We show that many points in the search space are re-visited and re-evaluated multiple times by the algorithm, leading to wasted computational effort. We introduce a caching mechanism based on the Zobrist hash, a type of hashing frequently used in abstract board games.
  arXiv Detail & Related papers (2025-08-19T14:18:16Z)
- Sudoku: Decomposing DRAM Address Mapping into Component Functions [1.5452318623316106]
  Decomposing DRAM address mappings into component-level functions is critical for understanding memory behavior and enabling precise RowHammer attacks. We introduce novel timing-based techniques leveraging DRAM refresh intervals and consecutive access latencies to infer component-specific functions. We present Sudoku, the first software-based tool to automatically decompose full DRAM address mappings into channel, rank, bank group, and bank functions while identifying row and column bits.
  arXiv Detail & Related papers (2025-06-18T23:41:49Z)
- Finding Transformer Circuits with Edge Pruning [71.12127707678961]
  We propose Edge Pruning as an effective and scalable solution to automated circuit discovery. Our method finds circuits in GPT-2 that use less than half the number of edges compared to circuits found by previous methods. Thanks to its efficiency, we scale Edge Pruning to CodeLlama-13B, a model over 100x the scale that prior methods operate on.
  arXiv Detail & Related papers (2024-06-24T16:40:54Z)
- Iterative Sketching for Secure Coded Regression [66.53950020718021]
  We propose methods for speeding up distributed linear regression. Specifically, we randomly rotate the basis of the system of equations and then subsample blocks, to simultaneously secure the information and reduce the dimension of the regression problem.
  arXiv Detail & Related papers (2023-08-08T11:10:42Z)
- A Linearly Convergent GAN Inversion-based Algorithm for Reverse Engineering of Deceptions [1.2891210250935146]
  We propose a novel framework for reverse engineering of deceptions that supposes that the clean data lies in the range of a GAN. For the first time in the literature, we provide deterministic linear convergence guarantees for this problem.
  arXiv Detail & Related papers (2023-06-07T20:08:27Z)
- Targeted Attack against Deep Neural Networks via Flipping Limited Weight Bits [55.740716446995805]
  We study a novel attack paradigm, which modifies model parameters in the deployment stage for malicious purposes. Our goal is to misclassify a specific sample into a target class without any sample modification. By utilizing the latest technique in integer programming, we equivalently reformulate this BIP problem as a continuous optimization problem.
  arXiv Detail & Related papers (2021-02-21T03:13:27Z)
- Phase Retrieval using Expectation Consistent Signal Recovery Algorithm based on Hypernetwork [73.94896986868146]
  Phase retrieval is an important component in modern computational imaging systems. Recent advances in deep learning have opened up a new possibility for robust and fast PR. We develop a novel framework for deep unfolding to overcome the existing limitations.
  arXiv Detail & Related papers (2021-01-12T08:36:23Z)
- ROME: Robustifying Memory-Efficient NAS via Topology Disentanglement and Gradient Accumulation [106.04777600352743]
  Differentiable architecture search (DARTS) is largely hindered by its substantial memory cost since the entire supernet resides in the memory. The single-path DARTS comes in, which only chooses a single-path submodel at each step. While being memory-friendly, it also comes with low computational costs. We propose a new algorithm called RObustifying Memory-Efficient NAS (ROME) to give a cure.
  arXiv Detail & Related papers (2020-11-23T06:34:07Z)
- One-step regression and classification with crosspoint resistive memory arrays [62.997667081978825]
  High speed, low energy computing machines are in demand to enable real-time artificial intelligence at the edge. One-step learning is supported by simulations of the prediction of the cost of a house in Boston and the training of a 2-layer neural network for MNIST digit recognition. Results are all obtained in one computational step, thanks to the physical, parallel, and analog computing within the crosspoint array.
  arXiv Detail & Related papers (2020-05-05T08:00:07Z)
This list is automatically generated from the titles and abstracts of the papers in this site.