Fall School on Nano-Electronics for Secure Systems, 10.-11.11.2021

Description

This tutorial takes you through all the steps of a Rowhammer attack on modern systems. In the first part of the tutorial, we will explain the basic operations of a DRAM device that you need to know for triggering Rowhammer bit flips. We then show you how to reverse engineer the DRAM addressing functions using a timing attack on the CPU's memory controller. You will apply this knowledge in a hands-on assignment to reverse engineer the addressing function on an Intel-based system. In the second part of the tutorial, we will discuss the in-DRAM Target Row Refresh mitigations and how they can be bypassed to trigger Rowhammer bit flips on recent DDR4 devices. Armed with this knowledge, you will build a Rowhammer fuzzer that can generate suitable access patterns that trigger bit flips. We will conclude by discussing how you can turn these bit flips into effective end-to-end exploits.

Tutors

Kaveh Razavi leads the COMSEC group (comsec.ethz.ch) as an assistant professor in the Department of Information Technology and Electrical Engineering at ETH Zurich. Previously he established the hardware security track at the VUSec group in Amsterdam, first as a postdoc and later as an assistant professor. His research interests are in the area of systems security and more broadly, computer systems. Most recently his team has been studying the (in)effectiveness of mitigations deployed against hardware vulnerabilities and how these mitigations can be improved.

Patrick Jattke is a PhD student in the Department of Information Technology and Electrical Engineering at ETH Zurich since 2020. He has broad interests in many different facets of hardware security, especially DRAM and microarchitectural security. Previously, he worked on advanced optimization strategies for making Fully Homomorphic Encryption accessible to non-experts.

Description

The shared FPGA platform in the cloud is based on the concept that the FPGA real estate can be shared among various users, probably event at different privilege levels. Such multi-tenancy comes with new security challenges, in which one user, while being completely logically isolated from another, can cause security breaches to another user on the same FPGA. In addition, such a hardware security vulnerability does not require physical access to the hardware to perform measurements or fault attacks, hence it can be done completely remotely. This hands-on tutorial will explore the remote active and passive attacks at the electrical level for multi-tenant FPGAs in the cloud and discusses possible countermeasures to deal with such security vulnerabilities.

Tutors

Mehdi Tahoori is currently a Full Professor and the Chair of Dependable Nano-Computing at Karlsruhe Institute of Technology, Germany. He received the B.S. degree in computer engineering from the Sharif University of Technology, Tehran, Iran, in 2000, and the M.S. and Ph.D. degrees in electrical engineering from Stanford University, Stanford, CA, in 2002 and 2003, respectively. In 2003, he was an Assistant Professor with the Department of Electrical and Computer Engineering, Northeastern University, where he became an Associate Professor in 2009. He has authored over 400 publications in major journals and conference proceedings on dependable computing and emerging nanotechnologies, and holds several US and European patents. He was the editor-in-chief of Microelectronic Reliability journal, and associate editor of ACM JETC and IET Computers and Digital Techniques. He is currently associate editor for IEEE Design and Test Magazine, and coordinating editor for Springer Journal of Electronic Testing (JETTA). He was the program chair of VLSI Test Symposium and General Chair of European Test Symposium. Prof. Tahoori was a recipient of the National Science Foundation Early Faculty Development (CAREER) Award. He has received a number of best paper nominations and awards at various conferences and journals. He is a fellow of the IEEE.

Dennis Gnad received his B.Eng. degree in Computer Engineering from Hochschule Pforzheim University, Germany in 2011, where he did his Bachelor Thesis in Cooperation with Texas Instruments Germany. In 2015, he received his M.Sc. in Computer Science from Karlsruhe Institute of Technology (KIT), Germany. In his Master Thesis he worked with the ITEC/CES group of Prof. Henkel with Dr. Shafique. In 2015, he became a PhD student at the ITEC/CDNC group of Prof. Mehdi Tahoori and later received his PhD degree (Dr.-Ing.) in 2020 with distinction (summa cum laude), and the dissertation "Remote Attacks on FPGA Hardware". His current research interests are in hardware security, primarily focussed on FPGA-based systems.

Jonas Krautter received his B.Sc. and M.Sc. degrees in Computer Science from Karlsruhe Institute of Technology in 2015 and 2018 respectively. He is now a PhD student at the CDNC group of Prof. Mehdi B. Tahoori at Karlsruhe Institute of Technology since April 2018, working on hardware security.