News Newly Demoed JackHammer Cyberattack Uses FPGA-CPU Combo to Attack Memory

jgraham11

Wow, take a look at the original Row Hammer Attacks page 4. They ran the same disturbance attack on AMD and Intel systems but the Intel system sucked quite a bit more (by orders of magnitude):

This table shows the number of bits flipped when they ran the flipping (disturbance) code:

Bit-Flip     Sandy Bridge   Ivy Bridge   Haswell   Piledriver
‘0’ → ‘1’    7,992          10,273       11,404    47
‘1’ → ‘0’    8,125          10,449       11,467    12
 

bit_user

Couldn't you fix Row Hammer, at the silicon level? I'm not saying it's trivial, but maybe repeated reads could somehow trigger a self-refresh of a page.

Anyway, these attacks require very low-level access, if you want to target a specific value, in memory. Otherwise, it seems to me that their primary purpose would just be to cause general havoc. And, if cloud operators are on their game, they could catch bad actors by correlating high incidence of ECC errors with the malicious code.
 

Alexander Holland

The original article author (or myself?) seems to have misunderstood the JackHammer whitepaper. It's not about using FPGAs to enhance attacks but about FPGAs which contain a hard CPU themselves being susceptible to attacks. Interesting but today purely academic.
 

bit_user

"The original article author (or myself?) seems to have misunderstood the JackHammer whitepaper. It's not about using FPGAs to enhance attacks but about FPGAs which contain a hard CPU themselves being susceptible to attacks. Interesting but today purely academic."

No. Honestly, how do you even look at the paper and come away with that interpretation?

From the abstract:
"After years of development, FPGAs are finally making an appearance on multi-tenant cloud servers. These heterogeneous FPGA-CPU architectures break common assumptions about isolation and security boundaries. Since the FPGA and CPU architectures share hardware resources, a new class of vulnerabilities requires us to reassess the security and dependability of these platforms.

"In this work, we analyze the memory and cache subsystem and study Rowhammer and cache attacks enabled on two proposed heterogeneous FPGA-CPU platforms by Intel: the Arria 10 GX with an integrated FPGA-CPU platform, and the Arria 10 GX PAC expansion card which connects the FPGA to the CPU via the PCIe interface. We show that while Intel PACs currently are immune to cache attacks from FPGA to CPU, the integrated platform is indeed vulnerable to Prime and Probe style attacks from the FPGA to the CPU’s last level cache. Further, we demonstrate JackHammer, a novel and efficient Rowhammer from the FPGA to the host’s main memory."

Observations:
  1. It's quite clear that the focus of the PCIe-based "expansion card" setup was to attack the host.
  2. The "Arria 10 GX with an integrated FPGA-CPU platform" is referring to this: https://www.nextplatform.com/2018/05/24/a-peek-inside-that-intel-xeon-fpga-hybrid-chip/
  3. The last sentence further emphasizes that they're concerned about the host (i.e. multi-tenant cloud server).
#2 is further reinforced by the part where they explain:
"The integrated Intel Arria 10 is based on a prototype E5-2600v4 CPU with 12 physical cores. The prototype CPU has a Broadwell architecture in which the last level cache (LLC) is inclusive of the L1/L2 caches. The CPU package has an integrated Arria 10 GX 1150 FPGA running at 400 MHz."

If you need further evidence, search for the text "Intel FPGA Platforms", where they include a detailed description of the hardware they're using.

I'm aware that these FPGAs contain embedded ARM hard-cores; however, ARM is only mentioned down in the references, whereas Xeon is mentioned throughout the paper.