International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms

Authors:
Zane Weissman , Worcester Polytechnic Institute, MA, USA
Thore Tiemann , University of Lübeck, Lübeck, Germany
Daniel Moghimi , Worcester Polytechnic Institute, MA, USA
Evan Custodio , Intel Corporation, Hudson, MA, USA
Thomas Eisenbarth , University of Lübeck, Lübeck, Germany
Berk Sunar , Worcester Polytechnic Institute, MA, USA
Download:
DOI: 10.13154/tches.v2020.i3.169-195
URL: https://tches.iacr.org/index.php/TCHES/article/view/8587
Search ePrint
Search Google
Abstract: After years of development, FPGAs are finally making an appearance on multi-tenant cloud servers. Heterogeneous FPGA-CPU microarchitectures require reassessment of common assumptions about isolation and security boundaries, as they introduce new attack vectors and vulnerabilities. In this work, we analyze the memory and cache subsystem and study Rowhammer and cache attacks enabled by two proposed heterogeneous FPGA-CPU platforms from Intel: the Arria 10 GX with an integrated FPGA-CPU platform, and the Arria 10 GX PAC expansion card which connects the FPGA to the CPU via the PCIe interface. We demonstrate JackHammer, a novel, efficient, and stealthy Rowhammer from the FPGA to the host’s main memory. Our results indicate that a malicious FPGA can perform twice as fast as a typical Rowhammer from the CPU on the same system and causes around four times as many bit flips as the CPU attack. We demonstrate the efficacy of JackHammer from the FPGA through a realistic fault attack on the WolfSSL RSA signing implementation that reliably causes a fault after an average of fifty-eight RSA signatures, 25% faster than a CPU Rowhammer. In some scenarios our JackHammer attack produces faulty signatures more than three times more often and almost three times faster than a conventional CPU Rowhammer. Finally, we systematically analyze new cache attacks in these environments following demonstration of a cache covert channel across FPGA and CPU.
Video from TCHES 2020
BibTeX
@article{tches-2020-30388,
  title={JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2020, Issue 3},
  pages={169-195},
  url={https://tches.iacr.org/index.php/TCHES/article/view/8587},
  doi={10.13154/tches.v2020.i3.169-195},
  author={Zane Weissman and Thore Tiemann and Daniel Moghimi and Evan Custodio and Thomas Eisenbarth and Berk Sunar},
  year=2020
}