Are We Susceptible to Rowhammer? An End-to-End Methodology for Cloud Providers

Explore an end-to-end methodology for cloud providers to assess their servers' vulnerability to Rowhammer attacks in this 17-minute IEEE conference talk. Learn about the challenges in creating worst-case DRAM testing conditions and discover a novel instruction sequence that leverages microarchitectural side-effects to "hammer" DRAM at near-optimal rates on modern Intel platforms. Gain insights into the development of a DDR4 fault injector for reverse engineering row adjacency and understand why DRAM rows may not always follow a linear map. Delve into the landscape of Rowhammer, key testing requirements, and the limitations of previous instruction sequences used in Rowhammer attacks. Uncover the importance of masking refresh commands and examine the complete hardware stack used in this comprehensive approach to evaluating Rowhammer susceptibility in cloud environments.

Intro
Landscape of Rowhammer
Rowhammer Primer
Two Key Requirements for Rowhammer Testing
Challenges in Generating Highest Rate of ACTS
Typical Rowhammer Instruction Sequence
Rate of ACTs from Previous Instruction Sequences
Our Near-Optimal Instruction Sequence on Skylake
Determining Physically Adjacent Rows
Previous Reverse-Engineering Methodology Relies on Rowhammer
Mount a Devastating Rowhammer by Masking Refreshes (REF)
Fault Injector that Masks Refresh Commands
Our Complete Hardware Stack
Row Adjacency Map
Key Takeaways
An end-to-end methodology to test if any cloud server is susceptible to Rowhammer