www.iaik.tugraz.at

Software-based Microarchitectural Attacks
Daniel Gruss
IAIK, Graz University of Technology
June 14, 2017 — PhD Defense

Thesis in numbers
32 months
10 invited talks and presentations at international venues
13 publications co-authored (7 times tier 1)
6 included in thesis (3 times tier 1)

Software-based Side-Channel Attacks
security and privacy rely on secrets (unknown to attackers)
secrets can leak through side channels
software-based → no physical access

Plan (from March 2015)

Plan (how it worked out)
P+P
F+R
Page Dedup.
P+P in JS
CTA
Page Dedup. in JS
F+R on Memory → DRAMA
F+R in JS → Rowhammer.js
F+R on ARM → ARMageddon

Relation of the papers
minimization of requirements
automation of attacks
novel side channels
CTA, Dedup.js, RH.js, F+F, ARMageddon, Prefetch

1. Introduction
2. Background
3. Contributions
4. Conclusion

CPU Caches
buffer frequently used data from slow memory for the fast CPU
every memory reference goes through the cache
transparent to OS and programs

Memory Access Latency

A simple cache
Memory Address: Tag | Index | Offset
Cache: 2^n cache sets
Way 1 Tag | Way 1 Data | Way 2 Tag | Way 2 Data

Data and Instruction Caches
core 0: L1, L2
core 1: L1, L2
core 2: L1, L2
core 3: L1, L2
ring bus
LLC slice 0, LLC slice 1, LLC slice 2, LLC slice 3
last-level cache:
shared
inclusive
→ shared memory is shared in cache, across cores!
function maps addresses to slices (Maurice, Le Scouarnec, et al. 2015)

Flush+Reload
Attacker address space | Cache | Victim address space
cached, cached
flushes
loads data
reloads data

3. Contributions
– Cache Template Attacks
– Page Deduplication Attacks in JavaScript
– Rowhammer.js
– Flush+Flush
– ARMageddon
– Prefetch Attacks

Cache Template Attack Demo

Cache Template
(figure: ADDRESS axis from 0x7c680 to 0x7cd00, KEY axis from g to z)

Page Deduplication Attack
Virtual Address Space: JavaScript, Victim
Physical Address Space
Attacker generates a page suspected in victim process
Attacker waits for deduplication
t = time();       // timestamp before the write
p[0] = p[0];      // write to the attacker's page
∆ = time() - t;   // latency of the write
measure ∆ (plot: ∆ in µs over Time, axis ticks 0 and 4)
pages compared: ≠, then =
write and measure ∆
copy
write
Attacker learns that another process had an identical page

Our Attack
First page deduplication attack which
detects CSS files/images on websites,
runs in JavaScript (no rdtsc, no addresses),
runs on KVM, Windows 8.1 and Android.

Detect Image (JavaScript, Cross-VM, KVM)
(figure: Nanoseconds, log scale from 10^2 to 10^5, per Page, 500 to 3,500; series: Image not loaded, Image loaded)

Rowhammer
Rowhammer: DRAM bug that causes bit flips (Kim et al. 2014)
Bug used in security exploits (Seaborn 2015)
Only non-cached accesses reach DRAM
Very similar to Flush+Reload

Rowhammer (with clflush)
DRAM bank | cache set 1 | cache set 2
clflush, clflush
reload, reload
(clflush and reload alternate)
wait for it...
bit flip!

Rowhammer without clflush
DRAM bank | cache set 1 | cache set 2
load, load (repeated)
reload, reload
repeat!
wait for it...
bit flip!

Rowhammer without clflush
Challenges:
1. How to get accurate timing (in JS)? → easy
2. How to get physical addresses (in JS)? → easy
3. Which physical addresses to access? → already solved
4. In which order to access them? → our contribution

Replacement policy on older CPUs
“LRU eviction” memory accesses
cache set: 2 5 8 1 7 6 3 4
load: 9, 10, 11, 12, 13, 14, 15, 16
LRU replacement policy: oldest entry first
timestamps for every cache line
access updates timestamp

Replacement policy on recent CPUs
“LRU eviction” memory accesses
cache set: 2 5 8 1 7 6 3 4
load: 9, 10, 11, 12, 13, 14, 15, 16
no LRU replacement
only 75% success rate on Haswell
more accesses → higher success rate, but too slow

Cache eviction strategy: Notation (1)
Write eviction strategies as: P-C-D-L-S
for (s = 0; s <= S - D; s += L)        /* start offset, advanced by L */
    for (c = 1; c <= C; c += 1)        /* C repetitions */
        for (d = 1; d <= D; d += 1)    /* D different addresses */
            *a[s+d];                   /* access one address */
S: total number of different addresses (= set size)
D: different addresses per inner access loop
L: step size of the inner access loop
C: number of repetitions of the inner access loop

Cache eviction strategy: Notation (2)
for (s = 0; s <= S - D; s += L)
    for (c = 1; c <= C; c += 1)
        for (d = 1; d <= D; d += 1)
            *a[s+d];
P-2-2-1-4 → 1, 2, 1, 2, 2, 3, 2, 3, 3, 4, 3, 4
P-1-1-1-4 → 1, 2, 3, 4 → LRU eviction with set size 4
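
An added example, not code from the talk or the thesis: the P-C-D-L-S loop expanded into its access sequence and replayed against a simulated cache set that uses the timestamp LRU policy from the "Replacement policy on older CPUs" slide. The function names, the target-line model and the way counts passed in (8 as drawn on the LRU slide, 16 as on the evaluated Haswell) are assumptions of this example; it models ideal LRU only and does not reproduce measured eviction rates.

```c
#include <stdio.h>
#include <string.h>

#define MAX_WAYS 32
#define MAX_SEQ  4096

/* Expand P-C-D-L-S into its access sequence, using the loop from the
 * slides. Entries are 1-based indices into the set of S addresses.
 * Returns the number of accesses, or -1 on invalid parameters. */
int expand_strategy(int C, int D, int L, int S, int *out, int cap)
{
    int n = 0;
    if (C < 1 || D < 1 || L < 1 || S < D)
        return -1;
    for (int s = 0; s <= S - D; s += L)
        for (int c = 1; c <= C; c++)
            for (int d = 1; d <= D; d++) {
                if (n >= cap)
                    return -1;
                out[n++] = s + d;
            }
    return n;
}

/* One cache set with true LRU: every line has a timestamp, an access
 * refreshes it, and a miss replaces the line with the oldest timestamp. */
struct lru_set {
    int ways;
    int line[MAX_WAYS];             /* 0 marks an empty way */
    unsigned long stamp[MAX_WAYS];
    unsigned long clock;
};

/* Returns 1 on a hit, 0 on a miss (the line is filled on a miss). */
int lru_access(struct lru_set *set, int line)
{
    int victim = 0;
    set->clock++;
    for (int w = 0; w < set->ways; w++) {
        if (set->line[w] == line) {
            set->stamp[w] = set->clock;
            return 1;
        }
        if (set->stamp[w] < set->stamp[victim])
            victim = w;             /* empty ways (stamp 0) go first */
    }
    set->line[victim] = line;
    set->stamp[victim] = set->clock;
    return 0;
}

/* Load a target line, run the strategy once, then check the set.
 * Returns 1 if the target was evicted, 0 if it is still cached,
 * -1 on invalid parameters. */
int evicts_target_lru(int ways, int C, int D, int L, int S)
{
    static int seq[MAX_SEQ];
    struct lru_set set;
    const int target = -1;          /* distinct from addresses 1..S */
    int n = expand_strategy(C, D, L, S, seq, MAX_SEQ);

    if (n < 0 || ways < 1 || ways > MAX_WAYS)
        return -1;
    memset(&set, 0, sizeof set);
    set.ways = ways;
    lru_access(&set, target);
    for (int i = 0; i < n; i++)
        lru_access(&set, seq[i]);
    for (int w = 0; w < ways; w++)
        if (set.line[w] == target)
            return 0;
    return 1;
}

int main(void)
{
    /* The four strategies named on the evaluation slide: {C, D, L, S}. */
    static const int strat[][4] = {
        {1, 1, 1, 17}, {1, 1, 1, 20}, {2, 1, 1, 17}, {2, 2, 1, 17},
    };
    int seq[MAX_SEQ];

    for (size_t i = 0; i < sizeof strat / sizeof strat[0]; i++) {
        const int *p = strat[i];
        int n = expand_strategy(p[0], p[1], p[2], p[3], seq, MAX_SEQ);
        printf("P-%d-%d-%d-%d: %d accesses, evicted under ideal 16-way LRU: %d\n",
               p[0], p[1], p[2], p[3], n,
               evicts_target_lru(16, p[0], p[1], p[2], p[3]));
    }
    return 0;
}
```

Under ideal LRU every strategy from the evaluation evicts the target, so the lower rate measured for P-1-1-1-17 on Haswell comes from the non-LRU replacement policy, not from the number of distinct addresses.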

Cache eviction strategies: Evaluation
We evaluated more than 10000 strategies...
strategy     # accesses   eviction rate   loop time
P-1-1-1-17   17           74.46% ✗        307 ns ✓
P-1-1-1-20   20           99.82% ✓        934 ns ✗
P-2-1-1-17   34           99.86% ✓        191 ns ✓
P-2-2-1-17   64
Executed in a loop, on a Haswell with a 16-way last-level cache
Executed in a loop, on a Haswell with a 16-way last-level cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense30
www.iaik.tugraz.at
Cache eviction strategies: Evaluation
We evaluated more than 10000 strategies...
strategy # accesses eviction rate loop time
P-1-1-1-17 17 74.46% 7 307 ns 3P-1-1-1-20 20 99.82% 3 934 ns 7P-2-1-1-17 34 99.86% 3 191 ns 3P-2-2-1-17 64 99.98% 3
Executed in a loop, on a Haswell with a 16-way last-level cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense30
www.iaik.tugraz.at
Cache eviction strategies: Evaluation
We evaluated more than 10000 strategies...
strategy # accesses eviction rate loop time
P-1-1-1-17 17 74.46% 7 307 ns 3P-1-1-1-20 20 99.82% 3 934 ns 7P-2-1-1-17 34 99.86% 3 191 ns 3P-2-2-1-17 64 99.98% 3 180 ns 3
Executed in a loop, on a Haswell with a 16-way last-level cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense30
www.iaik.tugraz.at
Cache eviction strategies: Evaluation
We evaluated more than 10000 strategies...
strategy     # accesses   eviction rate   loop time
P-1-1-1-17   17           74.46% ✗        307 ns ✓
P-1-1-1-20   20           99.82% ✓        934 ns ✗
P-2-1-1-17   34           99.86% ✓        191 ns ✓
P-2-2-1-17   64           99.98% ✓        180 ns ✓
→ more accesses, smaller execution time?
Executed in a loop, on a Haswell with a 16-way last-level cache
Cache eviction strategies (illustration)
Access timeline per strategy (H = hit; horizontal axis: time in ns)
P-1-1-1-17 (17 accesses, 307 ns): Miss (intended), Miss (intended), H, Miss, Miss, Miss, H, Miss, Miss, Miss, H, Miss, Miss, Miss, H, Miss, Miss
P-2-1-1-34 (34 accesses, 191 ns): Miss (intended), Miss (intended), H H H H H H H H, Miss, H H H H H H H H, Miss, H H H H H H H H, Miss, H H H H H
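
The P-C-D-L-S notation and the evaluation table above, as an added example (not code from the slides or from the Rowhammer.js project): it expands a strategy into its access sequence and replays it against one modelled cache set. The true-LRU set model, the `TARGET` index and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_WAYS 32
#define MAX_SEQ  4096
#define TARGET   0   /* assumed index of the line to evict; strategies use 1..S */

/* Expand P-C-D-L-S with the 1-based loops of the "Notation (2)" slide.
 * Stores up to cap indices in out (may be NULL); returns the access count. */
size_t expand_strategy(int C, int D, int L, int S, int *out, size_t cap)
{
    size_t n = 0;
    if (C < 1 || D < 1 || L < 1 || S < D)
        return 0;
    for (int s = 0; s <= S - D; s += L)
        for (int c = 1; c <= C; c++)
            for (int d = 1; d <= D; d++) {
                if (out && n < cap)
                    out[n] = s + d;
                n++;
            }
    return n;
}

/* Assumption: one cache set with true LRU replacement; line[0] is the MRU. */
struct lru_set { int ways, used, line[MAX_WAYS]; };

/* Touch addr; returns 1 on a miss (fill, evicting the LRU if full), 0 on a hit. */
int lru_access(struct lru_set *set, int addr)
{
    int pos = -1;
    for (int i = 0; i < set->used; i++)
        if (set->line[i] == addr) { pos = i; break; }
    int miss = pos < 0;
    if (miss) {
        if (set->used < set->ways)
            set->used++;
        pos = set->used - 1;   /* new slot, or the LRU slot when the set is full */
    }
    memmove(&set->line[1], &set->line[0], (size_t)pos * sizeof(int));
    set->line[0] = addr;
    return miss;
}

struct round_result {
    size_t accesses;     /* accesses per run of the strategy */
    size_t misses;       /* misses among them in the last round */
    int target_evicted;  /* 1 if TARGET is gone after the last round */
};

/* Reload TARGET, replay the strategy, repeat; report the last (steady) round. */
struct round_result simulate(int ways, int C, int D, int L, int S, int rounds)
{
    struct round_result r = {0, 0, 0};
    struct lru_set set = { ways, 0, {0} };
    int seq[MAX_SEQ];
    size_t n = expand_strategy(C, D, L, S, seq, MAX_SEQ);
    if (n == 0 || n > MAX_SEQ || ways < 1 || ways > MAX_WAYS || rounds < 1)
        return r;
    r.accesses = n;
    for (int k = 0; k < rounds; k++) {
        lru_access(&set, TARGET);
        r.misses = 0;
        for (size_t i = 0; i < n; i++)
            r.misses += (size_t)lru_access(&set, seq[i]);
    }
    r.target_evicted = 1;
    for (int i = 0; i < set.used; i++)
        if (set.line[i] == TARGET)
            r.target_evicted = 0;
    return r;
}

int main(void)
{
    /* Strategies from the evaluation table, replayed on a modelled 16-way set. */
    const int strat[][4] = { {1,1,1,17}, {1,1,1,20}, {2,1,1,17}, {2,2,1,17} };
    for (size_t i = 0; i < sizeof strat / sizeof strat[0]; i++) {
        const int *p = strat[i];
        struct round_result r = simulate(16, p[0], p[1], p[2], p[3], 10);
        printf("P-%d-%d-%d-%d: %zu accesses, %zu misses, target evicted: %d\n",
               p[0], p[1], p[2], p[3], r.accesses, r.misses, r.target_evicted);
    }
    return 0;
}
```

Under true LRU all four table strategies evict the target, with 17 or 20 misses per round, so the 74.46% measured for P-1-1-1-17 indicates a replacement policy that is not plain LRU. The extra accesses of P-2-1-1-17 and P-2-2-1-17 are all hits in the model.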
Evaluation on Haswell
[Plot: bit flips (logarithmic axis) against refresh interval in µs (BIOS configuration); series: clflush, Evict (Native), Evict (JavaScript)]
Figure: Number of bit flips within 15 minutes.
3. Contributions
– Cache Template Attacks
– Page Deduplication Attacks in JavaScript
– Rowhammer.js
– Flush+Flush
– ARMageddon
– Prefetch Attacks
Flush+Flush: Motivation
cache attacks → many cache misses
detect via performance counters
→ good idea, but not good enough
Flush+Reload
[Diagram: attacker address space, cache, victim address space; the shared line is held in the cache]
step 1: attacker flushes the shared line
step 2: victim loads data while performing encryption
step 3: attacker reloads data → fast access if the victim loaded the line
Flush+Flush
[Diagram: attacker address space, cache, victim address space; the shared line is held in the cache]
step 0: attacker maps shared library → shared memory, shared in cache
step 1: attacker flushes the shared line
step 2: victim loads data while performing encryption
step 3: attacker flushes data → high execution time if the victim loaded the line
Flush+Flush: Conclusion
496 KB/s covert channel
same side channel targets as Flush+Reload
attacker causes no cache misses
→ fast
→ stealthy
Cache Attacks on mobile devices?
powerful cache attacks on Intel x86 in the last 10 years
nothing like Flush+Reload or Prime+Probe on mobile devices
→ why?
ARMageddon in a nutshell
1. no flush instruction → Evict+Reload
2. pseudo-random replacement → eviction strategies from Rowhammer.js
3. cycle counters require root → new timing methods
4. last-level caches not inclusive → let L1 spill to L2
5. multiple CPUs → remote fetches + flushes
ARMageddon Demo
Prefetch: Motivation
Mapping level:    PDPT   PD    PT    cached P.   uncached P.
Execution time:   230    246   222   181         383
Idea: Would this also work on inaccessible kernel memory?
Prefetch: Kernel Memory Layout
[Diagram: virtual address space with a user part (0 to 2^47) and a kernel part (−2^47 to −1); physical memory (0 to max. phys.); direct map]
Prefetching Kernel Addresses
[Plot: min. access latency against page offset in kernel direct map]
Prefetch: Locate Kernel Driver (defeat KASLR)
[Plot: avg. execution time against page offset in kernel driver region]
Conclusions
1. microarchitectural attacks can be widely automated
2. unknown and novel side channels are likely to exist
3. minimal requirements enable attacks through websites
4. constructing countermeasures is difficult and requires solid understanding of attacks
Author’s Publications in this Thesis
1. Daniel Gruss, Raphael Spreitzer, et al. (2015). “Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches”. In: USENIX Security Symposium
2. Daniel Gruss, David Bidner, et al. (2015). “Practical Memory Deduplication Attacks in Sandboxed JavaScript”. In: ESORICS’15
3. Daniel Gruss, Clementine Maurice, Klaus Wagner, et al. (2016). “Flush+Flush: A Fast and Stealthy Cache Attack”. In: DIMVA’16
4. Daniel Gruss, Clementine Maurice, and Stefan Mangard (2016). “Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript”. In: DIMVA’16
5. Moritz Lipp et al. (2016). “ARMageddon: Cache Attacks on Mobile Devices”. In: USENIX Security Symposium
6. Daniel Gruss, Clementine Maurice, Anders Fogh, et al. (2016). “Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR”. In: CCS’16
Further Contributions
1. Peter Pessl et al. (2016). “DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks”. In: USENIX Security Symposium
2. Victor van der Veen et al. (2016). “Drammer: Deterministic Rowhammer Attacks on Mobile Platforms”. In: CCS’16
3. Clementine Maurice, Manuel Weber, et al. (2017). “Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud”. In: NDSS’17
4. Michael Schwarz, Clementine Maurice, et al. (2017). “Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript”. In: Financial Cryptography 2017
5. Daniel Gruss, Moritz Lipp, et al. (2017). “KASLR is Dead: Long Live KASLR”. In: ESSoS’17. (to appear)
6. Michael Schwarz, Daniel Gruss, et al. (2017). “Malware Guard Extension: Using SGX to Conceal Cache Attacks”. In: DIMVA’17. (to appear)
7. Daniel Gruss, Julian Lettner, et al. (2017). “Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory”. In: USENIX Security Symposium. (to appear)