CR AR Mar 10, 2020

Are We Susceptible to Rowhammer? An End-to-End Methodology for Cloud Providers

arXiv:2003.04498v1, 116 citations
AI Analysis

This paper addresses a critical security threat for cloud providers by providing a practical testing framework, though it is incremental in that it builds on existing Rowhammer research.

The paper tackles the problem of systematically testing cloud servers for susceptibility to Rowhammer attacks. Its end-to-end methodology revealed that the CPU instruction sequences used in prior work were insufficient, so the authors created a new instruction sequence that achieves near-optimal hammering rates and a DDR4 fault injector that reverse engineers row adjacency.

Cloud providers are concerned that Rowhammer poses a potentially critical threat to their servers, yet today they lack a systematic way to test whether the DRAM used in their servers is vulnerable to Rowhammer attacks. This paper presents an end-to-end methodology to determine if cloud servers are susceptible to these attacks. With our methodology, a cloud provider can construct worst-case testing conditions for DRAM. We apply our methodology to three classes of servers from a major cloud provider. Our findings show that none of the CPU instruction sequences used in prior work to mount Rowhammer attacks create worst-case DRAM testing conditions. To address this limitation, we develop an instruction sequence that leverages microarchitectural side-effects to "hammer" DRAM at a near-optimal rate on modern Intel Skylake and Cascade Lake platforms. We also design a DDR4 fault injector that can reverse engineer row adjacency for any DDR4 DIMM. When applied to our cloud provider's DIMMs, we find that DRAM rows do not always follow a linear map.
