



# ROWHAMMER.JS

ROOT privileges for web apps!

Test run of file:///home/dgruss/rowhammerjs/rowhammer.html (browser screenshot; the timing histogram is not reproduced here):

```
[!] Found flip (254 != 255) at array index 340021386 when hammering indices 339881984 and 340156416
[!] Found flip (239 != 255) at array index 340022176 when hammering indices 339881984 and 340156416
[!] Found flip (191 != 255) at array index 340023138 when hammering indices 339881984 and 340156416
[!] Found flip (254 != 255) at array index 340025146 when hammering indices 339881984 and 340156416
```

# DRAM organisation

64k cells per row, 1 capacitor and 1 transistor each

# Rowhammer



- Cells leak → need **refresh**
- Max. refresh interval to guarantee **data integrity**
- Cells leak faster upon proximate accesses → Rowhammer


# Search for page with flip

## Hammering memory locations in different rows


# Page Table Example




# Code Page Example

A single-bit flip in the opcode byte of a `JE` (0111 0100) turns it into a different instruction, one example per flipped bit:

| Flipped bit | Resulting opcode byte | Instruction |
|-------------|-----------------------|-------------|
| (none)      | 0111 0100             | JE          |
| bit 7       | 1111 0100             | HLT         |
| bit 6       | 0011 0100             | XORB        |
| bit 5       | 0101 0100             | PUSHQ       |
| bit 4       | 0110 0100             | \<prefix\>  |
| bit 3       | 0111 1100             | JL          |
| bit 2       | 0111 0000             | JO          |
| bit 1       | 0111 0110             | JBE         |
| bit 0       | 0111 0101             | JNE         |



- DDR3 affected
- DDR4 affected
- Even ECC affected despite error correction!
  - Can SGX's integrity protection prevent Rowhammer?



# Plundervolt: Flipping Bits from Software without Rowhammer

Kit Murdock, Daniel Gruss, David Oswald



# Memory Mapped Registers



# DVFS

Adrian Tang et al. "CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management"  
In: USENIX Security Symposium 2017

# CLKscrew attack



# TrustZone vs. normal world





- Infer secret AES key that was stored within Trustzone
- Trick Trustzone into loading a self-signed app

Pengfei Qiu et al. "VoltJockey: Breaching TrustZone by Software-Controlled Voltage Manipulation over Multi-core Frequencies"  
In: CCS 2019

# ARM

# What about Intel?







Huge difference!!!



Screenshots: RightMark CPU Clock Utility (AMD Opteron 170; multiplier (FID) 10.0x, requested Vcore (VID) 1.200V), CPU-Z, and CPU-Tweaker 2.0 (AMD Phenom II X4 965 on an ASUS M4A88TD-M/USB3; per-core multipliers, CPU VID, CPU VDDC, NB voltages and memory timings are all settable from software).



# Static & dynamic voltage



# Will it fault?

```
uint64_t multiplier = 0x1122334455667788;
uint64_t correct    = 0xdeadbeef * multiplier;  // reference result at nominal voltage
uint64_t var        = 0xdeadbeef * multiplier;

// start undervolting

// Repeat the same multiplication until the CPU computes it wrongly
while ( var == correct )
{
    var = 0xdeadbeef * multiplier;
}

// stop undervolting
// Can we ever get here?
uint64_t flipped_bits = var ^ correct;   // which bits did the fault change?
```


**Intel SGX**



# Physical Memory





- Bit flips in the EPC?
- Integrity check fails!
- → **Lock up memory controller**
- → System halts immediately (no exploit, but DoS!)

**Will Plundervolt  
work in SGX?**



- Public Key Cryptography
- Untrusted

Intel's example code for RSA implementations uses the Chinese Remainder Theorem optimisation

# RSA Signature/Decryption with CRT

$$n = p \times q$$

$$M = C^d \bmod n$$

$$d_p = d \bmod (p - 1), \qquad d_q = d \bmod (q - 1)$$

$$m_p = C^{d_p} \bmod p, \qquad m_q = C^{d_q} \bmod q$$

$$M = \big((p^{-1} \bmod q) \times (m_q - m_p) \bmod q\big) \times p + m_p$$

$M'$ denotes the result when one of the two half computations ($m_p$ or $m_q$) is faulted.



- Bellcore:  $\gcd(M' - M, n)$
- Lenstra:  $\gcd((M')^e - C, n)$
- yields  $p$  or  $q$  (and dividing  $n$  by it gives the other)
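The Bellcore and Lenstra recoveries above, worked through on a toy CRT-RSA implementation as an added example (not code from the slides or from Intel's IPP library); the primes, message and fault mask are constructed, and the fault is simulated by flipping bits of $m_p$ in software. The last function shows the standard countermeasure: re-encrypt with $e$ and refuse to release a result that does not verify.

```python
# Added example (not from the slides): toy CRT-RSA with a simulated fault in
# the m_p half, the Bellcore / Lenstra gcd key recovery, and the
# verify-before-release check that stops the faulty result leaking.
from math import gcd

# Constructed toy parameters (real keys use 2048-bit primes).
p, q = 10007, 10009
n = p * q
e = 65537
d = pow(e, -1, (p - 1) * (q - 1))
d_p, d_q = d % (p - 1), d % (q - 1)
p_inv = pow(p, -1, q)                 # p^-1 mod q, as on the slide


def crt_rsa(C, fault_mask=0):
    """M = C^d mod n via CRT; fault_mask simulates a bit flip in m_p."""
    m_p = pow(C, d_p, p) ^ fault_mask  # faulted half (mask 0 = correct run)
    m_q = pow(C, d_q, q)
    h = (p_inv * (m_q - m_p)) % q      # Garner recombination from the slide
    return (m_p + h * p) % n


def bellcore(M, M_faulty):
    """Needs a correct and a faulty result for the same input C."""
    return gcd(M_faulty - M, n)


def lenstra(C, M_faulty):
    """Needs only the faulty result and the public key (e, n)."""
    return gcd(pow(M_faulty, e, n) - C, n)


def other_factor(n, factor):
    """Dividing n by the recovered prime gives the other one."""
    return n // factor


def crt_rsa_checked(C, fault_mask=0):
    """Countermeasure: verify with the public exponent before releasing."""
    M = crt_rsa(C, fault_mask)
    return M if pow(M, e, n) == C % n else None
```

A fault in $m_p$ leaves $M' \equiv M \pmod q$ but not modulo $p$, so both gcds return $q$ here; the checked variant returns `None` instead of the faulty value.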

```
// Start undervolting
uint8_t rsa_dec_ecall(int iterations)
{
    // Wait for the first fault in a probe computation, so we know the
    // core is already faulting before the real decryption starts
    trigger_fault(iterations);

    // Actual decryption (CRT-based, Intel IPP)
    ippRSA_Decrypt(ct, dec, pPrv, scratchBuffer);
}

// Stop undervolting
```


**What else can  
we break?**



- Symmetric key crypto
- Encrypt messages for transfer over public channel and data for (untrusted) storage
- 4 × 4 byte state, 10 rounds:  
SubBytes, ShiftRows, MixColumns, AddRoundKey
- HW-accelerated with AES-NI

| Instruction     | Description                                      |
|-----------------|--------------------------------------------------|
| AESENC          | Perform one round of an AES encryption flow      |
| AESENCLAST      | Perform the last round of an AES encryption flow |
| AESDEC          | Perform one round of an AES decryption flow      |
| AESDECLAST      | Perform the last round of an AES decryption flow |
| AESKEYGENASSIST | Assist in AES round key generation               |
| AESIMC          | Assist in AES Inverse Mix Columns                |
| PCLMULQDQ       | Carryless multiply (CLMUL)                       |

# Differential Fault Analysis Attack

# Differential Fault Attack on AES



```
// Start undervolting
do
{
    plaintext = <randomly generated>;
    result1   = aes128_encryption(plaintext);
    result2   = aes128_encryption(plaintext);
} while (result1 == result2);   // loop until the two runs disagree: a fault hit
// Stop undervolting
```

```
bagger> sudo ./aes-encrypt 100000 -262
```


**It's not just  
crypto!**

```
struct _foo_t *foo = &arr[offset];
foo->foo = enclave_secret;
```

# Memory Corruption

`foo = arr + offset * 0x24`

```
Creating enclave...
==== Victim Enclave ====
[pt.c] /dev/sgx-step opened!
Enclave Base: 0x7f001a000000
```

Voltage: 0.584V  
Undervolting: -235mV

**How difficult to  
fault is it?**

# Idle & crash voltage – Intel(R) Core i3-7100U CPU





# Idle, error & crash voltages – Intel Core i3-7100U




# Error & crash voltages – Intel Core i3-7100U



| Code Name     | Model No   | Frequency Tested |
|---------------|------------|------------------|
| Skylake       | i7-6700K   | 2.0GHz           |
| Kaby Lake     | i7-7700HQ  | 2.0GHz           |
|               | i3-7100U-A | 1.0GHz           |
|               | i3-7100U-B | 2.0GHz           |
|               | i3-7100U-C | 2.0GHz           |
| Kaby Lake-R   | i7-8650U-A | 1.9GHz           |
|               | i7-8650U-B | 1.9GHz           |
|               | i7-8550U   | 2.6GHz           |
| Coffee Lake-R | i9-9900U   | 3.6GHz           |

# Two Intel Core i3-7100U CPUs




*All faults were injected at normal ambient temperature*

## More undervolting

- Idle cores
- More crashes!

## Less undervolting

- Cores maxed
- Fewer crashes




**Faulting some  
random stuff**

```
versatile$ ./operation -m 200 -s -177 -X 5 -i 200 -o P -c "cat backup/text_file.txt" -r 0 -t 8
Summary
-----
time (ms) interval:      200
Iterations:              200
Start Voltage:           -177
End Voltage:             0
Stop after x drops:      5
Voltage steps:           1
Threads:                 8
Operand1:                0x000000ffffffffffff
Operand2:                0x000000ffffffffffff
Operand1 is:              maximum
Operand2 is:              maximum
Operand1 min is:          0x0000000000000000
Operand2 min is:          0x0000000000000000
Calculation only:         No
Display calculation:     No
Verbose:                  Yes
Option:                   Command Line
Command Line options
> Command line:           cat backup/text_file.txt
> Result code:            0
```




# Concurrent work

Zijo Kenjar et al. "V0LTpwn: Attacking x86 Processor Integrity from Software"  
In: USENIX Security Symposium 2020

Pengfei Qiu et al. "Breaking SGX by software-controlled voltage-induced hardware faults"  
In: AsianHOST 2019



- A new type of attack against Intel
- Breaks the integrity of SGX
- Within SGX
  - Retrieve keys using AES-NI
  - Retrieve RSA key
  - Induce memory corruption in bug free code
  - Make enclave write secrets to untrusted memory



This research is partially funded by the Research Fund KU Leuven, and by the Agency for Innovation and Entrepreneurship (Flanders). Jo Van Bulck is supported by a grant of the Research Foundation – Flanders (FWO). This research is partially funded by the Engineering and Physical Sciences Research Council (EPSRC) under grants EP/R012598/1, EP/R008000/1, and by the European Union's Horizon 2020 research and innovation programme under grant agreements No. 779391 (FutureTPM) and No. 681402 (SOPHIA).



Thank you