RAM-ramming Rowhammer is back – to uniquely fingerprint devices

Boffins astatine nan University of California, Davis person devised a purportedly applicable measurement to use a representation maltreatment method called Rowhammer to build unique, unchangeable instrumentality fingerprints.

UC Davis researchers Hari Venugopalan, Kaustav Goswami, Zainul Abi Din, Jason Lowe-Power, Samuel King, and Zubair Shafiq person recovered they tin usage Rowhammer to create instrumentality fingerprints successful a little magnitude of clip that are unsocial and unchanging, moreover erstwhile nan devices travel from nan aforesaid maker, pinch identical hardware and package configurations.

They telephone their fingerprinting method Centauri.

Device fingerprinting mostly involves cataloging a device's package and hardware characteristics. Each of these characteristics (e.g. surface solution aliases manufacturer) is said to correspond 1 spot of entropy. With capable bits of entropy, you get a worth that's highly apt to beryllium unique among a circumstantial group and frankincense functions arsenic a unsocial identifier.

And this, we're told, tin beryllium extended to memory: Rowhammer-style probing tin uncover characteristics of RAM that tin beryllium utilized to fingerprint hardware. The cardinal point to understand present is that erstwhile performing Rowhammer-like attacks connected memory, nan measurement nan RAM reacts and nan distribution of bits that flip is unsocial to each computer's memory, and that tin beryllium utilized to fingerprint nan machine.

"Our information of Centauri connected 98 DIMMs crossed six sets of identical DRAM modules from 2 manufacturers showed that it tin extract precocious entropy and unchangeable fingerprints pinch an wide accuracy of 99.91 percent while being robust and efficient," they claimed [PDF].

Their approach, they say, is perchance useful for fraud detection. However, they admit nan strategy does person immoderate flaws – it could clang fingerprinted devices aliases deterioration retired their representation modules for example.

History lesson

First proposed successful 2014, Rowhammer is simply a measurement to induce representation errors successful modern DRAM chips by many times "hammering" rows of representation cells pinch a burst of publication aliases constitute operations.

Doing truthful tin flip bits – turning a capacitor connected aliases disconnected – successful a peculiar representation reside by many times accessing adjacent representation addresses. Essentially, nan method creates electrical interference betwixt rows of representation cells that leads to representation corruption.

Rowhammer is mostly not a applicable onslaught erstwhile nan discourse involves moving arbitrary codification connected nan victim's device. If that's nan threat scenario, location are easier options to hijack aliases interfere pinch a machine erstwhile you're already moving your ain arbitrary codification connected it.

But it has elicited immoderate interest arsenic a measurement to return over a victim's virtual instrumentality successful a unreality environment, moreover pinch a representation defense called Target Row Refresh (TRR), via an onslaught called Blacksmith. Rowhammer has besides been utilized to create a not peculiarly speedy browser-based onslaught called Smash.

Browser-based fingerprinting is already utilized by more than a 4th of websites, according to IBM Research.

The research

Centauri doesn't measurement attributes of this sort. Rather it looks astatine contiguous 2MB chunks of representation addresses for a unsocial group of flipped bits erstwhile a Rowhammer onslaught takes place. The distribution of those flipped bits thief fingerprint nan device.

The machine scientists overcame a number of challenges to make their attack work. They had to fig retired really to grip spot flips being non-deterministic (unpredictable) crossed representation chunks, really to woody pinch representation allocation constraints to guarantee they could entree nan aforesaid chunks of representation repeatedly, and really to instrumentality established techniques for bypassing Rowhammer representation defenses (TRR).

Centauri is nan first method to show nan extraction of unsocial and unchangeable fingerprints connected nan largest standard utilizing Rowhammer

"Centauri is nan first method to show nan extraction of unsocial and unchangeable fingerprints connected nan largest standard utilizing Rowhammer while overcoming applicable limitations enforced by nan operating strategy and by Rowhammer mitigations specified arsenic TRR," they explain.

Centauri arsenic prototyped involves moving autochthonal codification connected nan user's desktop, but nan researchers judge it tin beryllium adapted to tally from a web app successful a browser. A fewer other steps would beryllium required: those trying to grounds representation fingerprints would person to infer nan user's microarchitecture utilizing Rowhammer.js and usage nan Smash onslaught to create nan basal patterns to trigger spot flips. After that, Centauri could beryllium applied.

The native-code onslaught involves 3 phases: a templating phase, successful which representation is probed pinch nan Blacksmith fuzzer to place spot flip patterns that tin beryllium utilized to evade TRR; a hammering phase, successful which bits are flipped; and a matching phase, successful which nan fingerprints extracted are compared pinch reference information to create a probability distribution for each capacitor to flip wrong a representation chunk.

Based connected nan study that nan distribution of spot flips successful a 2MB chunk of representation is some highly unsocial and consistent, nan researchers created their fingerprint from these distributions.

"From nan accusation recorded successful nan hammering phase, we place nan comparative positions and counts of nan capacitors that flipped wrong nan contiguous 2MB chunk (indexed from 0 to 1,048,576 successful lawsuit of 1Rx8 DIMMs)," nan boffins explain. "We past usage these counts to create an empirical probability distribution for each capacitor to flip wrong nan chunk."

• When nan world ends, each that will beryllium near are cockroaches and caller Rowhammer attacks: RAM defenses surgery again
• Is it still imaginable to tally malware successful a browser utilizing JavaScript and Rowhammer? Yes, yes it is (slowly)
• Complexity has surgery machine security, says world who helped spot Meltdown and Spectre flaws
• Rowhammer rides again arsenic FPGA attack, RSA again reportedly up for sale, anti-theft kit to nuke laptops, etc

The researchers declare Centauri tin execute accuracy of 99.91 percent, though that takes astir 3 minutes. An expedited fingerprint is imaginable astatine nan disbursal of immoderate accuracy.

"Centauri is capable to extract a fingerprint successful arsenic small arsenic 9.92 seconds, reducing nan overhead by much than 95.01 percent while degrading accuracy by conscionable 0.64," they authorities successful their paper.

One imaginable usage of this benignant of fingerprinting is fraud discovery – eg: spotting bots. A machine that attempts to dress to beryllium aggregate machines would beryllium revealed by its unsocial fingerprint. But there's a catch.

"Centauri’s committedness successful detecting fraudsters comes pinch a non-zero consequence to benign users," nan researchers admit. "While triggering spot flips to extract fingerprints, Centauri could accidentally clang a user’s instrumentality by flipping a delicate spot reserved for nan OS. In our experience, however, we spot that specified occurrences are highly rare."

To debar this, nan boffins propose having operating strategy vendors guarantee that representation allocated to nan operating strategy isn't physically adjacent to that reserved for different applications.

"Another consequence presented by Centauri is that it could deterioration retired representation modules if it is utilized to perpetually trigger spot flips for fingerprinting," they explain.

"Centauri’s attack of triggering spot flips pinch less accesses to aggressors helps mitigate this concern. Such concerns tin besides beryllium mitigated by only employing different fingerprinting techniques for nan communal cases and sparingly employing Centauri to only grip nan captious cases." ®