DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks

TL;DR

This paper introduces DRAMA, a novel class of cross-CPU attacks exploiting undocumented DRAM address mappings to establish high-speed covert channels and side-channel attacks, even without shared memory or cache access.

Contribution

The paper presents two methods to reverse engineer DRAM address mappings and demonstrates new DRAMA attacks that exploit shared DRAM row buffers for high-speed covert channels and side-channel attacks.

Findings

Achieved a covert channel with up to 2 Mbps capacity.

Developed a side-channel attack for automatic memory access monitoring.

Enabled practical Rowhammer attacks on DDR4 using DRAM mapping insights.

Abstract

In cloud computing environments, multiple tenants are often co-located on the same multi-processor system. Thus, preventing information leakage between tenants is crucial. While the hypervisor enforces software isolation, shared hardware, such as the CPU cache or memory bus, can leak sensitive information. For security reasons, shared memory between tenants is typically disabled. Furthermore, tenants often do not share a physical CPU. In this setting, cache attacks do not work and only a slow cross-CPU covert channel over the memory bus is known. In contrast, we demonstrate a high-speed covert channel as well as the first side-channel attack working across processors and without any shared memory. To build these attacks, we use the undocumented DRAM address mappings. We present two methods to reverse engineer the mapping of memory addresses to DRAM channels, ranks, and banks. One uses physical probing of the memory bus, the other runs entirely in software and is fully automated. Using this mapping, we introduce DRAMA attacks, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems. Thus, our attacks work in the most restrictive environments. First, we build a covert channel with a capacity of up to 2 Mbps, which is three to four orders of magnitude faster than memory-bus-based channels. Second, we build a side-channel template attack that can automatically locate and monitor memory accesses. Third, we show how using the DRAM mappings improves existing attacks and in particular enables practical Rowhammer attacks on DDR4.