FAULT+PROBE: A Generic Rowhammer-based Bit Recovery Attack

TL;DR

The paper demonstrates that Rowhammer fault injections can leak secret information via observable behavioral channels, even in the presence of verify-after-sign defenses. It introduces Fault+$Probe, a generic end-to-end technique that combines offline memory profiling to locate reproducible bit flips with an online attack that uses Rowhammer to probe secret bits through observable feedback, guided by Statistical Fault Analysis. The authors implement an end-to-end attack against wolfSSL’s TLS 1.3 handshake to recover a 256-bit ECDSA private key at an average rate of 22 bits/hour with 100% success, and they show the approach works across other libraries and DRAM modules. The work highlights the need for defenses that address observable hardware-induced side channels, not just fault-detection in cryptographic protocols.

Abstract

Rowhammer is a security vulnerability that allows unauthorized attackers to induce errors within DRAM cells. To prevent fault injections from escalating to successful attacks, a widely accepted mitigation is implementing fault checks on instructions and data. We challenge the validity of this assumption by examining the impact of the fault on the victim's functionality. Specifically, we illustrate that an attacker can construct a profile of the victim's memory based on the directional patterns of bit flips. This profile is then utilized to identify the most susceptible bit locations within DRAM rows. These locations are then subsequently leveraged during an online attack phase with side information observed from the change in the victim's behavior to deduce sensitive bit values. Consequently, the primary objective of this study is to utilize Rowhammer as a probe, shifting the emphasis away from the victim's memory integrity and toward statistical fault analysis (SFA) based on the victim's operational behavior. We show FAULT+PROBE may be used to circumvent the verify-after-sign fault check mechanism, which is designed to prevent the generation of erroneous signatures that leak sensitive information. It does so by injecting directional faults into key positions identified during a memory profiling stage. The attacker observes the signature generation rate and decodes the secret bit value accordingly. This circumvention is enabled by an observable channel in the victim. FAULT+PROBE is not limited to signing victims and can be used to probe secret bits on arbitrary systems where an observable channel is present that leaks the result of the fault injection attempt. To demonstrate the attack, we target the fault-protected ECDSA in wolfSSL's implementation of the TLS 1.3 handshake. We recover 256-bit session keys with an average recovery rate of 22 key bits/hour and a 100% success rate.

Figures (9)

• Figure 1: Different Rowhammer hammering configurations
• Figure 2: Fault$+$Probe Attack overview. The attack starts by hammering adjacent rows for the offline memory profiling phase. The most sensitive bit offsets are profiled. The victim process is located on the profiled row. The process is run and hammered during the online attack phase a sufficient number of times. The value of the targeted offset is found by comparing the results from the offline memory profiling and online attack phases.
• Figure 3: Optimal configuration search for the most number of bit flips.
• Figure 4: The variance and mean of bit flip rates for the target offset and other offsets in a single page for an increasing number of iterations. The separation between the target and other offsets allows us to distinguish the two based on the observed rate easily.
• Figure 5: Location and direction of bit flip on different pages. (a) and (b) are examples of reliable pages, (c) and (d) are examples of unstable and unusable pages, respectively.