Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Towards Remote Attestation of Microarchitectural Attacks: The Case of Rowhammer

Martin Herrmann, Oussama Draissi, Christian Niesler, Ahmad-Reza Sadeghi, Lucas Davi

Abstract

Microarchitectural vulnerabilities increasingly undermine the assumption that hardware can be treated as a reliable root of trust. Prevention mechanisms often lag behind evolving attack techniques, leaving deployed systems unable to assume continued trustworthiness. We propose a shift from prevention to detection through microarchitectural-aware remote attestation. As a first instantiation of this idea, we present HammerWatch, a Rowhammer-aware remote attestation protocol that enables an external verifier to assess whether a system exhibits hardware-induced disturbance behavior. HammerWatch leverages memory-level evidence available on commodity platforms, specifically Machine-Check Exceptions (MCEs) from ECC DRAM and counter-based indicators from Per-Row Activation Counting (PRAC), and protects these measurements against kernel-level adversaries using TPM-anchored hash chains. We implement HammerWatch on commodity hardware and evaluate it on 20000 simulated benign and malicious access patterns. Our results show that the verifier reliably distinguishes Rowhammer-like behavior from benign operation under conservative heuristics, demonstrating that detection-oriented attestation is feasible and can complement incomplete prevention mechanisms

Towards Remote Attestation of Microarchitectural Attacks: The Case of Rowhammer

Abstract

Microarchitectural vulnerabilities increasingly undermine the assumption that hardware can be treated as a reliable root of trust. Prevention mechanisms often lag behind evolving attack techniques, leaving deployed systems unable to assume continued trustworthiness. We propose a shift from prevention to detection through microarchitectural-aware remote attestation. As a first instantiation of this idea, we present HammerWatch, a Rowhammer-aware remote attestation protocol that enables an external verifier to assess whether a system exhibits hardware-induced disturbance behavior. HammerWatch leverages memory-level evidence available on commodity platforms, specifically Machine-Check Exceptions (MCEs) from ECC DRAM and counter-based indicators from Per-Row Activation Counting (PRAC), and protects these measurements against kernel-level adversaries using TPM-anchored hash chains. We implement HammerWatch on commodity hardware and evaluate it on 20000 simulated benign and malicious access patterns. Our results show that the verifier reliably distinguishes Rowhammer-like behavior from benign operation under conservative heuristics, demonstrating that detection-oriented attestation is feasible and can complement incomplete prevention mechanisms
Paper Structure (40 sections, 1 equation, 4 figures, 4 tables)

This paper contains 40 sections, 1 equation, 4 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Rowhammer.
  4. Error Correcting Code (ECC) and Machine-Check Exceptions (MCE).
  5. Per-Row Activation Counting (PRAC).
  6. Remote Attestation (RA).
  7. Problem Statement
  8. Threat Model
  9. Design Overview
  10. Measurements for Rowhammer Detection.
  11. Measurement Protection - Integrity and Authenticity
  12. Availability and Confidentiality
  13. TOCTTOU Attack Prevention.
  14. Remote Attestation Protocol.
  15. Evidence Evaluation
  16. ...and 25 more sections

Figures (4)

  • Figure 1: Conceptual RA challenge-response protocol: The verifier issues a nonce with the attestation request. The prover responds with encrypted measurements, the nonce, and the corresponding signature. The verifier checks these elements to determine whether the prover is compromised.
  • Figure 2: Attestation Request Processing: Flow describing how the prover processes an attestation request in the implemented attestation protocol.
  • Figure 3: Attestation Response Processing: Detailed flow of how the verifier processes an attestation response in the implemented attestation protocol. Here, $t_R$ denotes the time of receiving the attestation response, $t_S$ the time of sending the attestation request, and $t_T$ the timeout threshold. $PCR_{Calc}$ refers to the recalculated PCR value, and $PCR_{Rec}$ refers to the PCR value received in the attestation response.
  • Figure 4: Overview of the HammerWatch architecture.