DOI: 10.1145/3548606.3560673
Research article (Public Access)

When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer

Published: 07 November 2022

Abstract

In this work, we recover the private key material of the FrodoKEM key exchange mechanism as submitted to the NIST Post Quantum Cryptography (PQC) standardization process.
The mechanism that enables this is a Rowhammer-assisted poisoning of the FrodoKEM key generation (KeyGen) process. Rowhammer is a hardware-level exploit that flips bits in DRAM by repeatedly accessing ("hammering") rows of memory adjacent to a target victim location. Using Rowhammer, we induce the FrodoKEM software to output a higher-error public key (PK) $(\mathbf{A}, \mathbf{B} = \mathbf{A}\mathbf{S} + \widetilde{\mathbf{E}})$, where the error term $\widetilde{\mathbf{E}}$ has been modified by Rowhammer.
We then mount a decryption failure attack, using a variety of publicly accessible supercomputing resources and on the order of only 200,000 core-hours. We carefully attenuate the decryption failure rate so that the adversary's attack succeeds in practice, but honest users cannot easily detect the manipulation.
Achieving this public key poisoning requires an extreme engineering effort, as FrodoKEM's KeyGen runs in on the order of 8 milliseconds (prior Rowhammer-assisted attacks against cryptography require as long as 8 hours of persistent access). To handle this real-world timing constraint, we combine a wide variety of prior and brand-new low-level engineering techniques, including memory massaging algorithms (i.e., "Feng Shui") and a precisely targeted performance degradation attack on the extendable output function SHAKE. We explore the applicability of our techniques to other lattice-based KEMs in the NIST PQC Round 3 candidate pool, e.g. Kyber and Saber, as well as the difficulties that arise in the various settings. To conclude, we discuss various simple countermeasures to protect implementations against this and similar attacks.
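As an added illustration of the two ideas above (constructed example code, not the authors' attack code and not the FrodoKEM implementation): a toy Frodo-style LWE scheme with a one-bit message, a tiny dimension and no Fujisaki-Okamoto transform, in which KeyGen can model a single Rowhammer bit flip in the stored 16-bit word of one error coefficient before the public key B = AS + E~ is computed. Because B is derived from the already-poisoned E~, the published key is internally consistent and decryption still succeeds most of the time; the decryption failure rate is governed by which bit was flipped. The parameters (Q = 2^15, N = 16, centred-binomial errors in [-2, 2]), the one-word flip model and the bit sweep are all assumptions of this example.

```python
import random

# Toy Frodo-style LWE encryption core (1-bit message, no FO transform).
# Constructed for illustration only; FrodoKEM uses n >= 640, matrices of
# secrets and a wider error distribution.
Q = 2 ** 15   # modulus; every coefficient is stored as a 16-bit word mod Q
N = 16        # LWE dimension
ETA = 2       # centred-binomial parameter: errors lie in [-2, 2]


def cbd(rng):
    """Centred binomial sample: (sum of ETA bits) - (sum of ETA bits)."""
    return (sum(rng.getrandbits(1) for _ in range(ETA))
            - sum(rng.getrandbits(1) for _ in range(ETA)))


def centred(x):
    """Map a stored word in [0, Q) back to its centred value in [-Q/2, Q/2)."""
    x %= Q
    return x - Q if x >= Q // 2 else x


def keygen(rng, flip_bit=None, flip_index=0):
    """Return (pk=(A, b), sk=s) with b = A*s + e mod Q.

    If flip_bit is set, model one Rowhammer flip of that bit in the DRAM
    word holding e[flip_index] *before* b is computed, so the published key
    is consistent with the poisoned error e~ (assumed flip model)."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    s = [cbd(rng) for _ in range(N)]
    e = [cbd(rng) for _ in range(N)]
    if flip_bit is not None:
        stored = e[flip_index] % Q                 # the uint16 word as stored
        e[flip_index] = centred(stored ^ (1 << flip_bit))
    b = [(sum(A[i][j] * s[j] for j in range(N)) + e[i]) % Q for i in range(N)]
    return (A, b), s


def encrypt(rng, pk, m):
    """Lindner-Peikert style encryption of bit m under pk."""
    A, b = pk
    s1 = [cbd(rng) for _ in range(N)]              # ephemeral secret
    e1 = [cbd(rng) for _ in range(N)]
    e2 = cbd(rng)
    u = [(sum(s1[i] * A[i][j] for i in range(N)) + e1[j]) % Q for j in range(N)]
    v = (sum(s1[i] * b[i] for i in range(N)) + e2 + m * (Q // 2)) % Q
    return u, v


def decrypt(sk, ct):
    """w = v - u*s = s1*e + e2 - e1*s + m*Q/2; decode fails when the
    accumulated error term reaches Q/4 in magnitude."""
    u, v = ct
    w = (v - sum(u[j] * sk[j] for j in range(N))) % Q
    return 1 if Q // 4 <= w < 3 * Q // 4 else 0


def failure_rate(rng, pk, sk, trials):
    """Fraction of random encrypt/decrypt round trips that decode wrongly."""
    fails = 0
    for _ in range(trials):
        m = rng.getrandbits(1)
        if decrypt(sk, encrypt(rng, pk, m)) != m:
            fails += 1
    return fails / trials


def rates_by_flipped_bit(trials=1500, seed=1):
    """Failure rate for an honest key and for a flip at each candidate bit.
    Flipping bit k adds +/- 2^k (mod Q) to one error coefficient, so the
    extra decryption error is s1[idx] * 2^k: the attacker tunes the
    failure rate by choosing which bit to hit."""
    rng = random.Random(seed)
    out = {}
    for bit in (None, 11, 12, 13, 14):
        pk, sk = keygen(rng, flip_bit=bit)
        out[bit] = failure_rate(rng, pk, sk, trials)
    return out


if __name__ == "__main__":
    for bit, r in rates_by_flipped_bit().items():
        label = "honest key" if bit is None else f"flip bit {bit} of one error word"
        print(f"{label:32s} decryption failure rate = {r:.4f}")
```

Run as a script, it prints the failure rate for an honest key and for a flip at bits 11 through 14. In this toy a bit-11 flip is absorbed by the decoder and never fails, bit 12 fails a few percent of the time, bit 13 roughly 40%, and bit 14 exactly half the time (the ephemeral coefficient is odd half the time and then shifts the error by Q/2). That choice is the dial the abstract calls attenuating the failure rate: high enough that the attacker, who sees their own encapsulations disagree, can harvest failing ciphertexts, and low enough that a key owner running a handful of round trips after KeyGen may see nothing wrong. Note also that the honest key never fails at these parameters, so every observed failure is attributable to the poisoned coefficient.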


Cited By

  • (2024) BreakHammer: Enhancing RowHammer Mitigations by Carefully Throttling Suspect Threads. 2024 57th IEEE/ACM International Symposium on Microarchitecture (MICRO), 915-934. https://doi.org/10.1109/MICRO61859.2024.00072
  • (2024) CoMeT: Count-Min-Sketch-based Row Tracking to Mitigate RowHammer at Low Cost. 2024 IEEE International Symposium on High-Performance Computer Architecture (HPCA), 593-612. https://doi.org/10.1109/HPCA57654.2024.00050
  • (2024) Spatial Variation-Aware Read Disturbance Defenses: Experimental Analysis of Real DRAM Chips and Implications on Future Solutions. 2024 IEEE International Symposium on High-Performance Computer Architecture (HPCA), 560-577. https://doi.org/10.1109/HPCA57654.2024.00048
  • (2024) Read Disturbance in High Bandwidth Memory: A Detailed Experimental Study on HBM2 DRAM Chips. 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 75-89. https://doi.org/10.1109/DSN58291.2024.00022
  • (2024) SpyHammer: Understanding and Exploiting RowHammer Under Fine-Grained Temperature Variations. IEEE Access 12, 80986-81003. https://doi.org/10.1109/ACCESS.2024.3409389
  • (2024) Presshammer: Rowhammer and Rowpress Without Physical Address Information. Detection of Intrusions and Malware, and Vulnerability Assessment, 460-479. https://doi.org/10.1007/978-3-031-64171-8_24
  • (2024) A Note on Failing Gracefully: Completing the Picture for Explicitly Rejecting Fujisaki-Okamoto Transforms Using Worst-Case Correctness. Post-Quantum Cryptography, 245-265. https://doi.org/10.1007/978-3-031-62746-0_11
  • (2023) Don't Knock! Rowhammer at the Backdoor of DNN Models. 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 109-122. https://doi.org/10.1109/DSN58367.2023.00023
  • (2023) An Experimental Analysis of RowHammer in HBM2 DRAM Chips. 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume (DSN-S), 151-156. https://doi.org/10.1109/DSN-S58398.2023.00042
  • (2023) Revisiting Security Estimation for LWE with Hints from a Geometric Perspective. Advances in Cryptology - CRYPTO 2023, 748-781. https://doi.org/10.1007/978-3-031-38554-4_24

Published In

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
November 2022, 3598 pages
ISBN: 9781450394505
DOI: 10.1145/3548606
Publisher: Association for Computing Machinery, New York, NY, United States
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Author Tags

  1. cryptanalysis
  2. post-quantum cryptography
  3. rowhammer

Acceptance Rates

CCS overall acceptance rate: 1,261 of 6,999 submissions, 18%