A New Method for Identifying Systems Using Dynamic Rowhammer RAM
A group of researchers from the University of California, Davis has published a study examining whether the Rowhammer technique for flipping bits in dynamic RAM (DRAM) can be used to identify systems. Their findings show that the pattern of bit flips (distortions) produced by an attack is unique to each individual DRAM chip and remains stable over time. Based on this, they developed the Centauri technique, which identifies systems with an average accuracy of 99.91%.
Determining the identifier in Centauri requires only the ability to run code with the rights of an unprivileged user for several seconds or minutes. The highest accuracy is achieved when the measurement runs for about three minutes; accepting a slight reduction in accuracy (by 0.64) allows identification in just 9.92 seconds, which reduces the overhead by 95%. The researchers tested the method on approximately 98 DRAM modules from two manufacturers, including sets of identical chips. Repeated experiments over a period of 10 days showed no decrease in accuracy.
Rowhammer attacks corrupt the contents of individual memory bits by repeatedly reading data from neighboring memory cells. DRAM consists of a two-dimensional array of cells, each made up of a capacitor and a transistor; continuously reading the same memory area causes voltage fluctuations that make neighboring cells lose a small amount of charge. If the access rate is high enough, a neighboring cell can lose so much charge that the next refresh cycle cannot restore its original state, and the stored value changes.
Because the chip manufacturing process is not perfectly uniform, each memory chip has a unique physical structure within accepted tolerances. These deviations give each memory module a unique probability distribution of bit flips caused by Rowhammer attacks, which is what the creators of Centauri make use of. The TRR (Target Row Refresh) mechanism that memory manufacturers implemented to block Rowhammer by preventing bit flips in adjacent rows does not affect the accuracy of identification with Centauri.
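The principle behind such a fingerprint, as an added illustration that is not the researchers' code: each simulated module has a hidden per-bit flip-probability profile, an enrollment run estimates it, and a later probe is matched by log-likelihood against the stored templates. The region size, the number of weak bits, the flip probabilities and the round counts are constructed assumptions; the score margin between the best match and the runner-up grows with probe length, mirroring the accuracy/time trade-off described above.

```python
import math
import random

# Constructed simulation, not the Centauri paper's code or data. Every simulated
# DRAM module has a hidden set of "weak" bit positions that flip under hammering
# more often than the rest; that per-bit flip distribution is the fingerprint.
N_BITS, N_WEAK = 2048, 96          # hammered region size / weak bits per module
P_WEAK, P_NOISE = 0.20, 0.02       # per-round flip probabilities (constructed)

def make_module(seed):
    """Hidden per-bit flip probabilities of one simulated module."""
    weak = set(random.Random(seed).sample(range(N_BITS), N_WEAK))
    return [P_WEAK if i in weak else P_NOISE for i in range(N_BITS)]

def hammer(profile, rounds, rng):
    """Run 'rounds' hammering passes; return how often each bit flipped."""
    return [sum(rng.random() < p for _ in range(rounds)) for p in profile]

def enroll(profile, rounds, rng):
    """Template = smoothed per-bit flip frequency, stored as log-probabilities."""
    counts = hammer(profile, rounds, rng)
    est = [(c + 0.5) / (rounds + 1) for c in counts]   # keeps 0 < p < 1
    return [(math.log(p), math.log(1 - p)) for p in est]

def log_likelihood(counts, rounds, template):
    """Log-probability of the observed flip counts under a stored template."""
    return sum(c * lp + (rounds - c) * lq
               for c, (lp, lq) in zip(counts, template))

def identify(counts, rounds, templates):
    """Best-matching module id and its score margin over the runner-up."""
    scores = sorted(((log_likelihood(counts, rounds, t), m)
                     for m, t in templates.items()), reverse=True)
    return scores[0][1], scores[0][0] - scores[1][0]

def evaluate(n_modules=8, enroll_rounds=40, probe_rounds=6, trials=16, seed=7):
    """Identification accuracy and mean margin for a given probe length."""
    rng = random.Random(seed)
    profiles = {m: make_module(100 + m) for m in range(n_modules)}
    templates = {m: enroll(p, enroll_rounds, rng) for m, p in profiles.items()}
    hits, margins = 0, []
    for t in range(trials):
        truth = t % n_modules                 # probe each module in turn
        guess, margin = identify(hammer(profiles[truth], probe_rounds, rng),
                                 probe_rounds, templates)
        hits += guess == truth
        margins.append(margin)
    return hits / trials, sum(margins) / trials
```

Comparing `evaluate(probe_rounds=1)` with `evaluate(probe_rounds=6)` shows that a short probe can still pick out the right module, but with a far thinner margin than a longer measurement.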
The identification process consists of three stages: first, the Blacksmith method (a version of Rowhammer)