Skip to main content

Newly Demoed JackHammer Cyberattack Uses FPGA-CPU Combo to Attack Memory

(Image credit: Dmitry Kalinovsky/Shutterstock)

There's a new hammer in town. On December 31, researchers detailed a cyberattack dubbed JackHammer, as spotted by ZDNet. Based on the Rowhammer attacks revealed in 2014, JackHammer uses a hybrid FPGA and CPU setup to conduct more efficient attacks on various forms of PC memory.

Unlike other branding applied to vulnerabilities, Rowhammer is actually pretty descriptive. The attack corrupts data stored in memory by repeatedly accessing one row of memory cells to build up enough charge to cause bit flips in adjacent rows. Rowhammer attacks were previously executed only via CPUs. But the rise of FPGAs led researchers at Intel, the Worcester Polytechnic Institute in the U.S. and the University of Lubeck in Germany to see if the hardware could make the attacks more effective. 

It turns out that it does. The researchers said that JackHammer attacks, which are effectively Rowhammer attacks conducted on FPGA-CPU setups, can be twice as fast as attacks conducted from CPUs only and can also cause four times as many bit flips.

That means the attacks conducted by the researchers were simultaneously more efficient and more effective. Combine that with the Rowhammer attacks' already wide reach--not even ECC memory is safe--and this could be a terrifying discovery.

Don't be surprised if other researchers start to wonder how FPGAs could improve existing attacks following JackHammer's revelation--or if those improvements become even more worrisome as FPGAs rise in popularity and performance.

  • jgraham11
    Wow, take a look at the original Row Hammer Attacks page 4. They ran the same disturbance attack on AMD and Intel systems but the Intel system sucked quite a bit more (by orders of magnitude):

    This table shows the number of bits flipped when they ran the flipping (disturbance) code:

    Bit-Flip-----Sandy Bridge---Ivy Bridge----Haswell----Piledriver

    ‘0’ ‘1’ -------7;992------------10;273------11;404---------47

    ‘1’ ‘0’--------8;125------------10;449------11;467---------12
    Reply
  • bit_user
    Couldn't you fix Row Hammer, at the silicon level? I'm not saying it's trivial, but maybe repeated reads could somehow trigger a self-refresh of a page.

    Anyway, these attacks require very low-level access, if you want to target a specific value, in memory. Otherwise, it seems to me that their primary purpose would just be to cause general havoc. And, if cloud operators are on their game, they could catch bad actors by correlating high incidents of ECC errors with the malicious code.
    Reply
  • Alexander Holland
    The original article author (or myself?) seem to have miss understood the jackhammer whitepaper. It's not about using FPGAs to enhance attacks but that FPGAs which contain a hard CPU themselves being susceptible to attacks. Interesting but today purely academic.
    Reply
  • bit_user
    Alexander Holland said:
    The original article author (or myself?) seem to have miss understood the jackhammer whitepaper. It's not about using FPGAs to enhance attacks but that FPGAs which contain a hard CPU themselves being susceptible to attacks. Interesting but today purely academic.
    No. Honestly, how do you even look at the paper and come away with that interpretation?

    From the abstract:
    After years of development, FPGAs are finally making an appearance on multi-tenant cloud servers. These heterogeneous FPGA-CPU architectures break common assumptions about isolation and security boundaries. Since the FPGA and CPU architectures share hardware resources, a new class of vulnerabilities requires us to reassess the security and dependability of these platforms.

    In this work, we analyze the memory and cache subsystem and study Rowhammer and cache attacks enabled on two proposed heterogeneous FPGA-CPU platforms by Intel: the Arria 10 GX with an integrated FPGA-CPU platform, and the Arria 10 GX PAC expansion card which connects the FPGA to the CPU via the PCIe interface. We show that while Intel PACs currently are immune to cache attacks from FPGA to CPU, the integrated platform is indeed vulnerable to Prime and Probe style attacks from the FPGA to the CPU’s last level cache. Further, we demonstrate JackHammer, a novel and efficient Rowhammer from the FPGA to the host’s main memory.
    Observations:
    It's quite clear that the focus of the PCIe-based "expansion card" setup was to attack the host.
    The "Arria 10 GX with an integrated FPGA-CPU platform" is referring to this: https://www.nextplatform.com/2018/05/24/a-peek-inside-that-intel-xeon-fpga-hybrid-chip/The last sentence further emphasizes that they're concerned about the host (i.e. multi-tenant cloud server).#2 is further reinforced by the part where they explain:
    The integrated Intel Arria 10 is based on a prototype E5- 2600v4 CPU with 12 physical cores. The prototype CPU has a Broadwell architecture in which the last level cache (LLC) is inclusive of the L1/L2 caches. The CPU package has an integrated Arria 10 GX 1150 FPGA running at 400 MHz.

    If you need further evidence, search for the text "Intel FPGA Platforms", where they include a detailed description of the hardware they're using.

    I'm aware that these FPGAs contain embedded ARM hard-cores, however ARM is only mentioned down in the references, whereas Xeon is mentioned throughout the paper.
    Reply