Centauri, a Rowhammer-based method for generating unique fingerprints


Recently, a group of researchers from the University of California at Davis discussed the possibility of using Rowhammer (the DRAM bit corruption method) to generate unique fingerprints.

During their analysis, they mention that they realized that the nature of the distortions resulting from a Rowhammer attack is unique for each instance of a DRAM chip and does not change over time. As a result, the Centauri technique was developed, which allows identifying systems with an average precision of 99.91%.

To generate an identifier in Centauri, it is enough to run the code for a few seconds or minutes. At the cost of a slight decrease in accuracy (by 0.64), identification time can be reduced by 95%, to around 9.92 seconds. The highest accuracy is achieved when the check runs for about three minutes.

Identification is done in three stages:

  • Using the Blacksmith method (RowHammer variant) to determine the protection strategy (TRR) used in the chip against distortion of memory cells
  • Code execution leading to distortions
  • Determination of the relative position and number of capacitors that have changed the value of the charge.

The identifier is formed on the basis of constructing an empirical distribution of the probability of changing the charge of the capacitors in a 2-megabyte block of memory.
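
The matching step described above can be sketched as follows. This is an added illustration, not code from the Centauri researchers: it builds the empirical distribution of flips over a 2-megabyte block from constructed (simulated) observations and compares two such distributions, as one would to detect a replaced module. The Jensen-Shannon divergence, the 0.2 threshold and the simulated modules are assumptions; no memory is hammered.

```python
import math
import random
from collections import Counter

BLOCK_BITS = 2 * 1024 * 1024 * 8  # bit offsets in one 2-megabyte block


def empirical_distribution(runs):
    """runs: one set of flipped bit offsets per measurement run.
    Returns {bit_offset: share of all observed flips}."""
    counts = Counter(bit for flips in runs for bit in flips)
    total = sum(counts.values())
    return {bit: n / total for bit, n in counts.items()} if total else {}


def js_divergence(p, q):
    """Jensen-Shannon divergence in bits (assumed metric): 0 identical, 1 disjoint."""
    mix = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in set(p) | set(q)}

    def kl(a):
        return sum(pa * math.log2(pa / mix[k]) for k, pa in a.items() if pa > 0)

    return 0.5 * kl(p) + 0.5 * kl(q)


def same_module(reference, candidate, threshold=0.2):
    """threshold is an illustrative assumption, not a value from the research."""
    if not reference or not candidate:  # no flips observed: nothing to compare
        return False
    return js_divergence(reference, candidate) < threshold


def simulated_module(seed, weak_cells=200):
    """Constructed stand-in for a module: fixed weak cells, each with its own flip probability."""
    rng = random.Random(seed)
    return {rng.randrange(BLOCK_BITS): rng.uniform(0.1, 0.9) for _ in range(weak_cells)}


def simulated_runs(module, n_runs, seed):
    """Constructed observations: each run flips every weak cell with its probability."""
    rng = random.Random(seed)
    return [{b for b, p in module.items() if rng.random() < p} for _ in range(n_runs)]


if __name__ == "__main__":
    enrolled = empirical_distribution(simulated_runs(simulated_module(1), 50, seed=10))
    later = empirical_distribution(simulated_runs(simulated_module(1), 50, seed=11))
    swapped = empirical_distribution(simulated_runs(simulated_module(2), 50, seed=12))
    print("same module:", same_module(enrolled, later))
    print("replaced module:", same_module(enrolled, swapped))
```

Two sessions on the same simulated module differ only by sampling noise, while a different module has almost no weak cells in common, so its divergence is close to 1.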

For those of you who are unaware of RowHammer class attacks, you should know that they allow you to distort the content of individual bits of memory by cyclically reading data from neighboring memory cells.

“Centauri is the first technique to demonstrate the extraction of unique and stable fingerprints on the largest scale using Rowhammer while overcoming the practical limitations imposed by the operating system and by Rowhammer mitigations like TRR”

Since DRAM is a two-dimensional array of cells, each consisting of a capacitor and a transistor, continuously reading the same area of memory results in voltage fluctuations and anomalies that cause a slight loss of charge in neighboring cells. If the reading intensity is high, then the neighboring cell may lose a sufficiently large amount of charge and the next regeneration cycle will not have time to restore its original state, which will cause a change in the value of the data stored in the cell.

The chip manufacturing process is heterogeneous, so each memory chip is unique in its physical structure due to the tolerances that occur. Such deviations lead to the fact that the probability distribution of the bit distortion caused by the Rowhammer attack is also unique for each manufactured memory module, which is what the creators of the Centauri method took advantage of.

The TRR (Target Row Refresh) mechanism used by memory manufacturers, which protects against Rowhammer attacks by blocking the distortion of cells in adjacent rows, does not affect the accuracy of identification by the Centauri method.

On the practical side, the method can be used, for example, to detect equipment substitution or to identify systems in which a computer pretends to be several different devices. At the same time, the method is unlikely to go beyond the scope of academic research, since when it is used, increased wear on memory chips is observed, and software failures may occur due to distortions in the contents of the memory cells.

It is not excluded that the method can be adapted to work in a browser to identify website visitors, using as a base a pre-made implementation of Rowhammer in JavaScript.

The method has been tested on about 98 DRAM modules (6 identical chipsets from two manufacturers). Repeated experiments performed within 10 days did not reveal a decrease in identification accuracy.

Finally, if you are interested in knowing more about it, you can consult the details in the following link.

