Lucian Cojocar

Reverse Engineering of Error-Correcting Codes

Abstract

We describe several ways to reverse engineer the Error-Correcting Codes (ECC) implemented in memory controllers. We show a cold boot attack and several fault injection methods, including one that involves syringe needles.

# Context
Error Correcting Codes (ECC) are a memory reliability mechanism that detects, and within limits corrects, bit errors in DRAM.
Because ECC can correct /some/ flipped bits, it is often put forward as a mitigation for Rowhammer (RH). But _How well does ECC really protect against Rowhammer?_ remains a largely unanswered question, because the details of the ECC implementation are not publicly documented. In this context, we aim our RE effort at the ECC implemented in the memory controllers of different CPUs.

# What
In this talk we will show how to reverse engineer the ECC function on several server CPUs, using the following methods:
* _Fault injection based attacks_. Here we show how to leverage RH-induced bit flips, an [ad-hoc syringe needle probe](https://www.vusec.net/wp-content/uploads/2018/11/needle-injection-edit-768x952.png) and even the memory controller itself to inject faults.
* _A cold-boot attack_. With a cold-boot attack we show how to build a /memory dumper/ that supports ECC memory.
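The following is an added example (mine, not code from the talk or from its authors) that illustrates both the Context paragraph and the fault injection and dumper methods listed above: a simulated memory controller running a constructed (72,64) SECDED code with odd-weight columns, three fault-injection probes that show what "corrects /some/ bits" means for such a code (one flip corrected, two flagged, three possibly silently miscorrected), and an attacker-side routine that recovers the controller's check function. The recovery rests on an assumption the page does not state: that the raw check bits of a stored word can be read back, for instance by a memory dumper that captures the ECC bits along with the data. Under that assumption it goes a little beyond the single code shown here, recovering any linear or affine check function from 65 probe words.

```c
/* Simulated SECDED memory controller plus recovery of its check function.
 * Constructed example: the (72,64) code below stands in for whatever a real
 * controller implements; nothing here is the talk's own tooling. */
#include <stdint.h>
#include <stdio.h>

enum ecc_status { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE };

/* --- controller side (hidden from the "attacker" functions below) --- */
static uint8_t H[64];   /* one 8-bit check column per data bit */
static int H_ready;

static int popcnt8(uint8_t v) { int n = 0; for (; v; v >>= 1) n += v & 1; return n; }

/* Odd-weight columns (weight >= 3): one flip gives an odd syndrome naming a
 * column, two flips give a nonzero even syndrome naming nothing. */
static void ensure_code(void) {
    if (H_ready) return;
    for (int v = 0, n = 0; v < 256 && n < 64; v++)
        if ((popcnt8((uint8_t)v) & 1) && popcnt8((uint8_t)v) >= 3) H[n++] = (uint8_t)v;
    H_ready = 1;
}

/* Encoder: the check byte is the XOR of the columns of all set data bits. */
static uint8_t controller_check(uint64_t data) {
    ensure_code();
    uint8_t c = 0;
    for (int i = 0; i < 64; i++) if ((data >> i) & 1) c ^= H[i];
    return c;
}

/* Decoder: takes the word as stored in DRAM, returns the status the CPU
 * would see and writes the (possibly "corrected") data to *out. */
static enum ecc_status controller_read(uint64_t sdata, uint8_t scheck, uint64_t *out) {
    uint8_t s = controller_check(sdata) ^ scheck;      /* syndrome */
    *out = sdata;
    if (s == 0) return ECC_OK;
    if (!(popcnt8(s) & 1)) return ECC_UNCORRECTABLE;   /* even weight: 2 (or 4, 6, ...) flips */
    if (popcnt8(s) == 1) return ECC_CORRECTED;         /* flip in the check byte, data is fine */
    for (int i = 0; i < 64; i++)
        if (H[i] == s) { *out ^= 1ULL << i; return ECC_CORRECTED; }
    return ECC_UNCORRECTABLE;                          /* odd weight but no column matches */
}

/* Write `data`, flip the given bits in the stored copy (the fault), read back. */
static enum ecc_status inject_and_read(uint64_t data, uint64_t dflips, uint8_t cflips, uint64_t *out) {
    return controller_read(data ^ dflips, controller_check(data) ^ cflips, out);
}

/* --- attacker side ---
 * Assumption (not something the talk states): the attacker can dump the raw
 * check bits stored for a word of its choosing, e.g. with a memory dumper that
 * reads the ECC bits along with the data. Any affine check function is then
 * pinned down by 65 probes: the all-zero word and the 64 unit words. */
static uint8_t rec_col[64], rec_off;

static void recover_code(uint8_t (*dump_check)(uint64_t)) {
    rec_off = dump_check(0);               /* nonzero only if the code is affine */
    for (int i = 0; i < 64; i++) rec_col[i] = dump_check(1ULL << i) ^ rec_off;
}

static uint8_t recovered_check(uint64_t data) {
    uint8_t c = rec_off;
    for (int i = 0; i < 64; i++) if ((data >> i) & 1) c ^= rec_col[i];
    return c;
}

/* Check the recovered function against the oracle on pseudo-random words. */
static int recovery_matches(uint8_t (*dump_check)(uint64_t), int trials) {
    uint64_t x = 0x9E3779B97F4A7C15ULL;   /* xorshift64 seed, arbitrary */
    recover_code(dump_check);
    for (int t = 0; t < trials; t++) {
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        if (recovered_check(x) != dump_check(x)) return 0;
    }
    return 1;
}

/* Three probes showing what "corrects some bits" means for this code. */
static int single_flip_is_fixed(uint64_t d) {
    uint64_t out;
    return inject_and_read(d, 1ULL << 17, 0, &out) == ECC_CORRECTED && out == d;
}
static int double_flip_is_flagged(uint64_t d) {
    uint64_t out;
    return inject_and_read(d, (1ULL << 17) | (1ULL << 40), 0, &out) == ECC_UNCORRECTABLE;
}
/* Data bits 0, 1, 2 carry columns 7, 11, 13 here; 7^11^13 = 1 looks like a single
 * flipped check bit, so the controller reports "corrected" and returns 3 bad bits. */
static int triple_flip_is_miscorrected(uint64_t d) {
    uint64_t out;
    return inject_and_read(d, 7, 0, &out) == ECC_CORRECTED && out == (d ^ 7);
}

int main(void) {
    uint64_t d = 0xDEADBEEFCAFEF00DULL;
    printf("single flip fixed: %d, double flagged: %d, triple miscorrected: %d\n",
           single_flip_is_fixed(d), double_flip_is_flagged(d), triple_flip_is_miscorrected(d));
    printf("check function recovered: %d\n", recovery_matches(controller_check, 1000));
    return 0;
}
```

Compile with `cc -std=c11 ecc_sim.c` and run. The third probe is the one worth dwelling on: a SECDED code guarantees correction of one flip and detection of two, and promises nothing about three, so with odd-weight columns some triples look exactly like a single flipped check bit and pass through as "corrected" data.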

# Result
At the end of the talk, we touch upon another _issue_ that we discovered with ECC. We show how we combine this _issue_ with the knowledge extracted through RE to mount a Rowhammer attack, even in the presence of ECC memory.

BIO

I take things apart. Sometimes I put them back.