如果你有内存测试和内存地址Decode这方面的问题,可以私信我,我们一起进步!
一、百度安全实验室最新的研究成果
参考:intel:spectre&Meltdown侧信道攻击(五)—— DRAM address mapping - 第七子007 - 博客园
最快69秒逆向DRAM地址映射,百度设计的这款逆向工具如何做到快速可靠? - 腾讯云开发者社区-腾讯云
row hammer,理论上很完美,实际操作的时候会面临很尴尬的问题:内存存储数据最小的单位是cell(就是个电容,充电是1,放电是0),无数个横着的cell组成row,无数个竖着的cell组成colume;数个row和colume组成bank,多个bank组成chip,然后是rank,接着是dimm、channel,总的逻辑包含顺序是:channel->dimm->rank->chip->bak->row/colume->cell;怎么把物理地址映射到具体的cell了?换句话说:比如知道了某个能提权数据位的虚拟地址,linux和windwos都能调用系统API查找到相应的物理地址,又怎么根据物理地址映射到bank/row/colume了? 否则怎么精准hammer?Intel 并未公开映射算法,怎么通过一些逆向的方式、方法猜测出物理地址到dram 的address mapping了?
通过DRAMDig测试的结果如下,由此可见:不同cpu型号、不同内存大小,对应不同的row、colume、bank function,情况较为复杂;
二、一种比较传统的办法
参考:http://lackingrhoticity.blogspot.com/2015/05/how-physical-addresses-map-to-rows-and-banks.html
Now I'll discuss how these CPUs' memory controllers map physical addresses to locations in DRAM -- specifically, to row, bank and column numbers in DRAM modules. Let's call this the DRAM address mapping. I'll use one test machine as a case study.
Motivation: the rowhammer bug
I am interested in the DRAM address mapping because it is relevant to the "rowhammer" bug.
Rowhammer is a problem with some DRAM modules whereby certain pessimal memory access patterns can cause memory corruption. In these DRAMs, repeatedly activating a row of memory (termed "row hammering") can p