Researchers Develop Centauri: A Practical Rowhammer Fingerprinting Technique


Cybersecurity experts from UC Davis have developed Centauri, a novel Rowhammer fingerprinting technique that can build unique and stable fingerprints, even across devices with identical hardware and software configurations.


Fingerprinting: A New Threat Landscape

Rowhammer exploits a DRAM hardware bug: repeatedly accessing rows of memory cells induces bit flips in neighbouring rows, which attackers have used to corrupt a device's physical memory and gain unauthorized access. UC Davis researchers have now repurposed the same effect to build device fingerprints, a significant development in the cybersecurity threat landscape.

Visualization of the Rowhammer bit flip distribution, where a brighter spot represents a higher bit flip probability (image from the paper).

Stateless tracking, the method of constructing device fingerprints without storing any client-side state, is becoming increasingly prevalent.

A useful fingerprint for such tracking must be both unique and stable. Centauri draws on the physical attributes of a device's hardware, which seldom change and therefore provide that stability. It uses the distribution of Rowhammer-induced bit flips to extract fingerprints that remain highly unique over a prolonged period, even among devices with identical configurations.

Centauri: Combining Rowhammer with Fingerprinting

Centauri overcomes three main challenges to operationalize the fingerprinting process. First, it accounts for the non-determinism of Rowhammer: hammering the same memory location does not always flip the same bits. Centauri therefore hammers the same locations multiple times and uses the resulting probability distribution of bit flips as the fingerprint. It then compares fingerprints by the divergence between these distributions, which allows a device to be re-identified even when the individual bit flip patterns vary between runs.

Second, it tackles the constraints imposed by the operating system's memory allocation abstractions, which limit access to contiguous physical memory and hide where allocated pages actually sit on the DRAM. Centauri overcomes this by sampling enough 2 MB chunks to guarantee that it reaches the same physical memory chunk each time it fingerprints.

Lastly, Centauri addresses the memory modules' own mitigations against Rowhammer, such as Target Row Refresh (TRR). The technique systematically identifies hammering patterns that remain effective in the presence of such mitigations, which is what makes at-scale fingerprinting with Rowhammer practical.

A New Milestone in Fingerprinting Accuracy

The researchers evaluated Centauri on a set of 98 DIMMs across 6 sets of identical DRAM modules from 2 major manufacturers. The results showed a fingerprint accuracy of 99.91%, a precision of 100%, and a recall of 97.06%.

Plot showing the variation in the accuracy, precision and recall of the fingerprints extracted by Centauri on a set of 10 DIMMs over a period of 10 days (image from the paper).

Moreover, daily experiments repeated over ten days yielded the same level of accuracy, demonstrating the high stability of Centauri's fingerprints. The researchers also showed that Centauri can extract a fingerprint in as little as 9.92 seconds, reducing overhead by over 95.01% at the cost of only a 0.64% degradation in accuracy.
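To make the non-determinism argument and the evaluation metrics above concrete, here is an added illustration (not code from the paper or the UC Davis researchers) that models repeated hammering of one memory chunk as noisy samples of per-cell flip probabilities, compares fingerprints with Jensen-Shannon divergence, and scores re-identification with the precision and recall metrics the article quotes. The cell count, the per-device flip probabilities, the number of hammer rounds and the match threshold are all constructed assumptions.

```python
import math
import random

# Constructed model: each device's Rowhammer behaviour is a per-cell flip probability
# over a fixed chunk of DRAM cells. One hammer round either flips a cell or not, so a
# single run is noisy; the fingerprint is the empirical flip distribution over rounds.
N_CELLS = 64

def sample_flips(true_probs, rounds, rng):
    """Simulate `rounds` hammer rounds and return per-cell flip counts (constructed data)."""
    counts = [0] * len(true_probs)
    for _ in range(rounds):
        for i, p in enumerate(true_probs):
            if rng.random() < p:
                counts[i] += 1
    return counts

def to_distribution(counts, eps=1e-6):
    """Normalise flip counts into a probability distribution, smoothed so no cell is exactly zero."""
    total = sum(counts) + eps * len(counts)
    return [(c + eps) / total for c in counts]

def js_divergence(p, q):
    """Jensen-Shannon divergence: symmetric and bounded by ln 2; 0 means identical distributions."""
    m = [(a + b) / 2 for a, b in zip(p, q)]
    def kl(x, y):
        return sum(a * math.log(a / b) for a, b in zip(x, y) if a > 0)
    return 0.5 * kl(p, m) + 0.5 * kl(q, m)

def identify(probe, enrolled, threshold):
    """Return the enrolled device whose fingerprint is closest to `probe`, or None if none is under threshold."""
    best_id, best_d = None, threshold
    for dev_id, fp in enrolled.items():
        d = js_divergence(probe, fp)
        if d < best_d:
            best_id, best_d = dev_id, d
    return best_id

def evaluate(n_devices=10, rounds=200, threshold=0.1, seed=1):
    """Enrol n identically configured devices, probe each again later, and return (precision, recall)."""
    rng = random.Random(seed)
    # Same part number, different silicon: each device gets its own (constructed) per-cell flip probabilities.
    truth = {f"dev{i}": [rng.random() * 0.2 if rng.random() < 0.3 else 0.0 for _ in range(N_CELLS)]
             for i in range(n_devices)}
    enrolled = {d: to_distribution(sample_flips(p, rounds, rng)) for d, p in truth.items()}
    tp = fp = fn = 0
    for d, p in truth.items():  # a fresh, independently noisy probe of every device
        guess = identify(to_distribution(sample_flips(p, rounds, rng)), enrolled, threshold)
        if guess == d: tp += 1
        elif guess is None: fn += 1
        else: fp += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    return precision, tp / (tp + fn)
```

Lowering `rounds` shows the trade-off the article mentions: fewer hammer rounds cut extraction time but make the probe distribution noisier, so recall drops before precision does.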

Impact on Cybersecurity

The ability to create unique and stable fingerprints of devices, even those with identical hardware and software configurations, could redefine the threat landscape in cybersecurity.

  1. Tracking and Surveillance: Centauri could be utilized for stealthy tracking and surveillance. For instance, state-sponsored actors might use it to monitor the activities of specific targets without their knowledge. Unlike cookie-based tracking, this method would be hard to detect and counter.
  2. Attribution of Cyber Attacks: On the positive side, this technology might aid in attributing cyberattacks to specific devices. By creating a unique fingerprint of a device, it could be easier to track the origin of an attack, helping in threat intelligence and investigation efforts.
  3. Privacy Concerns: However, there are significant privacy concerns. Unless properly regulated, misuse of this technology could lead to invasions of privacy on an unprecedented scale, given its potential to accurately and persistently identify and track devices over time.

Impact on Marketing

  1. Personalized Marketing: In marketing, understanding and reaching the target audience is crucial. With this technology, marketers could track user behavior with increased accuracy, leading to highly personalized marketing strategies. This level of personalization could potentially increase the effectiveness of marketing campaigns.
  2. Improved Analytics: The technology could provide better analytics for marketers, offering deeper insights into user behavior and preferences. It could help businesses understand their customers on a deeper level, leading to improved customer experience and potentially higher customer retention.
  3. Privacy Concerns and Regulatory Issues: Despite these advantages, the use of such technology in marketing could lead to serious privacy concerns and potential backlash from consumers and regulators. Marketers would need to tread carefully, ensuring transparency and compliance with data protection regulations like the GDPR.

Is Physical Access Needed for This Attack?

The Centauri fingerprinting approach described in the paper does not require physical access to the target device. The fingerprinting process works by leveraging a hardware vulnerability known as Rowhammer. Rowhammer is a side-channel attack that involves repeatedly accessing (or “hammering”) a row of memory cells in a DRAM (Dynamic Random Access Memory) module, causing bit flips in adjacent rows due to electrical interference.

The approach captures the patterns of these bit flips to create a unique fingerprint for each device. This can be done remotely, provided the attacker can execute code on the target machine. The attacker needs enough access to run memory-intensive processes, but does not necessarily need physical access or root (administrator) privileges.


Read the full paper here.

Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
