



## JackHammer: Efficient Rowhammer on **Heterogeneous FPGA-CPU Platforms**

Zane Weissman, Thore Tiemann, Daniel Moghimi **Advisors: Berk Sunar, Thomas Eisenbarth** 



## UNIVERSITÄT ZU LÜBECK



The blue line in this figure is the distribution of CPU memory access latency when accessing cache lines recently written by the FPGA; a typical distribution is shown in black. Our measurements show that cache lines written by the FPGA are placed in the last-level cache of its host CPU.



We constructed a covert channel with the FPGA as the sender and a cooperative CPU program as receiver. The FPGA sends binary messages by writing to a cache line when transmitting a 1 and staying quiet otherwise. The receiver continuously probes a the cache set to detect access latency fluctuations to receive the messages. An example decoding of the latency measurements is shown in the figure above. While using heavily redundant encoding, we still achieve a **throughput of 94.98 kBit/s**.

## References

∎┽┽┥╔

- Weissman et al., JackHammer. Available on arxiv.org
- Acceleration Stack for Intel® Xeon® CPU with FPGAs Core Cache Interface (CCI-P) Reference Manual
- Special thanks to Intel's Evan Custodio, Alpa Trivedi, and Sayak Ray for their guidance and support