
A High-Speed, Long-Distance and Wall-Penetrating Covert Channel Based on EM Emanations from DRAM Clock

Published in: Journal of Hardware and Systems Security

Abstract

An air-gapped computer is physically isolated from unsecured networks to guarantee effective protection against data exfiltration. Because of the air gap, unauthorized data transfer seems impossible over legitimate communication channels, but in reality many so-called physical covert channels can be constructed to exfiltrate data across the air gap. Most such covert channels are very slow and often require strict conditions to work (e.g., no physical obstacles between the sender and the receiver). In this paper, we introduce a new through-wall physical covert channel named BitJabber that is extremely fast and has a long attack distance. We show that this covert channel can be easily created by an unprivileged sender running on a victim’s computer. Specifically, the sender constructs the channel using only memory accesses, which modulate the electromagnetic (EM) signals generated by the DRAM clock. While possessing a very high bandwidth (up to 300,000 bps), this new covert channel is also very reliable (less than 1% error rate). More importantly, it enables data exfiltration from an air-gapped computer enclosed in a room with walls up to 15 cm thick, and the maximum attack distance is more than 6 m.



Availability of Data and Material

The datasets generated during and/or analyzed during the current study are available from the corresponding author on reasonable request.

Code Availability

N/A.

References

  1. Zhan Z, Zhang Z, Koutsoukos X (2020) BitJabber: The world’s fastest electromagnetic covert channel. In: 2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), IEEE

  2. Guri M, Monitz M, Mirski Y, Elovici Y (2015b) BitWhisper: Covert signaling channel between air-gapped computers using thermal manipulations. In: 2015 IEEE 28th Computer Security Foundations Symposium (CSF ’15), pp 276–289

  3. Guri M, Zadov B, Elovici Y (2017b) LED-it-GO: Leaking (a lot of) data from air-gapped computers via the (small) hard drive LED. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA ’17), pp 161–184

  4. Lopes AC, Aranha DF (2017) Platform-agnostic low-intrusion optical data exfiltration. In: Proceedings of the 3rd International Conference on Information Systems Security and Privacy, pp 474–480

  5. Loughry J, Umphress DA (2002) Information leakage from optical emanations. ACM Transactions on Information and System Security (TISSEC) 5(3):262–289

  6. Sepetnitsky V, Guri M, Elovici Y (2014) Exfiltration of information from air-gapped machines using monitor’s LED indicator. In: 2014 IEEE Joint Intelligence and Security Informatics Conference, IEEE, pp 264–267

  7. Guri M, Daidakulov A, Elovici Y (2018a) MAGNETO: Covert channel between air-gapped systems and nearby smartphones via CPU-generated magnetic fields. arXiv preprint arXiv:1802.02317

  8. Guri M, Zadov B, Daidakulov A, Elovici Y (2018c) ODINI: Escaping sensitive data from Faraday-caged, air-gapped computers via magnetic fields. arXiv preprint arXiv:1802.02700

  9. Matyunin N, Szefer J, Biedermann S, Katzenbeisser S (2016) Covert channels using mobile device’s magnetic field sensors. In: 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC ’16), pp 525–532

  10. Carrara B, Adams C (2014) On acoustic covert channels between air-gapped systems. In: International Symposium on Foundations and Practice of Security, Springer, pp 3–16

  11. Guri M, Solewicz Y, Daidakulov A, Elovici Y (2016c) Fansmitter: Acoustic data exfiltration from (speakerless) air-gapped computers. arXiv preprint arXiv:1606.05915

  12. Guri M, Solewicz Y, Daidakulov A, Elovici Y (2017a) Acoustic data exfiltration from speakerless air-gapped computers via covert hard-drive noise (‘DiskFiltration’). In: European Symposium on Research in Computer Security (ESORICS ’17), pp 98–115

  13. Hanspach M, Goetz M (2013) On covert acoustical mesh networks in air. J Commun 8(11)

  14. Guri M, Kedma G, Kachlon A, Elovici Y (2014) AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies. In: 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE ’14), IEEE, pp 58–67

  15. Guri M, Kachlon A, Hasson O, Kedma G, Mirsky Y, Elovici Y (2015a) GSMem: Data exfiltration from air-gapped computers over GSM frequencies. In: 24th USENIX Security Symposium (USENIX Security 15), pp 849–864

  16. Guri M, Monitz M, Elovici Y (2016b) USBee: Air-gap covert-channel via electromagnetic emission from USB. In: 2016 14th Annual Conference on Privacy, Security and Trust (PST ’16), pp 264–268

  17. Zajić A, Prvulovic M (2014) Experimental demonstration of electromagnetic information leakage from modern processor-memory systems. IEEE Trans Electromagn Compat 56(4):885–893

  18. Callan R, Zajić A, Prvulovic M (2015) FASE: Finding amplitude-modulated side-channel emanations. In: 2015 ACM/IEEE 42nd Annual International Symposium on Computer Architecture (ISCA ’15), pp 592–603

  19. Lampson BW (1973) A note on the confinement problem. Commun ACM 16(10):613–615

  20. Szefer J (2019) Survey of microarchitectural side and covert channels, attacks, and defenses. Journal of Hardware and Systems Security 3(3):219–234

  21. Masti RJ, Rai D, Ranganathan A, Müller C, Thiele L, Capkun S (2015) Thermal covert channels on multi-core platforms. In: 24th USENIX Security Symposium (USENIX Security 15), pp 865–880

  22. Maurice C, Neumann C, Heen O, Francillon A (2015) C5: Cross-cores cache covert channel. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA ’15), pp 46–64

  23. Ristenpart T, Tromer E, Shacham H, Savage S (2009) Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS ’09), ACM, pp 199–212

  24. Sullivan D, Arias O, Meade T, Jin Y (2018) Microarchitectural minefields: 4K-aliasing covert channel and multi-tenant detection in IaaS clouds. In: NDSS ’18

  25. Wang Z, Lee RB (2006) Covert and side channels due to processor architecture. In: 2006 22nd Annual Computer Security Applications Conference (ACSAC ’06), IEEE, pp 473–482

  26. Wu Z, Xu Z, Wang H (2012) Whispers in the hyper-space: High-speed covert channel attacks in the cloud. In: 21st USENIX Security Symposium (USENIX Security 12), pp 159–173

  27. Xu Y, Bailey M, Jahanian F, Joshi K, Hiltunen M, Schlichting R (2011) An exploration of L2 cache covert channels in virtualized environments. In: Proceedings of the 3rd ACM Cloud Computing Security Workshop (CCSW ’11), pp 29–40

  28. Davidov M, Oldenburg B (2020) TempestHome: Finding radio frequency side channels. Tech. rep., Duo. URL https://duo.com/labs/research/finding-radio-sidechannels

  29. Guri M (2020) POWER-SUPPLaY: Leaking data from air-gapped systems by turning the power supplies into speakers. arXiv preprint arXiv:2005.00395

  30. Zhou Z, Zhang W, Yang Z, Yu N (2017) Exfiltration of data from air-gapped networks via unmodulated LED status indicators. arXiv preprint arXiv:1711.03235

  31. Guri M, Hasson O, Kedma G, Elovici Y (2016a) An optical covert-channel to leak data through an air-gap. In: 2016 14th Annual Conference on Privacy, Security and Trust (PST ’16), pp 642–649

  32. Guri M, Bykhovsky D, Elovici Y (2019) BRIGHTNESS: Leaking sensitive data from air-gapped workstations via screen brightness. In: 2019 12th CMI Conference on Cybersecurity and Privacy (CMI), IEEE, pp 1–6

  33. Guri M (2019) HOTSPOT: Crossing the air-gap between isolated PCs and nearby smartphones using temperature. In: 2019 European Intelligence and Security Informatics Conference (EISIC), IEEE, pp 94–100

  34. Guri M, Zadov B, Bykhovsky D, Elovici Y (2018b) PowerHammer: Exfiltrating data from air-gapped computers through power lines. arXiv preprint arXiv:1804.04014

  35. Nassi B, Pirutin Y, Shamir A, Elovici Y, Zadov B (2020) Lamphone: Real-time passive sound recovery from light bulb vibrations. Cryptology ePrint Archive

  36. Kwong A, Xu W, Fu K (2019) Hard drive of hearing: Disks that eavesdrop with a synthesized microphone. In: 2019 IEEE Symposium on Security and Privacy (SP), IEEE, pp 905–919

  37. Sehatbakhsh N, Yilmaz BB, Zajic A, Prvulovic M (2020) A new side-channel vulnerability on modern computers by exploiting electromagnetic emanations from the power management unit. In: 2020 IEEE International Symposium on High Performance Computer Architecture (HPCA), IEEE, pp 123–138

  38. Shen C, Liu T, Huang J, Tan R (2021) When LoRa meets EMR: Electromagnetic covert channels can be super resilient. In: 2021 IEEE Symposium on Security and Privacy (SP), IEEE Computer Society, Los Alamitos, CA, USA, pp 1304–1317. DOI 10.1109/SP40001.2021.00031, URL https://doi.ieeecomputersociety.org/10.1109/SP40001.2021.00031

  39. Ge Q, Yarom Y, Cock D, Heiser G (2018) A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J Cryptogr Eng 8(1):1–27

  40. Departments, agencies of the Federal Government (2019) Code of Federal Regulations. URL https://www.ecfr.gov/cgi-bin/text-idx?SID=8c3c331bc40fd1a017dbf9917665f6c6&mc=true&node=pt47.1.15&rgn=div5

  41. Zhang Z, Zhan Z, Balasubramanian D, Li B, Volgyesi P, Koutsoukos X (2020) Leveraging EM side-channel information to detect Rowhammer attacks. In: 2020 IEEE Symposium on Security and Privacy (S&P ’20), pp 729–746

  42. Hassan M, Kaushik AM, Patel H (2015) Reverse-engineering embedded memory controllers through latency-based analysis. In: 21st IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS ’15), pp 297–306

  43. Pessl P, Gruss D, Maurice C, Schwarz M, Mangard S (2016) DRAMA: Exploiting DRAM addressing for cross-CPU attacks. In: 25th USENIX Security Symposium (USENIX Security 16), pp 565–581

  44. Xiao Y, Zhang X, Zhang Y, Teodorescu R (2016) One bit flips, one cloud flops: Cross-VM row hammer attacks and privilege escalation. In: 25th USENIX Security Symposium (USENIX Security 16), pp 19–35

  45. Aweke ZB, Yitbarek SF, Qiao R, Das R, Hicks M, Oren Y, Austin T (2016) ANVIL: Software-based protection against next-generation Rowhammer attacks. ACM SIGPLAN Not 51(4):743–755

  46. Yağlikçi AG, Patel M, Kim JS, Azizi R, Olgun A, Orosa L, Hassan H, Park J, Kanellopoulos K, Shahroodi T, et al. (2021) BlockHammer: Preventing Rowhammer at low cost by blacklisting rapidly-accessed DRAM rows. In: 2021 IEEE International Symposium on High-Performance Computer Architecture (HPCA), IEEE, pp 345–358


Funding

This work is supported in part by the National Science Foundation (CNS-1739328, CNS-2147217).

Author information

Contributions

N/A.

Corresponding author

Correspondence to Zihao Zhan.

Ethics declarations

Ethics Approval

N/A.

Consent to Participate

All the authors have approved.

Consent for Publication

All the authors have approved.

Competing Interests

Yier Jin.

Additional information

This article is an extension of our previous work [1].

About this article

Cite this article

Zhan, Z., Zhang, Z. & Koutsoukos, X. A High-Speed, Long-Distance and Wall-Penetrating Covert Channel Based on EM Emanations from DRAM Clock. J Hardw Syst Secur 6, 47–65 (2022). https://doi.org/10.1007/s41635-022-00128-6

DOI: https://doi.org/10.1007/s41635-022-00128-6