Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges

by Mark Seaborn, Halvar Flake

"Rowhammer" is a problem with DRAM in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. While the industry has known about the problem for a while and has started mitigating the problem in newer hardware, it was rarely mentioned in public until the publication of Yoongu Kim et al's paper in the summer of 2014 which included hard data about the prevalence of the problem. In spite of the paper's speculations about the exploitability of the issue, most people still classified rowhammer as only a reliability issue - the probabilistic aspect of the problem seems to have made people think exploitability would be impractical.

We have shown that rowhammer is practically exploitable in real-world scenarios - both in-browser through NaCl, and outside of the browser to escalate to kernel privileges. The probabilistic aspect can be effectively tamed so that the problem can be reliably exploited.

Rowhammer, to our knowledge, represents the first public discussion of turning a widespread, real-world, physics-level hardware problem into a security issue.

We will discuss the details of how our two exploits cause and use bit flips, and how the rowhammer problem can be mitigated. We will also explore whether it is possible to cause row hammering using normal cached memory accesses.
Comments

Thanks for putting together the presentation, interesting stuff.

mikehunt

Where can I get the PowerPoint? The one online is slightly different?

jimmy

Will the Xbox One be vulnerable to rowhammer, and would a magnet near RAM memory have an effect?

DonaldSleightholme

"A fault in many DRAM modules, from 2010 onwards"

No, actually, it's a fault in DRAM since.... DRAM. Part of that whole "D" letter.

Edit:
I'm realizing now that the 2010 date is about the vulnerability awareness, not the physics. The physical situation that allows for rowhammer scenarios has been around since DRAM has existed. That's part of why ECC exists and refresh limits are specified. The density of contemporary DRAM, however, does make the issue more prevalent, so it is something that needs to be addressed.

JustAnotherAlchemist

Look, Ninja (Twitch streamer) in Black Hat

mdrubayet