
Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript

  • Conference paper
  • Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2016)

Abstract

A fundamental assumption in software security is that a memory location can only be modified by processes that are allowed to write to it. However, a recent study has shown that parasitic effects in DRAM can change the content of a memory cell without accessing it, simply by accessing other memory locations at a high frequency. This so-called Rowhammer bug occurs in most of today's memory modules and has fatal consequences for the security of all affected systems, e.g., privilege escalation attacks.

All studies and attacks related to Rowhammer so far rely on the availability of a cache flush instruction in order to cause accesses to DRAM modules at a sufficiently high frequency. We overcome this limitation by defeating complex cache replacement policies. We show that caches can be forced into fast cache eviction to trigger the Rowhammer bug with only regular memory accesses. This makes it possible to trigger the Rowhammer bug in highly restricted and even scripting environments.

We demonstrate a fully automated attack that requires nothing but a website with JavaScript to trigger faults on remote hardware. Thereby we can gain unrestricted access to the systems of website visitors. We show that the attack works on off-the-shelf systems. Existing countermeasures fail to protect against this new Rowhammer attack.

C. Maurice—Part of the work was done while author was affiliated to Technicolor and Eurecom.


Notes

  1. A draft of this paper has been available online since July 24, 2015.


Acknowledgments

We would like to thank our shepherd Stelios Sidiroglou-Douskos and our anonymous reviewers for their valuable comments and suggestions. We would also like to thank Mark Seaborn, Thomas Dullien, Yossi Oren, Yuval Yarom, Barbara Aichinger, Peter Pessl and Raphael Spreitzer for feedback and advice.

Supported by the EU Horizon 2020 programme under GA No. 644052 (HECTOR), the EU FP7 programme under GA No. 610436 (MATTHEW), the Austrian Research Promotion Agency (FFG) and Styrian Business Promotion Agency (SFG) under GA No. 836628 (SeCoS), and Cryptacus COST Action IC1403.

Author information

Corresponding author: Daniel Gruss.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Gruss, D., Maurice, C., Mangard, S. (2016). Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: Caballero, J., Zurutuza, U., Rodríguez, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2016. Lecture Notes in Computer Science, vol 9721. Springer, Cham. https://doi.org/10.1007/978-3-319-40667-1_15


  • DOI: https://doi.org/10.1007/978-3-319-40667-1_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-40666-4

  • Online ISBN: 978-3-319-40667-1
