GuardION: Practical Mitigation of DMA-Based Rowhammer Attacks on ARM

  • Victor van der Veen
  • Martina Lindorfer
  • Yanick Fratantonio
  • Harikrishnan Padmanabha Pillai
  • Giovanni Vigna
  • Christopher Kruegel
  • Herbert Bos
  • Kaveh Razavi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10885)

Abstract

Over the last two years, the Rowhammer bug transformed from a hard-to-exploit DRAM disturbance error into a fully weaponized attack vector. Researchers demonstrated exploits not only against desktop computers, but also used single bit flips to compromise the cloud and mobile devices, all without relying on any software vulnerability.

Since hardware-level mitigations cannot be backported, a search for software defenses is pressing. Proposals made by both academia and industry, however, are either impractical to deploy, or insufficient in stopping all attacks: we present RAMpage, a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of (1) a root exploit, and (2) a series of app-to-app exploit scenarios that bypass all defenses.

To mitigate Rowhammer exploitation on ARM, we propose GuardION, a lightweight defense that prevents DMA-based attacks—the main attack vector on mobile devices—by isolating DMA buffers with guard rows. We evaluate GuardION on 22 benchmark apps and show that it has a negligible memory overhead (2.2 MB on average). We further show that we can improve system performance by re-enabling higher order allocations after Google disabled these as a reaction to previous attacks.
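The guard-row idea in the abstract, modelled as an added example that is not the paper's kernel code: physical memory is treated as consecutive DRAM rows, a hammer confined to a DMA buffer is assumed to disturb only the rows directly adjacent to it, and a row size of 64 KiB is assumed for the overhead estimate. The naive allocator lets a buffer sit next to another owner's data; the guarded allocator reserves one unmapped row on each side, so the only disturbable rows belong to no one.

```python
from dataclasses import dataclass, field

# Assumed DRAM row size, only used for the overhead estimate (not from the paper).
ROW_BYTES = 64 * 1024

@dataclass
class Allocation:
    owner: str
    rows: list                                  # DMA-accessible rows
    guards: list = field(default_factory=list)  # reserved, never mapped to anyone

class RowAllocator:
    """Toy first-fit allocator over physically consecutive DRAM rows."""
    def __init__(self, total_rows, guard_rows):
        self.free = list(range(total_rows))
        self.guard_rows = guard_rows
        self.owner_of = {}  # row index -> owner name or "<guard>"

    def alloc(self, owner, n_rows):
        pad = 1 if self.guard_rows else 0      # one guard row on each side
        need = n_rows + 2 * pad
        for i in range(len(self.free) - need + 1):
            run = self.free[i:i + need]
            if run[-1] - run[0] != need - 1:   # not physically contiguous
                continue
            del self.free[i:i + need]
            guards = run[:pad] + run[need - pad:]
            rows = run[pad:need - pad]
            for r in rows:
                self.owner_of[r] = owner
            for r in guards:
                self.owner_of[r] = "<guard>"
            return Allocation(owner, rows, guards)
        raise MemoryError("no contiguous run of %d rows" % need)

def disturbable_rows(a):
    """Rows a hammer confined to `a` can disturb (neighbour model, assumed)."""
    own = set(a.rows)
    return sorted({r + d for r in a.rows for d in (-1, 1)} - own)

def victims(alloc, a):
    """Other owners whose data currently sits in a disturbable row."""
    hit = {alloc.owner_of.get(r) for r in disturbable_rows(a)}
    return sorted(hit - {"<guard>", None, a.owner})

def overhead_bytes(a):
    """Memory spent on guard rows for this allocation."""
    return len(a.guards) * ROW_BYTES
```

The model is point-in-time: a free row next to an unguarded buffer becomes a victim as soon as it is handed to another owner, which is exactly why the guard rows are reserved rather than merely left free.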

Notes

Acknowledgments

We thank the anonymous reviewers for their valuable comments and input to improve the paper, as well as Pietro Frigo for his help on understanding GLitch.

This work was supported by the Netherlands Organisation for Scientific Research through grants NWO CSI-DHS 628.001.021, by the European Commission through project H2020 ICT-32-2014 “SHARCS” under Grant Agreement No. 644571, the NSF under Award No. CNS-1408632, the ONR under Award No. N00014-17-1-2897, DARPA under agreement number FA8750-15-2-0084, and a Security, Privacy and Anti-Abuse award from Google. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views, position, official policies, or endorsements, either expressed or implied, of the U.S. Government, DARPA, ONR, NSF, or Google.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Victor van der Veen (1)
  • Martina Lindorfer (3)
  • Yanick Fratantonio (4)
  • Harikrishnan Padmanabha Pillai (2)
  • Giovanni Vigna (3)
  • Christopher Kruegel (3)
  • Herbert Bos (1)
  • Kaveh Razavi (1)

  1. Vrije Universiteit, Amsterdam, The Netherlands
  2. Amrita University, Coimbatore, India
  3. University of California, Santa Barbara, USA
  4. EURECOM, Biot, France