
Defeating Software Mitigations Against Rowhammer: A Surgical Precision Hammer

  • Andrei Tatar
  • Cristiano Giuffrida
  • Herbert Bos
  • Kaveh Razavi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11050)

Abstract

With software becoming harder to compromise due to modern defenses, attackers are increasingly looking at exploiting hardware vulnerabilities such as Rowhammer. In response, the research community has developed several software defenses to protect existing hardware against this threat. In this paper, we show that the assumptions existing software defenses make about memory addressing are inaccurate. Specifically, we show that physical address space is often not contiguously mapped to DRAM address space, allowing attackers to trigger Rowhammer corruptions despite active software defenses. We develop RAMSES, a software library modeling end-to-end memory addressing, relying on public documentation, where available, and reverse-engineered models otherwise. RAMSES improves existing software-only Rowhammer defenses and also improves attacks by orders of magnitude, as we show in our evaluation. We use RAMSES to build Hammertime, an open-source suite of tools for studying Rowhammer properties affecting attacks and defenses, which we release as open-source software.

Keywords

Rowhammer, Hammertime, DRAM geometry

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Andrei Tatar (1)
  • Cristiano Giuffrida (1)
  • Herbert Bos (1)
  • Kaveh Razavi (1)
  1. Vrije Universiteit Amsterdam, Amsterdam, The Netherlands
