Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript

  • Daniel Gruss
  • Clémentine Maurice
  • Stefan Mangard
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9721)

Abstract

A fundamental assumption in software security is that a memory location can only be modified by processes that may write to this memory location. However, a recent study has shown that parasitic effects in DRAM can change the content of a memory cell without accessing it, simply by accessing other memory locations at a high frequency. This so-called Rowhammer bug occurs in most of today’s memory modules and has fatal consequences for the security of all affected systems, e.g., privilege escalation attacks.

All studies and attacks related to Rowhammer so far rely on the availability of a cache flush instruction in order to cause accesses to DRAM modules at a sufficiently high frequency. We overcome this limitation by defeating complex cache replacement policies. We show that caches can be forced into fast cache eviction to trigger the Rowhammer bug with only regular memory accesses. This makes it possible to trigger the Rowhammer bug in highly restricted environments, even scripting environments.

We demonstrate a fully automated attack that requires nothing but a website with JavaScript to trigger faults on remote hardware. This way, we can gain unrestricted access to the systems of website visitors. We show that the attack works on off-the-shelf systems. Existing countermeasures fail to protect against this new Rowhammer attack.

Notes

Acknowledgments

We would like to thank our shepherd Stelios Sidiroglou-Douskos and our anonymous reviewers for their valuable comments and suggestions. We would also like to thank Mark Seaborn, Thomas Dullien, Yossi Oren, Yuval Yarom, Barbara Aichinger, Peter Pessl and Raphael Spreitzer for feedback and advice.

Supported by the EU Horizon 2020 programme under GA No. 644052 (HECTOR), the EU FP7 programme under GA No. 610436 (MATTHEW), the Austrian Research Promotion Agency (FFG) and Styrian Business Promotion Agency (SFG) under GA No. 836628 (SeCoS), and Cryptacus COST Action IC1403.

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Daniel Gruss (1)
  • Clémentine Maurice (1)
  • Stefan Mangard (1)

  1. Graz University of Technology, Graz, Austria