Skip to main content

TS

Another flip in the wall of rowhammer defenses

Authors

Daniel Gruss, Moritz Lipp, Michael Schwarz, Daniel Genkin, Jonas Juffinger, Sioli O'Connell, Wolfgang Schoechl and Yuval Yarom

DATA61

Graz University of Technology

University of Adelaide

University of Pennsylvania & University of Maryland

Abstract

The Rowhammer bug allows unauthorized modification of bits in DRAM cells from unprivileged software, enabling powerful privilege-escalation attacks. Sophisticated Rowhammer countermeasures have been presented, aiming at mitigating the Rowhammer bug or its exploitation. However, the state of the art provides insufficient insight on the completeness of these defenses. In this paper, we present novel Rowhammer attack and exploitation primitives, showing that even a combination of all defenses is ineffective. Our new attack technique, one-location hammering, breaks previous assumptions on how the Rowhammer bug can be triggered, i.e., we do not hammer multiple DRAM rows but only keep one DRAM row constantly open. Our new exploitation technique, opcode flipping, bypasses recent isolation mechanisms by flipping bits in a predictable and targeted way in shared binaries. We replace conspicuous and unstable memory spraying and grooming techniques with a novel reliable technique called memory waylaying. Memory waylaying exploits system-level optimizations and a side channel to coax the operating system into placing target pages at attacker-chosen locations. Finally, we abuse Intel SGX to hide the attack entirely from the user and the operating system, making any inspection or detection of the attack infeasible. We demonstrate that our attacks evade all previously proposed countermeasures for commodity systems.

BibTeX Entry

  @inproceedings{Gruss_LSGJOSY_18,
    publisher        = {IEEE},
    booktitle        = {IEEE Symposium on Security and Privacy},
    author           = {Gruss, Daniel and Lipp, Moritz and Schwarz, Michael and Genkin, Daniel and Juffinger, Jonas and
                        O'Connell, Sioli and Schoechl, Wolfgang and Yarom, Yuval},
    month            = may,
    year             = {2018},
    date             = {2018-5-21},
    title            = {Another Flip in the Wall of Rowhammer Defenses},
    pages            = {489-505},
    address          = {San Francisco, CA, US}
  }

Download

Served by Apache on Linux on seL4.