Another Flip in the Wall of Rowhammer Defenses

Daniel Gruss, Moritz Lipp, Michael Schwarz, Daniel Genkin, Jonas Juffinger, Sioli O'Connell, Wolfgang Schoechl, Yuval Yarom

Publication: Contribution to book/report/conference proceedings, conference contribution, research, peer-reviewed

Abstract

The Rowhammer bug allows unauthorized modification of bits in DRAM cells from unprivileged software, enabling powerful privilege-escalation attacks. Sophisticated Rowhammer countermeasures have been presented, aiming at mitigating the Rowhammer bug or its exploitation. However, the state of the art provides insufficient insight on the completeness of these defenses. In this paper, we present novel Rowhammer attack and exploitation primitives, showing that even a combination of all defenses is ineffective. Our new attack technique, one-location hammering, breaks previous assumptions on requirements for triggering the Rowhammer bug, i.e., we do not hammer multiple DRAM rows but only keep one DRAM row constantly open. Our new exploitation technique, opcode flipping, bypasses recent isolation mechanisms by flipping bits in a predictable and targeted way in userspace binaries. We replace conspicuous and memory-exhausting spraying and grooming techniques with a novel reliable technique called memory waylaying. Memory waylaying exploits system-level optimizations and a side channel to coax the operating system into placing target pages at attacker-chosen physical locations. Finally, we abuse Intel SGX to hide the attack entirely from the user and the operating system, making any inspection or detection of the attack infeasible. Our Rowhammer enclave can be used for coordinated denial-of-service attacks in the cloud and for privilege escalation on personal computers. We demonstrate that our attacks evade all previously proposed countermeasures for commodity systems.
Original language: English
Title: 39th IEEE Symposium on Security and Privacy 2018
Publication status: Electronic publication ahead of print, 31 Jan 2018

Keywords: cs.CR

Cite this

Gruss, D., Lipp, M., Schwarz, M., Genkin, D., Juffinger, J., O'Connell, S., Schoechl, W., & Yarom, Y. (2018). Another Flip in the Wall of Rowhammer Defenses. In 39th IEEE Symposium on Security and Privacy 2018.
