Drammer: Deterministic Rowhammer attacks on mobile platforms

Victor Van Der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Lucie Noemie Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida

Research output: Chapter in Book/Report/Conference proceedingConference contributionResearchpeer-review

Abstract

Recent work shows that the Rowhammer hardware bug can be used to craft powerful attacks and completely subvert a system. However, existing efforts either describe probabilistic (and thus unreliable) attacks or rely on special (and often unavailable) memory management features to place victim objects in vulnerable physical memory locations. Moreover, prior work only targets x86 and researchers have openly wondered whether Rowhammer attacks on other architectures, such as ARM, are even possible. We show that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses. Rather than assuming special memory management features, our attack, Drammer, solely relies on the predictable memory reuse patterns of standard physical memory allocators. We implement Drammer on Android/ARM, demonstrating the practicability of our attack, but also discuss a generalization of our approach to other Linux-based platforms. Furthermore, we show that traditional x86-based Rowhammer exploitation techniques no longer work on mobile platforms and address the resulting challenges towards practical mobile Rowhammer attacks. To support our claims, we present the first Rowhammerbased Android root exploit relying on no software vulnerability, and requiring no user permissions. In addition, we present an analysis of several popular smartphones and find that many of them are susceptible to our Drammer attack. We conclude by discussing potential mitigation strategies and urging our community to address the concrete threat of faulty DRAM chips in widespread commodity platforms.

Original languageEnglish
Title of host publicationCCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
PublisherAssociation of Computing Machinery
Pages1675-1689
Number of pages15
Volume24-28-October-2016
ISBN (Electronic)9781450341394
DOIs
Publication statusPublished - 24 Oct 2016
Event23rd ACM Conference on Computer and Communications Security, CCS 2016 - Vienna, Austria
Duration: 24 Oct 201628 Oct 2016

Conference

Conference23rd ACM Conference on Computer and Communications Security, CCS 2016
CountryAustria
CityVienna
Period24/10/1628/10/16

Fingerprint

Data storage equipment
Dynamic random access storage
Smartphones
Concretes
Hardware

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Van Der Veen, V., Fratantonio, Y., Lindorfer, M., Gruss, D., Maurice, C. L. N., Vigna, G., ... Giuffrida, C. (2016). Drammer: Deterministic Rowhammer attacks on mobile platforms. In CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (Vol. 24-28-October-2016, pp. 1675-1689). Association of Computing Machinery. https://doi.org/10.1145/2976749.2978406

Drammer : Deterministic Rowhammer attacks on mobile platforms. / Van Der Veen, Victor; Fratantonio, Yanick; Lindorfer, Martina; Gruss, Daniel; Maurice, Clementine Lucie Noemie; Vigna, Giovanni; Bos, Herbert; Razavi, Kaveh; Giuffrida, Cristiano.

CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Vol. 24-28-October-2016 Association of Computing Machinery, 2016. p. 1675-1689.

Research output: Chapter in Book/Report/Conference proceedingConference contributionResearchpeer-review

Van Der Veen, V, Fratantonio, Y, Lindorfer, M, Gruss, D, Maurice, CLN, Vigna, G, Bos, H, Razavi, K & Giuffrida, C 2016, Drammer: Deterministic Rowhammer attacks on mobile platforms. in CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. vol. 24-28-October-2016, Association of Computing Machinery, pp. 1675-1689, 23rd ACM Conference on Computer and Communications Security, CCS 2016, Vienna, Austria, 24/10/16. https://doi.org/10.1145/2976749.2978406
Van Der Veen V, Fratantonio Y, Lindorfer M, Gruss D, Maurice CLN, Vigna G et al. Drammer: Deterministic Rowhammer attacks on mobile platforms. In CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Vol. 24-28-October-2016. Association of Computing Machinery. 2016. p. 1675-1689 https://doi.org/10.1145/2976749.2978406
Van Der Veen, Victor ; Fratantonio, Yanick ; Lindorfer, Martina ; Gruss, Daniel ; Maurice, Clementine Lucie Noemie ; Vigna, Giovanni ; Bos, Herbert ; Razavi, Kaveh ; Giuffrida, Cristiano. / Drammer : Deterministic Rowhammer attacks on mobile platforms. CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Vol. 24-28-October-2016 Association of Computing Machinery, 2016. pp. 1675-1689
@inproceedings{858d3426e09a43be9054372a98776b2c,
title = "Drammer: Deterministic Rowhammer attacks on mobile platforms",
abstract = "Recent work shows that the Rowhammer hardware bug can be used to craft powerful attacks and completely subvert a system. However, existing efforts either describe probabilistic (and thus unreliable) attacks or rely on special (and often unavailable) memory management features to place victim objects in vulnerable physical memory locations. Moreover, prior work only targets x86 and researchers have openly wondered whether Rowhammer attacks on other architectures, such as ARM, are even possible. We show that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses. Rather than assuming special memory management features, our attack, Drammer, solely relies on the predictable memory reuse patterns of standard physical memory allocators. We implement Drammer on Android/ARM, demonstrating the practicability of our attack, but also discuss a generalization of our approach to other Linux-based platforms. Furthermore, we show that traditional x86-based Rowhammer exploitation techniques no longer work on mobile platforms and address the resulting challenges towards practical mobile Rowhammer attacks. To support our claims, we present the first Rowhammerbased Android root exploit relying on no software vulnerability, and requiring no user permissions. In addition, we present an analysis of several popular smartphones and find that many of them are susceptible to our Drammer attack. We conclude by discussing potential mitigation strategies and urging our community to address the concrete threat of faulty DRAM chips in widespread commodity platforms.",
author = "{Van Der Veen}, Victor and Yanick Fratantonio and Martina Lindorfer and Daniel Gruss and Maurice, {Clementine Lucie Noemie} and Giovanni Vigna and Herbert Bos and Kaveh Razavi and Cristiano Giuffrida",
year = "2016",
month = "10",
day = "24",
doi = "10.1145/2976749.2978406",
language = "English",
volume = "24-28-October-2016",
pages = "1675--1689",
booktitle = "CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security",
publisher = "Association of Computing Machinery",
address = "United States",

}

TY - GEN

T1 - Drammer

T2 - Deterministic Rowhammer attacks on mobile platforms

AU - Van Der Veen, Victor

AU - Fratantonio, Yanick

AU - Lindorfer, Martina

AU - Gruss, Daniel

AU - Maurice, Clementine Lucie Noemie

AU - Vigna, Giovanni

AU - Bos, Herbert

AU - Razavi, Kaveh

AU - Giuffrida, Cristiano

PY - 2016/10/24

Y1 - 2016/10/24

N2 - Recent work shows that the Rowhammer hardware bug can be used to craft powerful attacks and completely subvert a system. However, existing efforts either describe probabilistic (and thus unreliable) attacks or rely on special (and often unavailable) memory management features to place victim objects in vulnerable physical memory locations. Moreover, prior work only targets x86 and researchers have openly wondered whether Rowhammer attacks on other architectures, such as ARM, are even possible. We show that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses. Rather than assuming special memory management features, our attack, Drammer, solely relies on the predictable memory reuse patterns of standard physical memory allocators. We implement Drammer on Android/ARM, demonstrating the practicability of our attack, but also discuss a generalization of our approach to other Linux-based platforms. Furthermore, we show that traditional x86-based Rowhammer exploitation techniques no longer work on mobile platforms and address the resulting challenges towards practical mobile Rowhammer attacks. To support our claims, we present the first Rowhammerbased Android root exploit relying on no software vulnerability, and requiring no user permissions. In addition, we present an analysis of several popular smartphones and find that many of them are susceptible to our Drammer attack. We conclude by discussing potential mitigation strategies and urging our community to address the concrete threat of faulty DRAM chips in widespread commodity platforms.

AB - Recent work shows that the Rowhammer hardware bug can be used to craft powerful attacks and completely subvert a system. However, existing efforts either describe probabilistic (and thus unreliable) attacks or rely on special (and often unavailable) memory management features to place victim objects in vulnerable physical memory locations. Moreover, prior work only targets x86 and researchers have openly wondered whether Rowhammer attacks on other architectures, such as ARM, are even possible. We show that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses. Rather than assuming special memory management features, our attack, Drammer, solely relies on the predictable memory reuse patterns of standard physical memory allocators. We implement Drammer on Android/ARM, demonstrating the practicability of our attack, but also discuss a generalization of our approach to other Linux-based platforms. Furthermore, we show that traditional x86-based Rowhammer exploitation techniques no longer work on mobile platforms and address the resulting challenges towards practical mobile Rowhammer attacks. To support our claims, we present the first Rowhammerbased Android root exploit relying on no software vulnerability, and requiring no user permissions. In addition, we present an analysis of several popular smartphones and find that many of them are susceptible to our Drammer attack. We conclude by discussing potential mitigation strategies and urging our community to address the concrete threat of faulty DRAM chips in widespread commodity platforms.

UR - http://www.scopus.com/inward/record.url?scp=84995387443&partnerID=8YFLogxK

U2 - 10.1145/2976749.2978406

DO - 10.1145/2976749.2978406

M3 - Conference contribution

VL - 24-28-October-2016

SP - 1675

EP - 1689

BT - CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

PB - Association of Computing Machinery

ER -