Rowhammer.js - Papers We Love (May 2016)
2016-05-04
Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript
Donny Nadolny ([email protected] / [email protected])
Papers We Love, May 2016
Paper by Daniel Gruss, Clémentine Maurice, and Stefan Mangard
2016−05−04ROWHAMMER.JS

Rowhammer - Impact
• Software-exploitable hardware flaw
• Causes bit flips in memory
• Can be exploited to get root on a machine, escape from a JVM, break out of a browser

Rowhammer - What's Affected
• DRAM
  • Vulnerable to rowhammer (Kim et al. saw flips in 110 / 129 modules tested)
  • Most RAM is DRAM
• SRAM
  • Not vulnerable
  • Used in your CPU cache

DRAM - Simplified One Bit Cell
[Figure: one cell = access transistor + storage capacitor to ground; the bit line feeds a sense amplifier and a latch (buffer)]

DRAM - 4x4
[Figure: 4x4 array of cells, one row (word line) activated at a time]
• Capacitor charge decays over time, so every row needs periodic refresh
• Activating (reading) a row repeatedly causes the adjacent rows to leak their charge at an increased rate; if that outruns the refresh, bits flip

Rowhammer (Assembly)
    code1a:
        mov (X), %eax
        mov (Y), %ebx
        clflush (X)
        clflush (Y)
        mfence
        jmp code1a
• X and Y are addresses in two different rows of the same bank; clflush evicts both lines from the cache so that every iteration activates the rows in DRAM, and mfence orders the flushes before the next loads
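The loop above translated to C with compiler intrinsics, plus the bit-flip scan that a rowhammer test (like google/rowhammer-test) runs afterwards. This is an added example, not code from the paper or the talk: the aggressor addresses X and Y are picked by a fixed offset inside one buffer, which is a simplification (a real test selects them by physical address so they land in different rows of the same bank), and on non-x86 builds the fallback does not flush at all, so it stays in cache and does not hammer.

```c
/* Flush-based hammer loop in C plus a bit-flip scan. Added example; the
 * aggressor selection below is a simplification, see the comments. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__SSE2__)
#include <emmintrin.h>
static void flush_line(const void *p) { _mm_clflush(p); }   /* clflush (p) */
static void fence(void)               { _mm_mfence(); }     /* mfence */
#else
/* Non-x86 fallback: no unprivileged line flush is used here, so the loop
 * stays in cache and does NOT hammer DRAM; it only keeps the code portable. */
static void flush_line(const void *p) { (void)p; }
static void fence(void)               { __sync_synchronize(); }
#endif

/* One hammer loop: load X, load Y, flush both, fence, repeat. The volatile
 * pointers stop the compiler from hoisting the loads out of the loop. */
void hammer(const volatile uint8_t *x, const volatile uint8_t *y, unsigned long iterations)
{
    for (unsigned long i = 0; i < iterations; i++) {
        (void)*x;                         /* mov (X), %eax */
        (void)*y;                         /* mov (Y), %ebx */
        flush_line((const void *)x);      /* clflush (X) */
        flush_line((const void *)y);      /* clflush (Y) */
        fence();                          /* mfence */
    }
}

/* Count bits that differ from the fill pattern: each is a candidate disturbance error. */
size_t count_bit_flips(const uint8_t *buf, size_t len, uint8_t pattern)
{
    size_t flips = 0;
    for (size_t i = 0; i < len; i++)
        flips += (size_t)__builtin_popcount((unsigned)(buf[i] ^ pattern));
    return flips;
}

/* Fill a region, hammer two aggressor addresses inside it, report flips anywhere in it.
 * Choosing the aggressors by a fixed virtual offset is a simplification: a real test
 * picks X and Y by physical address so they sit in different rows of the same bank. */
size_t hammer_region(size_t region_bytes, unsigned long iterations, uint8_t pattern)
{
    uint8_t *buf = malloc(region_bytes);
    if (!buf) return (size_t)-1;
    memset(buf, pattern, region_bytes);
    const uint8_t *x = buf + region_bytes / 4;          /* hypothetical aggressor rows */
    const uint8_t *y = buf + (3 * region_bytes) / 4;
    hammer(x, y, iterations);
    size_t flips = count_bit_flips(buf, region_bytes, pattern);
    free(buf);
    return flips;
}

int main(void)
{
    /* 16 MiB region, 5M double-sided iterations; on a vulnerable module with
     * well-chosen aggressors this is the order of magnitude that produces flips. */
    size_t flips = hammer_region(1u << 24, 5000000UL, 0xff);
    printf("bit flips observed: %zu\n", flips);
    return 0;
}
```

A scan that reports zero flips says nothing about the module unless X and Y really were same-bank, different-row addresses; without physical address information (for example /proc/self/pagemap as root, or the DRAM mapping functions used later by the same authors) you are mostly measuring luck.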
Exploiting Rowhammer

Virtual Memory
[Figure: Process 1 virtual memory and Process 2 virtual memory, each mapped page by page onto physical memory]

Page Table Entry
[Figure: a page table entry = physical address of the frame + flags]

Filling Memory
[Figure: Process 1 allocates until most of physical memory holds its own page tables]

Filling Memory - Bit Flip In PTE
[Figure: rowhammer flips a bit in the physical-address field of one of those PTEs, which now points into another page table]

Filling Memory - Change Your PTE
[Figure: through that corrupted mapping the process writes its own page table entries and gains read/write access to arbitrary physical memory]

Rowhammer.js - no clflush

Rowhammering without clflush
• Target memory address p
• Access other memory addresses so that p is evicted from the cache; then accessing p goes to DRAM. Repeat.
• Naive approach: access sizeof(cache) bytes of other data, then p. Too slow: every hammer iteration now costs a full cache's worth of accesses, so far fewer row activations fit into one refresh interval than with clflush

CPU Cache
• CPU cache is a fixed-size array of lines
• Direct mapped, set associative, fully associative
• Barriers for attacking set-associative caches:
  • Undocumented addressing function (which address bits select the set and, on Intel, the slice)
  • Undocumented / proprietary eviction (replacement) strategy, so accessing the lines of p's set once each need not evict p

Adaptive Eviction Algorithm - Step 1
1. Add random addresses until target address isn't cached

Access p
while cached(p) do
    Choose random 64-byte-aligned address r from eviction buffer
    Insert r into eviction list e twice at two random positions
end

(cached(p) is measured, not queried: access p, access every address in e in order, then time a reload of p)

Adaptive Eviction Algorithm - Step 2
1. Add random addresses until target address isn't cached
2. Replace all instances of a random address with other addresses in the list until you can't replace any address

Set c = 0
while c < |e| and not cached(p) do
    Choose random index r in e
    Store all indices ri where e[ri] = e[r]
    Replace all e[ri] with e[ri - 1]
    if cached(p) then
        Undo changes for all indices ri
        Set c = c + 1
    else
        Set c = 0
    end
end

Adaptive Eviction Algorithm - Step 3
1. Add random addresses until target address isn't cached
2. Replace all instances of a random address with other addresses in the list until you can't replace any address
3. Remove elements one by one until you can't remove any more

Set c = 0
while c < |e| and not cached(p) do
    Remove random element from e
    if cached(p) then
        Undo changes
        Set c = c + 1
    else
        Set c = 0
    end
end
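The three steps above run against a simulated cache, as an added example that is not the paper's code. Everything about the "hardware" is an assumption made here: 64 sets, 8 ways, LRU replacement, a made-up set-index function, an eviction buffer at a hypothetical address and a fixed-seed PRNG. The algorithm itself never inspects any of that; it only calls cached(), the same black box the JavaScript version has through timing. One deviation from the slide: "replace e[ri] with e[ri - 1]" is implemented as "replace with the nearest earlier element that is not the chosen address", so a run of repeated entries collapses completely instead of copying itself.

```c
/* Simulation of the three-step adaptive eviction algorithm from the slides.
 * Added example, not the paper's code: the cache model, its set-index
 * function and the eviction buffer address are all made up here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SETS      64                     /* hypothetical cache geometry */
#define WAYS      8
#define LINE      64
#define BUF_BASE  0x10000000ULL          /* hypothetical 8 MiB eviction buffer */
#define BUF_LINES ((8u << 20) / LINE)
#define MAX_E     8192                   /* capacity of the eviction list */

static uint64_t tags[SETS][WAYS];        /* line tag per way, UINT64_MAX = empty */
static uint32_t age[SETS][WAYS];         /* last-use stamp for LRU replacement */
static uint32_t tick;
static uint64_t rng = 0x9E3779B97F4A7C15ULL;   /* fixed seed: runs are reproducible */
static uint64_t rnd(void) { rng ^= rng << 13; rng ^= rng >> 7; rng ^= rng << 17; return rng; }

/* "Undocumented" set-index function: mixes several address bits, as a real LLC does. */
static unsigned set_of(uint64_t a)
{
    uint64_t l = a / LINE;
    return (unsigned)((l ^ (l >> 6) ^ (l >> 12)) & (SETS - 1));
}
static void cache_reset(void) { memset(tags, 0xff, sizeof tags); memset(age, 0, sizeof age); tick = 0; }

static void touch(uint64_t a)            /* one access through the LRU cache */
{
    unsigned s = set_of(a); uint64_t tag = a / LINE; int victim = 0;
    for (int w = 0; w < WAYS; w++) {
        if (tags[s][w] == tag) { age[s][w] = ++tick; return; }   /* hit: refresh stamp */
        if (age[s][w] < age[s][victim]) victim = w;             /* remember LRU way */
    }
    tags[s][victim] = tag; age[s][victim] = ++tick;             /* miss: evict LRU way */
}

/* The attacker's only view of the cache: access p, run the eviction list e, is p
 * still cached? On real hardware the final lookup is a timed reload of p. */
int cached(uint64_t p, const uint64_t *e, size_t n)
{
    touch(p);
    for (size_t i = 0; i < n; i++) touch(e[i]);
    unsigned s = set_of(p); uint64_t tag = p / LINE;
    for (int w = 0; w < WAYS; w++) if (tags[s][w] == tag) return 1;
    return 0;
}

static uint64_t random_line(void) { return BUF_BASE + (rnd() % BUF_LINES) * LINE; }
static void insert_at(uint64_t *e, size_t *n, size_t pos, uint64_t v)
{ memmove(&e[pos + 1], &e[pos], (*n - pos) * sizeof *e); e[pos] = v; (*n)++; }
static void remove_at(uint64_t *e, size_t *n, size_t pos)
{ memmove(&e[pos], &e[pos + 1], (*n - pos - 1) * sizeof *e); (*n)--; }

/* The "e[ri - 1]" of step 2: nearest earlier element (cyclically) that is not x,
 * so that collapsing x never leaves a copy of x behind inside a run. */
static uint64_t pred_not(const uint64_t *e, size_t n, size_t i, uint64_t x)
{
    for (size_t k = 1; k < n; k++) { uint64_t v = e[(i + n - k) % n]; if (v != x) return v; }
    return x;
}

/* Steps 1-3 for target p. e and undo must each hold MAX_E entries; returns |e|. */
size_t find_eviction_set(uint64_t p, uint64_t *e, uint64_t *undo)
{
    size_t n = 0, c;
    cache_reset();
    touch(p);
    /* Step 1: add random lines, each twice at random positions, until p is evicted. */
    while (cached(p, e, n) && n + 2 <= MAX_E) {
        uint64_t r = random_line();
        insert_at(e, &n, rnd() % (n + 1), r);
        insert_at(e, &n, rnd() % (n + 1), r);
    }
    /* Step 2: replace all instances of a random address by their predecessors; undo if p survives. */
    for (c = 0; c < n && !cached(p, e, n); ) {
        uint64_t x = e[rnd() % n];
        memcpy(undo, e, n * sizeof *e);
        for (size_t i = 0; i < n; i++) if (undo[i] == x) e[i] = pred_not(undo, n, i, x);
        if (cached(p, e, n)) { memcpy(e, undo, n * sizeof *e); c++; } else c = 0;
    }
    /* Step 3: remove random elements; undo if p survives. */
    for (c = 0; c < n && !cached(p, e, n); ) {
        size_t i = rnd() % n; uint64_t v = e[i];
        remove_at(e, &n, i);
        if (cached(p, e, n)) { insert_at(e, &n, i, v); c++; } else c = 0;
    }
    return n;
}

int main(void)
{
    static uint64_t e[MAX_E], undo[MAX_E];
    uint64_t p = 0x20000000ULL;                 /* hypothetical target, outside the buffer */
    size_t n = find_eviction_set(p, e, undo);
    printf("eviction list of %zu accesses, evicts p: %s\n", n, cached(p, e, n) ? "no" : "yes");
    return 0;
}
```

Because the simulated policy is plain LRU, step 3 shrinks the list to 8 distinct addresses that share p's set, which is also the only thing a textbook eviction set needs. Step 2 earns its keep on real hardware: it turns the list into repeated accesses to a few addresses, and the paper reports that those repeats are what gets past the adaptive replacement policies of recent Intel CPUs, where a single pass over congruent lines often fails to evict p.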

Practicality of Exploiting Rowhammer.js
• Finding a cache eviction memory access sequence:
  • up to 1 hour for the fallback (adaptive) attack
  • "a few seconds" for the assumption-based attack (cache parameters known in advance)
• Finding a useful repeatable bit flip: "several hours"

Countermeasures
• Increase refresh rate: mostly works, but bad efficiency (power usage and lost memory bandwidth)
• ECC (Error Correcting Codes): no, only lowers the probability; single-bit errors are corrected, but several flips in one word slip through
• TRR and pTRR ([pseudo] Targeted Row Refresh) / PARA (Probabilistic Adjacent Row Activation): yes, though they require a hardware change (DRAM or memory controller)
• ANVIL (Software-Based Protection Against Next-Generation Rowhammer Attacks): yes for all current attacks, but affects performance

Related Papers / Code
• Rowhammer.js: A Remote Software-Induced Fault Injection Attack in JavaScript (Gruss, Maurice, Mangard)
• https://github.com/google/rowhammer-test - check your machine
• https://github.com/IAIK/rowhammerjs - sorry, no exploit PoC
• ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks - prevention via performance counters
• Using Memory Errors to Attack a Virtual Machine [2003] - JVM
• Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors - the original rowhammer paper (Kim et al.)