Winter is Coming Back: Defeating the Most Advanced Rowhammer Defenses to Gain Root and Kernel Privileges

Presented at Black Hat Asia 2019, March 28, 2019, 3:30 p.m. (60 minutes)

Rowhammer attacks can break MMU-enforced memory protection to achieve privilege escalation without requiring any software vulnerability. To mitigate such attacks, numerous software-only countermeasures have been proposed.

In this talk, we will present a novel exploit that is able to effectively break the most advanced rowhammer defense. The exploit allows an unprivileged user application to gain both root and kernel privileges. Further, the exploit is stealthier and more efficient than existing rowhammer exploits.

To demonstrate the effectiveness of the exploit, we will show live demos of two successful attacks on a real system. One gains root privilege and the other gains kernel privilege.

Finally, we offer possible mitigations against our proposed exploit, and call for more parties to join this effort to enhance system security.


Presenters:

  • Zhi Wang - Associate Professor, Florida State University
    Zhi Wang is an associate professor in the Department of Computer Science at Florida State University. He has broad research interests in security with a focus on systems security, particularly operating systems/virtualization security, software security, and mobile security.
  • Surya Nepal - Professor, Data61, CSIRO, Australia
    Dr. Surya Nepal is a Principal Research Scientist at CSIRO Data61, Australia. His main research interest is in the development and implementation of technologies in the area of distributed systems including Web Services, Cloud Computing and Internet-of-Things, with a specific focus on security, privacy and trust. He received his PhD degree from RMIT University, Australia in 2000.
  • Zhi Zhang - PhD Student, Data61, CSIRO, Australia
    Zhi Zhang is a PhD student in the School of Computer Science and Engineering at the University of New South Wales. His research interests are in the areas of system security and virtualization. He received his undergraduate degree from Sichuan University in 2011 and his master's degree from Peking University in 2014.
  • Yueqiang Cheng - Staff Security Scientist, Baidu USA
    Yueqiang Cheng is a Staff Security Scientist at Baidu USA X-Lab. His research interests focus on System Security (e.g., SGX, Virtualization), Blockchain Security, and Autonomous Driving Security.
