Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges

Presented at Black Hat USA 2015, Aug. 5, 2015, 1:50 p.m. (50 minutes).

"Rowhammer" is a problem with DRAM in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. While the industry has known about the problem for a while and has started mitigating it in newer hardware, it was rarely mentioned in public until the publication of Yoongu Kim et al.'s paper in the summer of 2014, which included hard data about the prevalence of the problem. In spite of the paper's speculations about the exploitability of the issue, most people still classified rowhammer as only a reliability issue - the probabilistic aspect of the problem seems to have made people think exploitability would be impractical.

We have shown that rowhammer is practically exploitable in real-world scenarios - both in-browser through NaCl, and outside of the browser to escalate to kernel privileges. The probabilistic aspect can be effectively tamed so that the problem can be reliably exploited.

Rowhammer, to our knowledge, represents the first public discussion of turning a widespread, real-world, physics-level hardware problem into a security issue.

We will discuss the details of how our two exploits cause and use bit flips, and how the rowhammer problem can be mitigated. We will explore whether it is possible to cause row hammering using normal cached memory accesses.


Presenters:

  • Mark Seaborn - Google
    Mark Seaborn has been working on sandboxing for ten years. Currently, he works on the Native Client (NaCl) sandbox used in Google Chrome for running native code on the web, and on PNaCl -- NaCl's cross-architecture portability layer, based on LLVM. Mark has found various vulnerabilities in the NaCl sandbox and usually writes proof-of-concept exploits for the bugs he finds.
  • Halvar Flake
    Halvar Flake has been doing security and reverse engineering for a long time.
