Uncategorized

Rowhammer

Wow, there are a lot of Rowhammer stories in the news recently.

 

https://github.com/vusec/drammer

Drammer: Flip Feng Shui Goes Mobile

 

http://arstechnica.com/security/2016/10/using-rowhammer-bitflips-to-root-android-phones-is-now-a-thing/

 

Standard
Uncategorized

Jacob Torrey: coding in a post-Rowhammer world

Jacob Torrey has a presentation on ROWHAMMER:

[…] Earlier this year at TROOPERS I presented on how many tenets of the LangSec theories could be integrated into a modern SDLC through providing a framework for “verification-oriented programming”. This idea revolved around the notion that “to err is human, to be caught at compile-time (or as close to it as possible) divine”, and that developers are going to make mistakes, but a good SDLC should be able to catch those bugs rapidly. […]

 

http://blog.jacobtorrey.com/rowhammer-defensive-programming

Standard
Uncategorized

New Linux VM Rowhammer attack

Catalin Cimpanu has a story in Softpedia about a new use of Rowhammer:

New FFS Rowhammer Attack Hijacks Linux VMs: Attack was successful in tests against Debian and Ubuntu

Researchers from the Vrije University in the Netherlands have revealed a new version of the infamous Rowhammer attack that is effective in compromising Linux VMs, often used for cloud hosting services. The Rowhammer attack was discovered two years ago and caused a lot of stir when researchers disclosed it because it showed how, by bombarding a row of memory cells, an attacker could reverse binary zeros into ones and vice versa. […]

http://news.softpedia.com/news/new-ffs-rowhammer-attack-targets-linux-vm-setups-507290.shtml

Standard
Uncategorized

DRAMA

“DRAMA Reverse-Engineering Tool and Side-Channel Tools

This repository contains several tools to reverse engineer the undocument DRAM addressing functions on Intel CPUs. These DRAM addressing functions uncovered a new side channel, enabling DRAMA (DRAM addressing) attacks. These attacks exploit the DRAM row buffer that is shared, even in multi-processor systems. Apart from that our attack improves Rowhammer attacks and enabled the first successful Rowhammer attacks on DDR4 memory.

The “DRAMA” paper by Pessl, Gruss, Maurice, Schwarz, and Mangard will be published at the Usenix Security Symposium 2016.”

https://github.com/IAIK/drama

Standard
Uncategorized

Deduplication Rowhammer Windows exploitation

There’s a new research paper on using Deduplication and Rowhammer against Windows. Abstract:

Memory deduplication, a well-known technique to reduce the memory footprint across virtual machines, is now also a default-on feature inside the Windows 8.1 and Windows 10 operating systems. Deduplication maps multiple identical copies of a physical page onto a single shared copy with copy-on-write semantics. As a result, a write to such a shared page triggers a page fault and is thus measurably slower than a write to a normal page. Prior work has shown that an attacker able to craft pages on the target system can use this timing difference as a simple single-bit side channel to discover that certain pages exist in the system. In this paper, we demonstrate that the deduplication side channel is much more powerful than previously assumed, potentially providing an attacker with a weird machine to read arbitrary data in the system. We first show that an attacker controlling the alignment and reuse of data in memory is able to perform byte-by-byte disclosure of sensitive data (such as randomized 64 bit pointers). Next, even without control over data alignment or reuse, we show that an attacker can still disclose high-entropy randomized pointers using a birthday attack. To show these primitives are practical, we present an end-to-end JavaScript-based attack against the new Microsoft Edge browser, in absence of software bugs and with all defenses turned on. Our attack combines our deduplication-based primitives with a reliable Rowhammer exploit to gain arbitrary memory read and write access in the browser. We conclude by extending our JavaScript-based attack to cross-process system-wide exploitation (using the popular nginx web server as an example) and discussing mitigation strategies.

http://www.ieee-security.org/TC/SP2016/papers/0824a987.pdf
http://www.cs.vu.nl/~herbertb/download/papers/dedup-est-machina_sp16.pdf

Standard
Uncategorized

Rowhammer for AMD

A Tale of Two Hammers: A Brief Rowhammer Analysis of AMD vs. Intel
May 2016
Mark Lanteigne, CTO and Founder, Third I/O Inc.
This is the first addendum to Third I/O’s March 2016 Rowhammer report.

 

http://www.thirdio.com/rowhammera1.pdf
http://www.thirdio.com/rowhammer.pdf

Standard