Nethammer: Inducing Rowhammer Faults through Network Requests

(Submitted on 13 May 2018)

A fundamental assumption in software security is that memory contents do not change unless there is a legitimate deliberate modification. Classical fault attacks show that this assumption does not hold if the attacker has physical access. Rowhammer attacks showed that local code execution is already sufficient to break this assumption. Rowhammer exploits parasitic effects in DRAM to modify the content of a memory cell without accessing it. Instead, other memory locations are accessed at a high frequency. All Rowhammer attacks so far were local attacks, running either in a scripted language or native code. In this paper, we present Nethammer. Nethammer is the first truly remote Rowhammer attack, without a single attacker-controlled line of code on the targeted system. Systems that use uncached memory or flush instructions while handling network requests, e.g., for interaction with the network device, can be attacked using Nethammer. Other systems can still be attacked if they are protected with quality-of-service techniques like Intel CAT. We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. We evaluated different bit flip scenarios. Depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, i.e., persistent denial of service. We investigated Nethammer on personal computers, servers, and mobile phones. Nethammer is a security landslide, making the formerly local attack a remote attack.








GLitch: a remote Rowhammer exploit on ARM Android devices

What is GLitch?

GLitch is one part of our series of Rowhammer attacks. We started by breaking the EDGE browser and the cloud. Then we moved towards Android devices showing how to root them with bit flips. This time we wanted to show that also mobile phones can be attacked remotely via the browser.
Meet GLitch: the first instance of a remote Rowhammer exploit on ARM Android devices. This makes it possible for an attacker who controls a malicious website to get remote code execution on a smartphone without relying on any software bug.
You want to know what makes this attack even cooler? It is carried out by the GPU. This is the first GPU-accelerated Rowhammer attack.[…]




Intrinsic Rowhammer PUFs: Leveraging the Rowhammer Effect for Improved Security

Intrinsic Rowhammer PUFs: Leveraging the Rowhammer Effect for Improved Security

Physically Unclonable Functions (PUFs) have become an important and promising hardware primitive for device fingerprinting, device identification, or key storage. Intrinsic PUFs leverage components already found in existing devices, unlike extrinsic silicon PUFs, which are based on customized circuits that involve modification of hardware. In this work, we present a new type of a memory-based intrinsic PUF, which leverages the Rowhammer effect in DRAM modules – the Rowhammer PUF. Our PUF makes use of bit flips, which occur in DRAM cells due to rapid and repeated access of DRAM rows. Prior research has mainly focused on Rowhammer attacks, where the Rowhammer effect is used to illegitimately alter data stored in memory, e.g., to change page table entries or enable privilege escalation attacks. Meanwhile, this is the first work to use the Rowhammer effect in a positive context – to design a novel PUF. We extensively evaluate the Rowhammer PUF using commercial, off-the-shelf devices, not relying on custom hardware or an FPGA-based setup. The evaluation shows that the Rowhammer PUF holds required properties needed for the envisioned security applications, and could be deployed today.


The mysterious case of the Linux Page Table Isolation patches

WordPress chokes on this Tumbler.com-based document; please click on the URLs in the below tweets to reach article.

The mysterious case of the Linux Page Table Isolation patches

tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.

See-also: https://firmwaresecurity.com/2017/12/07/tu-graz-story-on-rowhammer/


TU Graz story on rowhammer

TU Graz News
When rowhammer only knocks once
04 Dec 2017 | Planet Research | FoE Information, Communication & Computing
By Birgit Baustädter
Rowhammer attacks make use of hardware vulnerabilities in order to access computer systems. TU Graz researchers have discovered a new type of attack – and raise questions about protective mechanisms. There is a huge computer screen with a lot of words on it. In the background there are four men. The research team with Michael Schwarz (left), Daniel Gruss (second from left) and Moritz Lipp (right) as well as working group leader Stefan Mangard.“When a system is regarded as absolutely safe, our curiosity is awakened,” explains Daniel Gruss from the Institute of Applied Information Processing and Communication Technology at TU Graz. As part of the Secure Systems working group, the researcher is occupied with the security of IT systems and in particular rowhammer attacks. Together with colleagues Michael Schwarz and Moritz Lipp, he has recently published research results which have generated excitement in the community to say the least and possibly may lead to a complete rethink.[…]



There is a huge computer screen with a lot of words on it. In the background there are four men.


Hammertime: rowhammer testing/profiling/simulating suite

Hammertime: a software suite for testing, profiling and simulating the rowhammer DRAM defect. Includes the following components:
* libramses: a library that handles address translation for the entire memory stack.
* libperfev-util: a library providing a more human-friendly interface to Linux’s performance event API.
* Probes for monitoring memory access behaviour of running programs.
* Predictors that decide whether a certain memory access behaviour triggers rowhammer.
* Glue code to tie all this together and effect bit flips in memory.
* Fliptables: example profiles of rowhammer-vulnerable DRAM chips, usable by a dedicated predictor.
* Various cool tools and utilities:
+ tools/profile: a tool to test a running system’s vulnerability to rowhammer.
+ py/prettyprofile.py converts a profile output into something more human-friendly.
+ py/hammerprof.py converts a profile output into a fliptable.
+ py/common_flips.py processes multiple profile results selecting only bit flips common to all. Useful for finding bit flips that can be reliably triggered.
+ py/pyramses is a Python interface to libramses.
+ py/hammertime/ contains Python interfaces to work with profile results and fliptables.
+ py/hammertime/estimate.py is a framework for rapidly estimating Rowhammer attack effectiveness, based on exploit models and profile results.
+ ramses/tools/msys_detect.py is an interactive tool for detecting current system memory configuration.