Litcius/Paper detail

PThammer: Cross-User-Kernel-Boundary Rowhammer through Implicit Accesses

Zhi Zhang, Yueqiang Cheng, Dongxi Liu, ‪Surya Nepal‬, Zhi Wang, Yuval Yarom

202064 citationsDOI

Abstract

Rowhammer is a hardware vulnerability in DRAM memory, where repeated access to memory can induce bit flips in neighboring memory locations. Being a hardware vulnerability, rowhammer bypasses all of the system memory protection, allowing adversaries to compromise the integrity and confidentiality of data. Rowhammer attacks have shown to enable privilege escalation, sandbox escape, and cryptographic key disclosures.Recently, several proposals suggest exploiting the spatial proximity between the accessed memory location and the location of the bit flip for a defense against rowhammer. These all aim to deny the attacker's permission to access memory locations near sensitive data.In this paper, we question the core assumption underlying these defenses. We present PThammer, a confused-deputy attack that causes accesses to memory locations that the attacker is not allowed to access. Specifically, PThammer exploits the address translation process of modern processors, inducing the processor to generate frequent accesses to protected memory locations. We implement PThammer, demonstrating that it is a viable attack, resulting in a system compromise (e.g., kernel privilege escalation). We further evaluate the effectiveness of proposed software-only defenses showing that PThammer can overcome those.

Topics & Concepts

Computer scienceDramMemory protectionComputer securityPermissionKernel (algebra)Vulnerability (computing)ExploitEmbedded systemOperating systemMemory managementComputer hardwareSemiconductor memoryVirtual memoryCombinatoricsMathematicsPolitical scienceLawSecurity and Verification in ComputingCloud Data Security SolutionsDiamond and Carbon-based Materials Research
PThammer: Cross-User-Kernel-Boundary Rowhammer through Implicit Accesses | Litcius