Presentation is loading. Please wait.

Presentation is loading. Please wait.

Drammer: Deterministic Rowhammer Attacks on Mobile Platforms A bunch of pasty faced sad sack nerds sitting in a basement want to sound cool and tough,

Published byAlannah Morris Modified over 7 years ago

Similar presentations

Presentation on theme: "Drammer: Deterministic Rowhammer Attacks on Mobile Platforms A bunch of pasty faced sad sack nerds sitting in a basement want to sound cool and tough,"— Presentation transcript:

1 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms A bunch of pasty faced sad sack nerds sitting in a basement want to sound cool and tough, like they've just done a tour in 'Nam. [slashdot] by

2 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Victor van der Veen 1, Yanick Fratantonio 2, Martina Lindorfer 2, Daniel Gruss 3, Clémentine Maurice 3, Giovanni Vigna 2, Herbert Bos 1, Kaveh Razavi 1, and Cristiano Giuffrida 1 1 Vrije Universiteit Amsterdam, 2 UC Santa Barbara, 3 TU Graz

3 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Your takeaway message of today

4 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Rowhammer on ARM Your takeaway message of today

5 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Rowhammer on ARM Deterministic exploitation Your takeaway message of today

6 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Rowhammer on ARM Deterministic exploitation Works on a Google Pixel Your takeaway message of today

7 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Flipping bits in memory DRAM hardware glitch causing disturbance errors 1 1 0 1 0 1 0 1 1 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 1 Aggressor row Victim row

8 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Flipping bits in memory DRAM hardware glitch causing disturbance errors 1 1 0 1 0 1 0 1 1 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 1 Aggressor row Victim row

9 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Flipping bits in memory DRAM hardware glitch causing disturbance errors 1 1 0 1 0 1 0 1 1 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 1 Aggressor row Victim row

10 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Flipping bits in memory DRAM hardware glitch causing disturbance errors 1 1 0 1 0 1 0 1 1 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 1 Aggressor row Victim row

11 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Flipping bits in memory DRAM hardware glitch causing disturbance errors 1 1 0 1 0 1 0 1 1 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 1 Aggressor row Victim row

12 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Flipping bits in memory DRAM hardware glitch causing disturbance errors 1 1 0 1 0 1 0 1 1 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 1 Aggressor row Victim row

13 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Flipping bits in memory DRAM hardware glitch causing disturbance errors 1 1 0 1 0 1 0 1 1 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 1 Aggressor row Victim row

14 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Flipping bits in memory DRAM hardware glitch causing disturbance errors 1 1 0 1 0 1 0 0 1 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 1 Aggressor row Victim row

15 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Flipping bits in memory DRAM hardware glitch causing disturbance errors 1 1 0 1 0 1 0 0 1 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 1 Aggressor row Victim row Not every bit may flip Once a bit flips, we can reproduce it

16 1.Memory Templating Scan memory for useful bit flips Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview

17 1.Memory Templating Scan memory for useful bit flips

18 2.Land sensitive data Store a crucial data structure on a vulnerable page Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview

19 1.Memory Templating Scan memory for useful bit flips 2.Land sensitive data Store a crucial data structure on a vulnerable page 3.Reproduce the bit flip Modify the data structure and get root acces Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview

20 1.Memory Templating Scan memory for useful bit flips Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview

21 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Templating Uncached memory access clflush cache eviction non-temporal access instructions Determining the physical addresses aggressor/victim rows /proc/self/pagemap 2MB huge pages (relative)

22 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Templating Uncached memory access clflush cache eviction non-temporal access instructions Determining the physical addresses aggressor/victim rows /proc/self/pagemap 2MB huge pages (relative) But does it work on ARM?

23 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Templating Uncached memory access clflush cache eviction non-temporal access instructions Determining the physical addresses aggressor/victim rows /proc/self/pagemap 2MB huge pages (relative) But does it work on ARM? Nope

24 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Templating Uncached memory access clflush cache eviction non-temporal access instructions Determining the physical addresses aggressor/victim rows /proc/self/pagemap 2MB huge pages (relative) But does it work on ARM? None of them

25 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Templating Uncached memory access clflush cache eviction non-temporal access instructions Determining the physical addresses aggressor/victim rows /proc/self/pagemap 2MB huge pages (relative) But does it work on ARM? (and we tried)

26 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Templating on ARM DMA Direct Memory Access Android’s DMA memory allocator provides everything we need: Uncached memory (no clflush required) Physically contiguous memory

27 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Templating on ARM DMA Direct Memory Access Android’s DMA memory allocator provides everything we need: Uncached memory (no clflush required) Physically contiguous memory Physical memory:

28 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Templating on ARM DMA Direct Memory Access Android’s DMA memory allocator provides everything we need: Uncached memory (no clflush required) Physically contiguous memory DMA ALLOCATED CHUNK Physical memory:

29 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Templating on ARM DMA Direct Memory Access Android’s DMA memory allocator provides everything we need: Uncached memory (no clflush required) Physically contiguous memory 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Physical memory:

30 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Templating on ARM DMA Direct Memory Access Android’s DMA memory allocator provides everything we need: Uncached memory (no clflush required) Physically contiguous memory Physical memory: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

31 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Templating on ARM DMA Direct Memory Access Android’s DMA memory allocator provides everything we need: Uncached memory (no clflush required) Physically contiguous memory Physical memory: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

32 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Templating on ARM DMA Direct Memory Access Android’s DMA memory allocator provides everything we need: Uncached memory (no clflush required) Physically contiguous memory Physical memory: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111110111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

33 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Templating on ARM DMA Direct Memory Access Android’s DMA memory allocator provides everything we need: Uncached memory (no clflush required) Physically contiguous memory Physical memory: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111110111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Bit Flip

34 1.Memory Templating Scan memory for useful bit flips 2.Land sensitive data Store a crucial data structure on a vulnerable page 3.Reproduce the bit flip Modify the data structure and get root acces Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview

35 1.Memory Templating Scan memory for useful bit flips 2.Land sensitive data Store a crucial data structure on a vulnerable page Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview

36 1.Memory Templating Scan memory for useful bit flips 2.Land a Page Table Store a page table on a vulnerable page But why? Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview

37 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses

38 1 0 1 10 1 1 01 0 0 1 0 1 1 10 0 0 10 1 1 11 1 Example lookup for input virtual address 0xb6a5717f Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses

39 1 0 1 10 1 1 01 0 0 1 0 1 1 10 0 0 10 1 1 11 1 Highest 12 bits: level 1 table index (Translation Table Base Register) Example lookup for input virtual address 0xb6a5717f Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables Mapping virtual addresses to physical addresses

40 1 0 1 10 1 1 01 0 0 1 0 1 1 10 0 0 10 1 1 11 1 Highest 12 bits: level 1 table index (Translation Table Base Register) Middle 8 bits: level 2 table index Example lookup for input virtual address 0xb6a5717f Mapping virtual addresses to physical addresses Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables

41 1 0 1 10 1 1 01 0 0 1 0 1 1 10 0 0 10 1 1 11 1 Highest 12 bits: level 1 table index (Translation Table Base Register) Middle 8 bits: level 2 table index Lowest 12 bits: offset in page Example lookup for input virtual address 0xb6a5717f Mapping virtual addresses to physical addresses Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables

42 1 0 1 10 1 1 01 0 0 1 0 1 1 10 0 0 10 1 1 11 1 Highest 12 bits: level 1 table index (Translation Table Base Register) Middle 8 bits: level 2 table index Lowest 12 bits: offset in page TTBR 0x1b17f000 Requested PagePage Table (2 nd level) 1 st level Table 0x462b000 Example lookup for input virtual address 0xb6a5717f Mapping virtual addresses to physical addresses Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Tables

43 0 0 0 11 0 1 10 0 0 10 1 1 11 1 x x Entry in the (2 nd level) Page Table Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries

44 0 0 0 11 0 1 10 0 0 10 1 1 11 1 x x Entry in the (2 nd level) Page Table 12 bits of properties Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries

45 Entry in the (2 nd level) Page Table 0 0 0 11 0 1 10 0 0 10 1 1 11 1 x x 12 bits of properties 20 bits for the page base address Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries

46 Entry in the (2 nd level) Page Table 12 bits of properties 20 bits for the page base address 0 0 0 11 0 1 10 0 0 10 1 1 11 1 x x 0x1b17f000 0x1b17f << 12 mapped page What if we flip a bit in the entry? Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries

47 Entry in the (2 nd level) Page Table 12 bits of properties 20 bits for the page base address 0 0 0 11 0 1 10 0 0 10 1 1 11 1 x x 0x1b17f000 0x1b17f << 12 mapped page 0 0 0 11 0 1 10 0 0 10 1 1 11 1 1 0x x Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries

48 Entry in the (2 nd level) Page Table 12 bits of properties 20 bits for the page base address 0 0 0 11 0 1 10 0 0 10 1 1 11 1 x x 0x1b17f000 0x1b17f << 12 mapped page 0 0 0 11 0 1 10 0 0 10 1 1 11 1 1 0x x 0x1b17e << 12 0x1b17e000 mapped page Rowhammer Attacks on Page Table Entries

49 Entry in the (2 nd level) Page Table 12 bits of properties 20 bits for the page base address 0 0 0 11 0 1 10 0 0 10 1 1 11 1 x x 0x1b17f000 0x1b17f << 12 mapped page 0 0 0 11 0 1 10 0 0 10 1 1 11 1 1 0x x 0x1b17e << 12 0x1b17e000 mapped page A 1-to-0 flip moves the mapping ‘to the left’ Flip offset 0: –1 page Flip offset 1: –2 pages Flip offset 2: –4 pages Flip offset n: –2 n pages Rowhammer Attacks on Page Table Entries

50 1.Map a page 4 pages ‘away’ from its page table Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Page Table Entries

51 0x1b17f0000x1b17d000 0x1b17c000 0x1b17b000 0x1b17e000 1b17f 1.Map a page 4 pages ‘away’ from its page table Page Table Mapped Page Deterministic Attacks on Page Table Entries

52 0x1b17f000 0 0 0 11 0 1 10 0 0 10 1 1 11 1 x x 0x1b17d000 0x1b17c000 0x1b17b000 0x1b17e000 1b17f Virtual address 0xb6a57000 maps to Page Table Entry: which translates to physical page 0x1b17f000 1.Map a page 4 pages ‘away’ from its page table Page Table Mapped Page Deterministic Attacks on Page Table Entries

53 0x1b17f0000x1b17d000 0x1b17c000 0x1b17b000 0x1b17e000 1b17f 0 0 0 11 0 1 10 0 0 10 1 1 11 1 x x Virtual address 0xb6a57000 maps to Page Table Entry: which translates to physical page 0x1b17f000 Page Table Mapped Page 1.Map a page 4 pages ‘away’ from its page table 2.Flip bit 2 in the page table entry Deterministic Attacks on Page Table Entries

54 0x1b17f0000x1b17d000 0x1b17c000 0x1b17b000 0x1b17e000 1b17b 0 0 0 11 0 1 10 0 0 10 1 1 11 1 0 1x x Virtual address 0xb6a57000 maps to Page Table Entry: which translates to physical page 0x1b17b000 Mapped Page Table 1.Map a page 4 pages ‘away’ from its page table 2.Flip bit 2 in the page table entry Deterministic Attacks on Page Table Entries

55 0x1b17f0000x1b17d000 0x1b17c000 0x1b17b000 0x1b17e000 1b17b 0 0 0 11 0 1 10 0 0 10 1 1 11 1 0 1x x Virtual address 0xb6a57000 maps to Page Table Entry: which translates to physical page 0x1b17b000 Mapped Page Table 1.Map a page 4 pages ‘away’ from its page table 2.Flip bit 2 in the page table entry 3.Write page table entries Deterministic Attacks on Page Table Entries

56 0x1b17f0000x1b17d000 0x1b17c000 0x1b17b000 0x1b17e000 3ac903ac913ac923ac93 3ac943ac953ac961b17b 3ac973ac983ac993ac9a 3ac9b3ac9c3ac9d3ac9e 0 0 0 11 0 1 10 0 0 10 1 1 11 1 0 1x x Virtual address 0xb6a57000 maps to Page Table Entry: which translates to physical page 0x1b17b000 Mapped Page Table 1.Map a page 4 pages ‘away’ from its page table 2.Flip bit 2 in the page table entry 3.Write page table entries Deterministic Attacks on Page Table Entries

57 0x1b17f0000x1b17d000 0x1b17c000 0x1b17b000 0x1b17e000 3ac903ac913ac923ac93 3ac943ac953ac961b17b 3ac973ac983ac993ac9a 3ac9b3ac9c3ac9d3ac9e 0 0 0 11 0 1 10 0 0 10 1 1 11 1 0 1x x Virtual address 0xb6a57000 maps to Page Table Entry: which translates to physical page 0x1b17b000 Mapped Page Table 1.Map a page 4 pages ‘away’ from its page table 2.Flip bit 2 in the page table entry 3.Write page table entries 4.Read/write kernel memory Deterministic Attacks on Page Table Entries

58 0x1b17f0000x1b17d000 0x1b17c000 0x1b17b000 0x1b17e000 3ac903ac913ac923ac93 3ac943ac953ac961b17b 3ac973ac983ac993ac9a 3ac9b3ac9c3ac9d3ac9e Virtual address 0xb6a57000 maps to 0x1b17b000 Virtual address 0xb6a58000 maps to 0x3ac97000 Virtual address 0xb6a59000 maps to 0x3ac98000 Mapped Page Table 1.Map a page 4 pages ‘away’ from its page table 2.Flip bit 2 in the page table entry 3.Write page table entries 4.Read/write kernel memory Deterministic Attacks on Page Table Entries

59 1.Memory Templating Scan memory for useful bit flips 2.Land a Page Table Store a page table on a vulnerable page But how? Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview

60 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table No access to pagemap (virtual – physical address mapping) No fancy memory management features (deduplication)

61 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table No access to pagemap (virtual – physical address mapping) No fancy memory management features (deduplication) Phys Feng Shui

62 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table No access to pagemap (virtual – physical address mapping) No fancy memory management features (deduplication) Phys Feng Shui Physical memory:

63 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table No access to pagemap (virtual – physical address mapping) No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Exhaust all memory

64 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table No access to pagemap (virtual – physical address mapping) No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Exhaust all memory

65 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table No access to pagemap (virtual – physical address mapping) No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Release the vulnerable page

66 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table No access to pagemap (virtual – physical address mapping) No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Release the vulnerable page

67 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table No access to pagemap (virtual – physical address mapping) No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Trigger a Page Table Allocation

68 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Landing a Page Table No access to pagemap (virtual – physical address mapping) No fancy memory management features (deduplication) Phys Feng Shui Physical memory: Trigger a Page Table Allocation

69 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui Exploit the predictable behavior of the Buddy Allocator 16 * 4KB pages = 64 KB rows Physical Memory

70 Avoid fragmentation by keeping track of same-size memory chunks (buddies) 16 * 4KB pages = 64 KB rows Physical Memory Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

71 1024KB 512KB Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

72 1024KB 512KB X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

73 1024KB 256KB X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

74 1024KB 128KB 256KB X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

75 1024KB 64KB 128KB 256KB X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

76 1024KB X1 64KB 128KB 256KB X1 = __get_free_pages(flags, 6); // get 2 6 = 64KB of memory Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

77 1024KB X1 64KB 128KB 256KB X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

78 1024KB X1 32KB 128KB 256KB X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

79 1024KB X1 16KB 32KB 128KB 256KB X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

80 1024KB X1 8KB 16KB32KB 128KB 256KB X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

81 1024KB X1 X28KB16KB32KB 128KB 256KB X2 = __get_free_pages(flags, 3); // get 2 3 = 8KB of memory Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

82 1024KB X1 X28KB16KB32KB 128KB 256KB X3 = __get_free_pages(flags, 5); // get 2 3 = 32KB of memory Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

83 1024KB X1 X28KB16KBX3 128KB 256KB P3 = __get_free_pages(flags, 5); // get 2 3 = 32KB of memory Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

84 1024KB X1 X28KB16KBX3 128KB 256KB free_pages(X2, 3); // free X2 Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

85 1024KB X1 8KB 16KBX3 128KB 256KB free_pages(X2, 3); // free X2 Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

86 1024KB X1 16KB X3 128KB 256KB free_pages(X2, 3); // free X2 Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

87 1024KB X1 32KBX3 128KB 256KB free_pages(X2, 3); // free X2 Avoid fragmentation by keeping track of same-size memory chunks (buddies) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui – Buddy Allocator

88 1024KB X1 32KBX3 128KB 256KB Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui Deterministic Rowhammer exploitation in 8 steps

89 1024KB X1 32KBX3 128KB 256KB L1, L2, …, Ln = exhaust(L); Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8 Exhaust + Template Large chunks

90 512KB X1 32KBX3 128KB 256KB L1, L2, …, Ln = exhaust(9); // get all 2^9 = 512KB chunks Exhaust + Template Large chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8

91 L1 L2 X1 32KBX3 128KB 256KB L1, L2, …, Ln = exhaust(L); // get all 2^9 = 512KB chunks Exhaust + Template Large chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8

92 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L1 L2 X1 32KBX3 128KB 256KB Hammer(L1, 2); // hammer row 2 of chunk L1 Exhaust + Template Large chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8

93 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KBX3 128KB 256KB Hammer(L1, 3); // hammer row 3 of chunk L1 Exhaust + Template Large chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8

94 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KBX3 128KB 256KB Hammer(L1, 4); // hammer row 4 of chunk L1 Exhaust + Template Large chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8

95 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KBX3 128KB 256KB Hammer(L1, 5); // hammer row 5 of chunk L1 Exhaust + Template Large chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8

96 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KBX3 128KB 256KB Hammer(L1, 6); // hammer row 6 of chunk L1 Exhaust + Template Large chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8

97 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KBX3 128KB 256KB Hammer(L1, 7); // hammer row 7 of chunk L1 Exhaust + Template Large chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8

98 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 L2 X1 32KBX3 128KB 256KB Hammer(L2, 2); // hammer row 2 of chunk L2 Exhaust + Template Large chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8

99 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KBX3 128KB 256KB Hammer(L2, 3); // hammer row 3 of chunk L2 Exhaust + Template Large chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8

100 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KBX3 128KB 256KB “exploitable flip found in page 5 of virtual row 3 of L2!” Exhaust + Template Large chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 1/8

101 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KBX3 128KB 256KB _M1, _M2, …, _Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 2/8

102 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KBX3 64KB 256KB _M1, _M2, …, _Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 2/8

103 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KBX3 _M1 64KB 256KB _M1, _M2, …, _Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 2/8

104 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KBX3 _M1 _M2 256KB _M1, _M2, …, _Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 2/8

105 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KBX3 _M1 _M2 128KB _M1, _M2, …, _Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 2/8

106 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KBX3 _M1 _M2 64KB 128KB _M1, _M2, …, _Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 2/8

107 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KBX3 _M1 _M2 _M3 64KB 128KB _M1, _M2, …, _Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 2/8

108 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KBX3 _M1 _M2 _M3 _M4 128KB _M1, _M2, …, _Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 2/8

109 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KBX3 _M1 _M2 _M3 _M4 64KB _M1, _M2, …, _Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 2/8

110 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KBX3 _M1 _M2 _M3 _M4 _M5 64KB _M1, _M2, …, _Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 2/8

111 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 _M1, _M2, …, _Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 2/8

112 L1 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Release(L2); // L chunk with vulnerable page Release Large chunk with vulnerable page Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 3/8

113 L1 512KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

114 L1 256KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

115 L1 128KB 256KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

116 L1 64KB 128KB 256KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

117 L1 M1 64KB 128KB 256KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

118 L1 M1 M2 128KB 256KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

119 L1 M1 M2 64KB 256KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

120 L1 M1 M2 M3 64KB 256KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

121 L1 M1 M2 M3 M4 256KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

122 L1 M1 M2 M3 M4 128KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

123 L1 M1 M2 M3 M4 64KB 128KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

124 L1 M1 M2 M3 M4 M5 64KB 128KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

125 L1 M1 M2 M3 M4 M5 M6 128KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

126 L1 M1 M2 M3 M4 M5 M6 64KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

127 L1 M1 M2 M3 M4 M5 M6 M7 64KB X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

128 L1 M1 M2 M3 M4 M5 M6 M7 M8 X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 M1, M2, …, Mn = exhaust(6); // get all 2^6 = 64KB chunks Exhaust Medium-sized chunks (again) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 4/8

129 L1 M1 M2 M3 M4 M5 M6 M7 M8 X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Release vulnerable Medium-sized chunk + Release all Large chunks Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 5/8

130 L1 M1 M2 64KB M4 M5 M6 M7 M8 X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Release vulnerable Medium-sized chunk + Release all Large chunks Release(M3); // releases the vulnerable row Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 5/8

131 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Release vulnerable Medium-sized chunk + Release all Large chunks ReleaseAll(L); // to avoid going out-of-memory later Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 5/8

132 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 32KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

133 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 16KB X3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

134 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 8KB 16KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

135 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 4KB 8KB16KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

136 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 S14KB8KB16KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

137 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 S1S28KB16KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

138 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 S1S24KB 16KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

139 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 S1S2S34KB16KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

140 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 S1S2S3S416KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

141 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 S1S2S3S48KB X3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

142 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 S1S2S3S44KB 8KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

143 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 S1S2S3S4S54KB8KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

144 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S68KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

145 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S64KB X3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

146 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S74KBX3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

147 512KB M1 M2 64KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

148 512KB M1 M2 32KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

149 512KB M1 M2 16KB 32KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

150 512KB M1 M2 8KB 16KB32KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

151 512KB M1 M2 4KB 8KB16KB32KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

152 512KB M1 M2 S94KB8KB16KB32KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Land a small chunk in the vulnerable 64 KB row Land(S); // allocate 4KB pages until the 64KB is used Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 6/8

153 512KB M1 M2 S94KB8KB16KB32KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Pad small chunks until the vulnerable page Pad(P); // insert padding until vulnerable page Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 7/8

154 512KB M1 M2 S9P18KB16KB32KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Pad small chunks until the vulnerable page Pad(P); // insert padding until vulnerable page Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 7/8

155 512KB M1 M2 S9P14KB 16KB32KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Pad small chunks until the vulnerable page Pad(P); // insert padding until vulnerable page Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 7/8

156 512KB M1 M2 S9P1P24KB16KB32KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Pad small chunks until the vulnerable page Pad(P); // insert padding until vulnerable page Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 7/8

157 512KB M1 M2 S9P1P2P316KB32KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Pad small chunks until the vulnerable page Pad(P); // insert padding until vulnerable page Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 7/8

158 512KB M1 M2 S9P1P2P316KB32KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Force a Page Table allocation + map the vulnerable PTE PT = mmap(MAP_FIXED); // Force a Page Table allocation Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 8/8

159 512KB M1 M2 S9P1P2P38KB 32KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Force a Page Table allocation + map the vulnerable PTE PT = mmap(MAP_FIXED); // Force a Page Table allocation Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 8/8

160 512KB M1 M2 S9P1P2P34KB 8KB32KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Force a Page Table allocation + map the vulnerable PTE PT = mmap(MAP_FIXED); // Force a Page Table allocation Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 8/8

161 512KB M1 M2 S9P1P2P3PT4KB8KB32KB M4 M5 M6 M7 M8 X1 S1S2S3S4S5S6S7S8X3 _M1 _M2 _M3 _M4 _M5 _M6 Force a Page Table allocation + map the vulnerable PTE PT = mmap(MAP_FIXED); // Force a Page Table allocation Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 8/8

162 M1 M2 S9P1P2P3PT4KB8KB32KB M4 M5 M6 M7 M8 Force a Page Table allocation + map the vulnerable PTE Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 8/8

163 M1 M2 S9P1P2P3PT4KB8KB32KB M4 M5 M6 M7 M8 Force a Page Table allocation + map the vulnerable PTE M2 P2P3PT4KB 8KB (first page) M4 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 8/8

164 M1 M2 S9P1P2P3PT4KB8KB32KB M4 M5 M6 M7 M8 Force a Page Table allocation + map the vulnerable PTE PTE with bit flip M2 P2P3PT4KB 8KB (first page) M4 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 8/8

165 M1 M2 S9P1P2P3PT4KB8KB32KB M4 M5 M6 M7 M8 Force a Page Table allocation + map the vulnerable PTE PTE with bit flip M2 P2P3PT4KB 8KB (first page) M4 16 * 4KB pages = 64KB rows Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 8/8

166 M1 M2 S9P1P2P3PT4KB8KB32KB M4 M5 M6 M7 M8 Force a Page Table allocation + map the vulnerable PTE M2 M4[5] P2P3PT4KB 8KB (first page) M4[3] (3 rd page) M4[4] (4 th page) M4[5] (5 th page) M4[6] (6 th page) M4[7] (7 th page) 16 * 4KB pages = 64KB rows mmap(M4[5], MAP_FIXED); // map vulnerable PTE 64KB ‘away’ Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Phys Feng Shui step 8/8

167 1.Memory Templating Scan memory for useful bit flips 2.Land a Page Table Store a page table on a vulnerable page 3.Reproduce the bit flip Modify the data structure and get root acces Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Overview

168 Perform double-sided rowhammer to flip a bit in the PTE Drammer M2 M4[5] P2P3PT4KB 8KB (first page) M4[3] (3 rd page) M4[4] (4 th page) M4[5] (5 th page) M4[6] (6 th page) M4[7] (7 th page) 16 * 4KB pages = 64KB rows

169 Perform double-sided rowhammer to flip a bit in the PTE Drammer M2 M4[5] P2P3PT4KB 8KB (first page) M4[3] (3 rd page) M4[4] (4 th page) M4[5] (5 th page) M4[6] (6 th page) M4[7] (7 th page) 16 * 4KB pages = 64KB rows

170 Perform double-sided rowhammer to flip a bit in the PTE Drammer M2 M4[5] P2P3PT4KB 8KB (first page) M4[3] (3 rd page) M4[4] (4 th page) M4[5] (5 th page) M4[6] (6 th page) M4[7] (7 th page) 16 * 4KB pages = 64KB rows

171 M2 PT P2P3PT4KB 8KB (first page) M4[3] (3 rd page) M4[4] (4 th page) M4[5] (5 th page) M4[6] (6 th page) M4[7] (7 th page) 16 * 4KB pages = 64KB rows Drammer Write access to a Page Table

172 M2 PT P2P3PT4KB 8KB (first page) M4[3] (3 rd page) M4[4] (4 th page) M4[5] (5 th page) M4[6] (6 th page) M4[7] (7 th page) 16 * 4KB pages = 64KB rows Drammer Write access to a Page Table 1.Fill PT with Page Table Entries to kernel memory

173 M2 PT P2P3PT4KB 8KB (first page) M4[3] (3 rd page) M4[4] (4 th page) M4[5] (5 th page) M4[6] (6 th page) M4[7] (7 th page) 16 * 4KB pages = 64KB rows Drammer Write access to a Page Table 1.Fill PT with Page Table Entries to kernel memory 2.Search kernel memory for our struct cred

174 M2 PT P2P3PT4KB 8KB (first page) M4[3] (3 rd page) M4[4] (4 th page) M4[5] (5 th page) M4[6] (6 th page) M4[7] (7 th page) 16 * 4KB pages = 64KB rows Drammer Write access to a Page Table 1.Fill PT with Page Table Entries to kernel memory 2.Search kernel memory for our struct cred 3.Overwrite our uid and gid to get root privileges

175 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Evaluation Device#flips1 st exploitable flip after LG Nexus 5 1 1058116s LG Nexus 5 4 0- LG Nexus 5 5 747,0131s LG Nexus 41,3287s OnePlus One3,981942s Motorola Moto G (2013)429441s LG G4 (ARMv8 – 64-bit)117,4965s Bit flips on 18 out of 27 tested devices

176 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Evaluation Device#flips1 st exploitable flip after LG Nexus 5 1 1058116s LG Nexus 5 4 0- LG Nexus 5 5 747,0131s LG Nexus 41,3287s OnePlus One3,981942s Motorola Moto G (2013)429441s LG G4 (ARMv8 – 64-bit)117,4965s

177 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Evaluation Device#flips1 st exploitable flip after LG Nexus 5 1 1058116s LG Nexus 5 4 0- LG Nexus 5 5 747,0131s LG Nexus 41,3287s OnePlus One3,981942s Motorola Moto G (2013)429441s LG G4 (ARMv8 – 64-bit)117,4965s

178 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Evaluation Device#flips1 st exploitable flip after LG Nexus 5 1 1058116s LG Nexus 5 4 0- LG Nexus 5 5 747,0131s LG Nexus 41,3287s OnePlus One3,981942s Motorola Moto G (2013)429441s LG G4 (ARMv8 – 64-bit)117,4965s

179 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Evaluation Device#flips1 st exploitable flip after LG Nexus 5 1 1058116s LG Nexus 5 4 0- LG Nexus 5 5 747,0131s LG Nexus 41,3287s OnePlus One3,981942s Motorola Moto G (2013)429441s LG G4 (ARMv8 – 64-bit)117,4965s After the 1 st exploitable flip, exploitation takes at most 22 seconds

180 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Evaluation Device#flips1 st exploitable flip after LG Nexus 5 1 1058116s LG Nexus 5 4 0- LG Nexus 5 5 747,0131s LG Nexus 41,3287s OnePlus One3,981942s Motorola Moto G (2013)429441s LG G4 (ARMv8 – 64-bit)117,4965s After the 1 st exploitable flip, exploitation takes at most 22 seconds Drammer test app reported bit flips on: Google Pixel, OnePlus 3, Galaxy Note 7, HTC One M8, …

181 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Disclosure Contacted Google with a list of suggested mitigations on July 25

182 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Disclosure Contacted Google with a list of suggested mitigations on July 25 (91 days before #CCS16)

183 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Disclosure Contacted Google with a list of suggested mitigations on July 25 “Can you publish at another conference, later this year?” (91 days before #CCS16)

184 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Disclosure Contacted Google with a list of suggested mitigations on July 25 “Can you publish at another conference, later this year?” “What if we support you financially?” (91 days before #CCS16)

185 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Disclosure Contacted Google with a list of suggested mitigations on July 25 “Ok, could you then perhaps obfuscate some parts of the paper?” (91 days before #CCS16)

186 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Disclosure Contacted Google with a list of suggested mitigations on July 25 “Ok, could you then perhaps obfuscate some parts of the paper?” Rewarded $4000 for a critical issue (91 days before #CCS16)

187 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Disclosure Contacted Google with a list of suggested mitigations on July 25 “Ok, could you then perhaps obfuscate some parts of the paper?” Rewarded $4000 for a critical issue (91 days before #CCS16) (because “it doesn’t work on the devices in our Reward Program”)

188 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Disclosure Contacted Google with a list of suggested mitigations on July 25 “Ok, could you then perhaps obfuscate some parts of the paper?” Rewarded $4000 for a critical issue (91 days before #CCS16) (because “it doesn’t work on the devices in our Reward Program”) But now it does

189 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Disclosure Contacted Google with a list of suggested mitigations on July 25 “Ok, could you then perhaps obfuscate some parts of the paper?” Rewarded $4000 for a critical issue Partial hardening in November’s updates (91 days before #CCS16) “We will continue to work on a longer term solution”

190 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Conclusion Deterministic Rowhammer exploitation No special memory management features required (e.g., deduplication) ARM memory controllers are fast enough to do Rowhammer LPDDR* found vulnerable No easy software fix

191 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Conclusion Deterministic Rowhammer exploitation No special memory management features required (e.g., deduplication) ARM memory controllers are fast enough to do Rowhammer LPDDR* found vulnerable No easy software fix Using DMA bypasses state-of-the-art defenses (e.g., ANVIL)

192 Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Conclusion Deterministic Rowhammer exploitation No special memory management features required (e.g., deduplication) ARM memory controllers are fast enough to do Rowhammer LPDDR* found vulnerable No easy software fix Using DMA bypasses state-of-the-art defenses (e.g., ANVIL) More details Demos, statistics and test app: https://vusec.net/projects/drammer https://vusec.net/projects/drammer Open source: https://github.com/vusec/drammer https://github.com/vusec/drammer

Download ppt "Drammer: Deterministic Rowhammer Attacks on Mobile Platforms A bunch of pasty faced sad sack nerds sitting in a basement want to sound cool and tough,"

Similar presentations

The Linux Kernel: Memory Management

The Linux Kernel: Memory Management
COMP 3221: Microprocessors and Embedded Systems Lectures 27: Virtual Memory - III Lecturer: Hui Wu Session 2, 2005 Modified.

COMP 3221: Microprocessors and Embedded Systems Lectures 27: Virtual Memory - III Lecturer: Hui Wu Session 2, 2005 Modified.
Kevin Walsh CS 3410, Spring 2010 Computer Science Cornell University Virtual Memory 2 P & H Chapter 5.4-5.

Kevin Walsh CS 3410, Spring 2010 Computer Science Cornell University Virtual Memory 2 P & H Chapter
CS 153 Design of Operating Systems Spring 2015

CS 153 Design of Operating Systems Spring 2015
CS 241 Section Week #12 (04/22/10).

CS 241 Section Week #12 (04/22/10).
Lecture 19: Virtual Memory

Lecture 19: Virtual Memory
Operating Systems COMP 4850/CISG 5550 Page Tables TLBs Inverted Page Tables Dr. James Money.

Operating Systems COMP 4850/CISG 5550 Page Tables TLBs Inverted Page Tables Dr. James Money.
By Teacher Asma Aleisa Year 1433 H.   Goals of memory management  To provide a convenient abstraction for programming  To allocate scarce memory resources.

By Teacher Asma Aleisa Year 1433 H.   Goals of memory management  To provide a convenient abstraction for programming  To allocate scarce memory resources.
Chapter 8 – Main Memory (Pgs 315 - 350). Overview  Everything to do with memory is complicated by the fact that more than 1 program can be in memory.

Chapter 8 – Main Memory (Pgs ). Overview  Everything to do with memory is complicated by the fact that more than 1 program can be in memory.
CS 149: Operating Systems March 3 Class Meeting Department of Computer Science San Jose State University Spring 2015 Instructor: Ron Mak www.cs.sjsu.edu/~mak.

CS 149: Operating Systems March 3 Class Meeting Department of Computer Science San Jose State University Spring 2015 Instructor: Ron Mak
Virtual Memory. DRAM as cache What about programs larger than DRAM? When we run multiple programs, all must fit in DRAM! Add another larger, slower level.

Virtual Memory. DRAM as cache What about programs larger than DRAM? When we run multiple programs, all must fit in DRAM! Add another larger, slower level.
1 Lecture 16: Virtual Memory Topics: virtual memory, improving TLB performance (Sections 5.10-5.11)

1 Lecture 16: Virtual Memory Topics: virtual memory, improving TLB performance (Sections )
Review °Apply Principle of Locality Recursively °Manage memory to disk? Treat as cache Included protection as bonus, now critical Use Page Table of mappings.

Review °Apply Principle of Locality Recursively °Manage memory to disk? Treat as cache Included protection as bonus, now critical Use Page Table of mappings.
The Game Machine. Introduction Background – The project is to create a new type of 3D game machine architecture on embedded system device. – We will discuss.

The Game Machine. Introduction Background – The project is to create a new type of 3D game machine architecture on embedded system device. – We will discuss.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Demand Paging.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto Demand Paging.
CHAPTER 3-3: PAGE MAPPING MEMORY MANAGEMENT. VIRTUAL MEMORY Key Idea Disassociate addresses referenced in a running process from addresses available in.

CHAPTER 3-3: PAGE MAPPING MEMORY MANAGEMENT. VIRTUAL MEMORY Key Idea Disassociate addresses referenced in a running process from addresses available in.
1 Lecture: Virtual Memory, DRAM Main Memory Topics: virtual memory, TLB/cache access, DRAM intro (Sections 2.2)

1 Lecture: Virtual Memory, DRAM Main Memory Topics: virtual memory, TLB/cache access, DRAM intro (Sections 2.2)
OS Memory Addressing. Architecture CPU – Processing units – Caches – Interrupt controllers – MMU Memory Interconnect North bridge South bridge PCI, etc.

OS Memory Addressing. Architecture CPU – Processing units – Caches – Interrupt controllers – MMU Memory Interconnect North bridge South bridge PCI, etc.
Translation Lookaside Buffer

Translation Lookaside Buffer
Drammer: Flip Feng Shui Goes Mobile

Drammer: Flip Feng Shui Goes Mobile

Similar presentations

Ads by Google