Rowhammer Software-exploitable Hardware Flaw

Liang Gong
November 02, 2017

Transcript

  1. Rowhammer: Software-exploitable Hardware Flaw
     Liang Gong, Electrical Engineering & Computer Science, University of California, Berkeley.
     An explanatory tutorial assembled by Liang Gong.
  2. References
     • Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, and Onur Mutlu: Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors, in ISCA 2014.
     • Mark Seaborn and Thomas Dullien: Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges, in Black Hat 2015.
     • Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, and Stefan Mangard: ARMageddon: Cache Attacks on Mobile Devices, in USENIX Security 2016.
     • Michael Schwarz and Anders Fogh: DRAMA: How Your DRAM Becomes a Security Problem, in Black Hat 2016.
     • Daniel Gruss, Clémentine Maurice, and Stefan Mangard: Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript, in DIMVA 2016.
  3-4. Motivation for presenting this work
     • Is JavaScript really memory-safe?
     • Is there any way to break out of a sandbox?
     • Full stack security attack (stack overflow) – physics, hardware, computer architecture, OS, security, JavaScript
  5. Rowhammer - Impact
     • Software-exploitable hardware flaw
     • Causes bit flips in memory
     • Can be exploited to:
       – get root on a machine
       – escape from a sandbox
       – break out of a browser
  6. Overview
     • Bit flips:
       – How to cause them
       – How to exploit them: the rowhammer attack
  7-8. The rowhammer DRAM bug
     • rowhammer: In DRAM, repeatedly activating rows can cause bit flips in adjacent rows.
     • Hardware bug in many DRAM modules since 2010
     • A process can bypass memory protection and affect others
     • The three big DRAM manufacturers all shipped memory with this problem
       – A whole generation of machines
     • Cannot choose which bit to flip, but can flip a bit fairly consistently
  9-15. DRAM: rows and row buffer
     • bits are grouped into rows
     • rows are grouped into banks
     Row activation:
     • Read row n to row buffer
     • row n is the “current row”
     • Read row 1 to row buffer
     • Activate row 1
     [Figure: one DRAM bank with its row buffer and rows 0, 1, …, n-1, n, n+1, …]
  16-20. DRAM: rows and row buffer
     • rowhammer: In DRAM, repeatedly activating rows can cause bit flips in adjacent rows.
     • Refresh: works like row activation
     • Cells are capacitors – they leak charge
     • So each row must be refreshed every 64 ms
     [Figure: the DRAM bank with its row buffer and rows 0, 1, …, n-1, n, n+1, …; one DRAM cell drawn as a transistor and a capacitor]
  21-24. DRAM: rows and row buffer
     • rowhammer: In DRAM, repeatedly activating rows can cause bit flips in adjacent rows.
     • Within the refresh period, if row n is repeatedly activated
     • Row n±1 may get bit flips
     [Figure: the DRAM bank with its row buffer and rows 0, 1, …, n-1, n, n+1, …; a DRAM cell (transistor, capacitor); electromagnetic coupling between neighbouring rows: electricity → magnetic field → electricity]
  25-26. Bad Cells
     • Often consistently flipped when hammered
     • Randomly distributed
     • Have preferred directions: 0 → 1 or 1 → 0
     • “Badness” varies by DRAM module:
       – % of rows with bad cells: varies from 30% to 99.9%
       – # of activations causing failure: can be as low as 98,000
         • Max # allowed by spec: 1,300,000
     Source: Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, and Onur Mutlu: Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors, in ISCA 2014.
  27-29. Overview
     • Bit flips:
       – How to trigger them
       – How to exploit them: the rowhammer attack
     Main obstacle to performing this attack: CPU caches
  30-33. Intel Multi-core Architecture
     [Figure: two cores, each with L1 D, L1 I and L2 caches, sharing the LLC (Last Level Cache, L3), in front of the DRAM bank]
     • L1 Cache, L2 Cache, L3 Cache
     • Inclusive cache → only need to invalidate the L3 Cache
  34-39. rowhammer attack, step 1: bypass the cache
     • Inclusive cache → only need to invalidate the L3 Cache
     • Intel x86: Unprivileged clflush instruction
       – clflush operand: the operand is a byte memory location
       – No way to disable it
     • ARM: Privileged cache maintenance instructions
       – Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, and Stefan Mangard: ARMageddon: Cache Attacks on Mobile Devices, in USENIX Security 2016.
  40-45. rowhammer attack, step 2: activate two different rows in the same bank
     • Repeatedly reading row n will not activate it again
     Infer the mapping from hardware and OS info:
     • Difficult to pick virtual addresses mapping to the same DRAM bank
     • Virtual addr → physical addr → DRAM location
     Just pick addresses randomly:
     • 16 banks → 1/16 chance to be in the same bank
     Select addresses using timing:
     • “different row, same bank” should be slower (row conflicts vs. row hits)
     • Michael Schwarz and Anders Fogh: DRAMA: How Your DRAM Becomes a Security Problem, in Black Hat 2016.
     [Figure: the DRAM bank with its row buffer and rows 0, 1, 2, …, n-1, n, n+1, n+2, n+3, …]
  46-50. rowhammer attack, step 2: activate two different rows in the same bank
     • Double-sided hammering
     • If we keep activating row n and row n + 2, then row n + 1 will have a better chance to be flipped.
     • Need to experiment with the architecture of the victim machine
     • Extrapolate the distance (e.g., 256K)
     [Figure: the DRAM bank with rows 0, 1, 2, …, n-1, n, n+1, n+2, n+3, …]
  51-52. rowhammer attack, steps 1 and 2 in code
     Two addresses X and Y in different rows of the same bank:
        code1a:
          mov (X), %eax
          mov (Y), %ebx
          clflush (X)
          clflush (Y)
          mfence
          jmp code1a
     A single address X (the row stays in the row buffer, so it is not repeatedly activated):
        code1a:
          mov (X), %eax
          clflush (X)
          mfence
          jmp code1a
  53. Overview
     • Bit flips:
       – How to trigger them
       – How to exploit them: the rowhammer attack
  54-55. Exploitation Example
     • Break a Sandbox
       – The NaCl sandbox only allows a subset of x86 instructions
       – Break the NaCl sandbox to make system calls
     • Gain Kernel Privileges
       – Gain access to all physical memory from a normal x86-64 process in Linux
  56-59. NaCl in-process sandbox
     • Sandbox for running C/C++ (“native code”) on the web
     • Used in the Google Chrome browser
     • WebAssembly is being defined by team members from NaCl at Google.
     How it works:
     • Load an x86-64 executable
     • Use a validator to check its safety
     Vulnerable:
     • Once code is validated, it is considered safe
     • Idea: hammer the validated code area to cause a bit flip
       – Safe code → unsafe code
     • The “safe code” memory area is visible in NaCl!
  60-66. NaCl Security Policy
     • Always jump within the sandbox memory space
     • The NaCl validator checks that all jmp instructions are used in the following sequence:
        83 e0 e0    andl $~31, %eax    // Truncate address to 32 bits
                                       // and mask to be 32-byte-aligned.
        4c 01 f8    addq %r15, %rax    // Add %r15, the sandbox
                                       // base address.
        ff e0       jmp  *%rax         // Indirect jump.
     • The sandbox also ensures that it will not jump out of the box
     • No syscall instruction loaded
     Goal: execute a syscall. How?
     • Hammering the code area → flips
     • Suppose there is a bit flip: %rax → %rcx
     • Jump to the middle of another instruction
     [Figure: safe code area in memory (instructions are 32-byte aligned): mov X, %rcx; andl $~31, %eax; addq %r15, %rax; jmp *%rax. After the flip the last instruction reads jmp *%rcx and lands in the middle of an “evil instruction”.]
  67-68. Break NaCl
        20ea0: 48 b8 0f 05 eb 0c f4 f4 f4 f4    movabs $0xf4f4f4f40ceb050f, %rax
        20ea2: 0f 05                             syscall
        20ea4: eb 0c                             jmp ...   // Jump
        20ea6: f4                                hlt       // padding
     The “evil instruction” sequence:
        mov 20ea2, %rcx
        andl $~31, %eax
        addq %r15, %rax
        jmp *%rcx
     NaCl validated:
     • jump within the sandbox memory space
     • all jmp instructions are used in the specific sequence
     • no syscall instruction loaded (explicitly)
     Yet the syscall instruction is still executed.
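The two validator facts that slides 60 through 68 rely on, as an added model written for this page (it is not NaCl's validator and not code from the slides): the validator accepts exactly the mask/add/jmp byte sequence, and it decodes only from instruction boundaries, so bytes hidden inside a movabs immediate are never inspected. The toy decoder knows just the opcodes that appear on the slides; the FNV-1a fingerprint and the re-validation helpers are the defender's side, showing that a one-bit change in already-validated code is trivially detectable if the code region is re-checked instead of being trusted forever.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; not NaCl's validator. Models the two facts the slides rely
 * on: the validator accepts exactly the mask/add/jmp sequence, and it decodes
 * only from instruction boundaries. The toy decoder knows just the opcodes
 * that appear on the slides. */

static const uint8_t SAFE_JMP[8] = {        /* sanctioned sequence, from the slides */
    0x83, 0xe0, 0xe0,                        /* andl $~31, %eax */
    0x4c, 0x01, 0xf8,                        /* addq %r15, %rax */
    0xff, 0xe0                               /* jmp  *%rax      */
};
static const uint8_t HIDDEN[10] = {         /* movabs from the slides: its immediate */
    0x48, 0xb8, 0x0f, 0x05, 0xeb, 0x0c,      /* holds "0f 05" (syscall) at offset 2  */
    0xf4, 0xf4, 0xf4, 0xf4
};
static const char *REG64[8] = {"rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"};

/* Length of the instruction at p, or 0 if the toy decoder does not know it. */
size_t insn_len(const uint8_t *p, size_t avail)
{
    if (avail >= 10 && p[0] == 0x48 && p[1] == 0xb8) return 10;               /* movabs imm64, %rax */
    if (avail >= 3 && p[0] == 0x83 && p[1] == 0xe0) return 3;                 /* andl imm8, %eax */
    if (avail >= 3 && p[0] == 0x4c && p[1] == 0x01 && p[2] == 0xf8) return 3; /* addq %r15, %rax */
    if (avail >= 2 && p[0] == 0xff && (p[1] & 0xf8) == 0xe0) return 2;        /* jmp *%reg */
    if (avail >= 2 && p[0] == 0x0f && p[1] == 0x05) return 2;                 /* syscall */
    if (avail >= 2 && p[0] == 0xeb) return 2;                                 /* jmp rel8 */
    if (avail >= 1 && p[0] == 0xf4) return 1;                                 /* hlt */
    return 0;
}

/* Register index an indirect jmp (ff e0..e7) targets, or -1 if not a jmp. */
int indirect_jmp_reg(const uint8_t *p)
{
    return (p[0] == 0xff && (p[1] & 0xf8) == 0xe0) ? (p[1] & 7) : -1;
}

/* Walk from `start` on instruction boundaries; true if a syscall is met.
 * Starting at 0 is the validator's view; starting at 2 is the flipped jmp's. */
bool syscall_reachable_from(const uint8_t *code, size_t n, size_t start)
{
    for (size_t off = start; off < n; ) {
        size_t len = insn_len(code + off, n - off);
        if (len == 0) return false;
        if (len == 2 && code[off] == 0x0f && code[off + 1] == 0x05) return true;
        off += len;
    }
    return false;
}

/* Toy validator rule: the mask/add bytes are exact, and the jmp targets the
 * register they sanitised (%rax, index 0). */
bool validator_accepts_jmp(const uint8_t *seq)
{
    return memcmp(seq, SAFE_JMP, 6) == 0 && indirect_jmp_reg(seq + 6) == 0;
}

/* FNV-1a over a validated region: a fingerprint a defender can re-check
 * before running the code instead of trusting validation forever. */
uint32_t code_fingerprint(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Copy of the sanctioned sequence with one bit flipped (models a flip that
 * landed in already-validated code; the flip itself is just an XOR here). */
static void flipped_copy(uint8_t out[8], size_t byte, int bit)
{
    memcpy(out, SAFE_JMP, 8);
    out[byte] ^= (uint8_t)(1u << bit);
}

int  reg_after_flip(size_t byte, int bit)   { uint8_t c[8]; flipped_copy(c, byte, bit); return indirect_jmp_reg(c + 6); }
bool valid_after_flip(size_t byte, int bit) { uint8_t c[8]; flipped_copy(c, byte, bit); return validator_accepts_jmp(c); }
bool fingerprint_holds_after_flip(size_t byte, int bit)
{
    uint8_t c[8]; flipped_copy(c, byte, bit);
    return code_fingerprint(c, 8) == code_fingerprint(SAFE_JMP, 8);
}

int main(void)
{
    int r = reg_after_flip(7, 0);                        /* ff e0 -> ff e1 */
    printf("bit 0 of the ModRM byte flipped: jmp *%%%s; re-validation %s; fingerprint %s\n",
           r >= 0 ? REG64[r] : "?", valid_after_flip(7, 0) ? "passes" : "fails",
           fingerprint_holds_after_flip(7, 0) ? "holds" : "differs");
    printf("syscall on a boundary from offset 0: %d, from offset 2: %d\n",
           syscall_reachable_from(HIDDEN, 10, 0), syscall_reachable_from(HIDDEN, 10, 2));
    return 0;
}
```

Flipping bit 0 of the jmp's ModRM byte turns jmp *%rax into jmp *%rcx, exactly the %rax → %rcx flip on the slides, and the toy validator rejects the result the moment it is asked again; the fingerprint changes as well. Scanning the movabs bytes from offset 0 finds no syscall, scanning from offset 2 does, which is why a validator that only inspects instruction boundaries cannot see the hidden instruction.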
  69-70. Exploitation Example
     • Break a Sandbox
       – The NaCl sandbox only allows a subset of x86 instructions
       – Break the NaCl sandbox to make system calls
     • Gain Kernel Privileges
       – Gain access to all physical memory from a normal x86-64 process in Linux
  71-76. Hammering the Page Table
     [Figure: virtual address space mapped onto physical memory]
     • Create lots of mappings to the same memory space
       – Use the mmap function
     • Start hammering the memory
     • If lucky…
     • Now you can write the page table → you have access to any physical memory
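The mapping spray and the single flipped page-table entry from slides 71 through 76, as an added model (not the slides' or the cited paper's code) that runs entirely on constructed data: it builds many mappings of one physical frame the way repeated mmap calls would, flips one bit of one entry, and shows what an audit of the page tables sees. PTE bit positions follow the x86-64 4 KiB entry layout; the frame numbers, the virtual base and the location of the page-table frames are made up for the example. The audit is the defender's check: an entry whose frame the process does not own is exactly what a flip in the frame-number bits produces, while a flip in a flag bit changes permissions without moving the mapping.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example; not code from the slides or the cited work. Models the
 * page-table half of the attack on data structures only: many mappings of
 * one physical page, one bit flipped in one entry, and the audit a defender
 * (OS or hypervisor) could run. Bit positions follow the x86-64 4 KiB
 * page-table-entry layout; all frame numbers are made up. */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_RW       (1ULL << 1)
#define PTE_USER     (1ULL << 2)
#define PTE_PFN_MASK 0x000ffffffffff000ULL     /* bits 12..51: physical frame number */
#define PAGE_SHIFT   12

struct mapping { uint64_t vaddr, pte; };

uint64_t pte_make(uint64_t pfn, uint64_t flags) { return ((pfn << PAGE_SHIFT) & PTE_PFN_MASK) | flags; }
uint64_t pte_pfn(uint64_t pte)                  { return (pte & PTE_PFN_MASK) >> PAGE_SHIFT; }
uint64_t pte_flip(uint64_t pte, int bit)        { return pte ^ (1ULL << bit); }

/* Frames a flip of `bit` moves the mapping by; 0 for flag or unused bits. */
uint64_t pfn_delta_frames(int bit)
{
    return (bit >= PAGE_SHIFT && bit < 52) ? (1ULL << (bit - PAGE_SHIFT)) : 0;
}

/* "mmap the same file many times": n consecutive virtual pages, all mapped
 * read/write to the single physical frame `frame`. */
void build_spray(struct mapping *m, size_t n, uint64_t vbase, uint64_t frame)
{
    for (size_t i = 0; i < n; i++) {
        m[i].vaddr = vbase + (i << PAGE_SHIFT);
        m[i].pte = pte_make(frame, PTE_PRESENT | PTE_RW | PTE_USER);
    }
}

static bool frame_in(uint64_t pfn, const uint64_t *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == pfn) return true;
    return false;
}

/* Audit: every present user mapping must point at a frame the process owns.
 * Returns the index of the first entry that does not, or -1. */
long audit_mappings(const struct mapping *m, size_t n, const uint64_t *owned, size_t nowned)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t pte = m[i].pte;
        if ((pte & PTE_PRESENT) && (pte & PTE_USER) && !frame_in(pte_pfn(pte), owned, nowned))
            return (long)i;
    }
    return -1;
}

/* Does a mapping now point at a frame that holds page tables? That is the
 * "if lucky" case on the slides: the process could then rewrite a PTE. */
bool points_at_page_table(uint64_t pte, const uint64_t *pt_frames, size_t n)
{
    return (pte & PTE_PRESENT) && frame_in(pte_pfn(pte), pt_frames, n);
}

/* Constructed scenario: 64 mappings of frame 0x1200, the only frame the
 * process owns; page tables live in frames 0x1300 and 0x1400. */
#define N_MAPS 64
static struct mapping maps[N_MAPS];
static const uint64_t owned[]     = {0x1200};
static const uint64_t pt_frames[] = {0x1300, 0x1400};

/* Flip `bit` of mapping `idx` after the spray; return what the audit reports. */
long run_scenario(size_t idx, int bit)
{
    build_spray(maps, N_MAPS, 0x7f0000000000ULL, 0x1200);
    maps[idx].pte = pte_flip(maps[idx].pte, bit);
    return audit_mappings(maps, N_MAPS, owned, 1);
}

int main(void)
{
    long hit = run_scenario(17, 20);   /* PTE bit 20 = frame bit 8: 0x1200 -> 0x1300 */
    printf("flip bit 20 in entry 17: audit flags entry %ld, frame 0x%llx, page table? %d\n",
           hit, (unsigned long long)pte_pfn(maps[17].pte),
           points_at_page_table(maps[17].pte, pt_frames, 2));
    printf("flip bit 1 (RW) in entry 5: audit flags entry %ld (frame unchanged)\n",
           run_scenario(5, 1));
    printf("flip bit 22 in entry 9: audit flags entry %ld, page table? %d\n",
           run_scenario(9, 22), points_at_page_table(maps[9].pte, pt_frames, 2));
    return 0;
}
```

A flip in PTE bit 20 moves the mapping by 256 frames, here from the owned frame 0x1200 onto the constructed page-table frame 0x1300, and the audit reports that entry immediately; a flip in bit 22 lands on a frame nobody in this scenario uses, so it is still caught but is not the "lucky" case; a flip in the RW flag leaves the frame number untouched and passes this particular audit, which is why a real integrity check also compares permission bits against what the kernel granted.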