Throwhammer: Rowhammer Attacks over the Network and Defenses

Increasingly sophisticated Rowhammer exploits allow an attacker that can execute code on a vulnerable system to escalate privileges and compromise browsers, clouds, and mobile systems. In all these attacks, the common assumption is that attackers first need to obtain code execution on the victim machine to be able to exploit Rowhammer either by having (unprivileged) code execution on the victim machine or by luring the victim to a website that employs a malicious JavaScript application. In this paper, we revisit this assumption and show that an attacker can trigger and exploit Rowhammer bit flips directly from a remote machine by only sending network packets. This is made possible by increasingly fast, RDMA-enabled networks, which are in wide use in clouds and data centers. To demonstrate the new threat, we show how a malicious client can exploit Rowhammer bit flips to gain code execution on a remote key-value server application. To counter this threat, we propose protecting unmodified applications with a new buffer allocator that is capable of fine-grained memory isolation in the DRAM address space. Using two real-world applications, we show that this defense is practical, self-contained, and can efficiently stop remote Rowhammer attacks by surgically isolating memory buffers that are exposed to untrusted network input.

[1]  Reetuparna Das,et al.  ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks , 2016, ASPLOS.

[2]  Chris Fallin,et al.  Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[3]  Yanick Fratantonio,et al.  Drammer: Deterministic Rowhammer Attacks on Mobile Platforms , 2016, CCS.

[4]  Amin Vahdat,et al.  TIMELY: RTT-based Congestion Control for the Datacenter , 2015, Comput. Commun. Rev..

[5]  Nikolas Ioannou,et al.  From random block corruption to privilege escalation: A filesystem attack vector for rowhammer-like attacks , 2017, WOOT.

[6]  No License,et al.  Intel ® 64 and IA-32 Architectures Software Developer ’ s Manual Volume 3 A : System Programming Guide , Part 1 , 2006 .

[7]  Debdeep Mukhopadhyay,et al.  Curious Case of Rowhammer: Flipping Secret Exponent Bits Using Timing Analysis , 2016, CHES.

[8]  Christoforos E. Kozyrakis,et al.  IX: A Protected Dataplane Operating System for High Throughput and Low Latency , 2014, OSDI.

[9]  Eunyoung Jeong,et al.  mTCP: a Highly Scalable User-level TCP Stack for Multicore Systems , 2014, NSDI.

[10]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.

[11]  Yuval Yarom,et al.  Another Flip in the Wall of Rowhammer Defenses , 2017, 2018 IEEE Symposium on Security and Privacy (SP).

[12]  Angelos D. Keromytis,et al.  The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications , 2015, CCS.

[13]  ZhuYibo,et al.  Congestion Control for Large-Scale RDMA Deployments , 2015 .

[14]  M. Lanteigne A Tale of Two Hammers A Brief Rowhammer , 2016 .

[15]  Timothy Roscoe,et al.  Arrakis , 2014, OSDI.