Still Hammerable and Exploitable: on the Effectiveness of Software-only Physical Kernel Isolation

All state-of-the-art rowhammer attacks break MMU-enforced inter-domain isolation by exploiting the fact that physical memory owned by different domains is adjacent. To mitigate such attacks, CATT, the first generic and practical technique, separates each domain physically: it divides physical memory into multiple partitions and keeps each partition occupied by only one domain, an invariant it calls single ownership. Hence, all existing rowhammer attacks are effectively defeated. In this paper, we develop a novel practical exploit that defeats CATT and gains both root and kernel privileges, without exhausting the page cache or system memory and without relying on any virtual-to-physical mapping information. Specifically, our key observation is that modern OSes contain double-ownership kernel buffers (e.g., video buffers) owned concurrently by the kernel and user domains, which invalidates the single-ownership invariant enforced by CATT and makes rowhammer-based attacks possible again. In contrast to existing conspicuous rowhammer exploits that exhaust the page cache or even the whole system memory, we propose a new attack technique, named memory ambush, which places the hammerable kernel buffers physically adjacent to the target objects (e.g., page tables) using only a small amount of memory, making our exploit stealthier and leaving fewer memory fingerprints. We also replace the inefficient rowhammer algorithm that blindly picks addresses for hammering with an efficient one that probes suitable addresses using a side channel. We implement our exploit on the Linux kernel 4.10.0-generic. Our experimental results indicate that our exploit gains root and kernel privileges within roughly 1 to 36 minutes. The occupied memory can be reduced to 128MB.
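To make the single-ownership invariant and its failure mode concrete, here is an added toy model (written for this page, not code from the paper or from CATT). It models physical frames split into a kernel partition and a user partition, a per-frame owner set, an audit that flags frames with more than one owner, and a check for user-reachable frames sitting next to kernel-only page-table frames. The frame layout, the `share_with_user` operation standing in for a kernel buffer being mapped into a process, and the use of pfn +/- 1 as a stand-in for DRAM row adjacency are all constructed simplifications.

```python
"""Toy model of CATT's single-ownership invariant and how a double-owned
kernel buffer undermines it. Constructed illustration, not the paper's code."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

KERNEL = "kernel"
USER = "user"


@dataclass
class Frame:
    pfn: int                                   # physical frame number
    owners: Set[str] = field(default_factory=set)
    label: str = ""                            # constructed tag for the contents


class PhysicalMemory:
    """Frames [0, split) form the kernel partition, [split, nframes) the user
    partition. CATT's rule: each frame has at most one owning domain, and a
    domain only ever receives frames from its own partition."""

    def __init__(self, nframes: int, split: int) -> None:
        self.frames = [Frame(pfn) for pfn in range(nframes)]
        self.split = split

    def partition_of(self, pfn: int) -> str:
        return KERNEL if pfn < self.split else USER

    def allocate(self, domain: str, label: str) -> int:
        """Hand the first free frame of `domain`'s own partition to `domain`."""
        for f in self.frames:
            if not f.owners and self.partition_of(f.pfn) == domain:
                f.owners.add(domain)
                f.label = label
                return f.pfn
        raise MemoryError(f"partition {domain} exhausted")

    def share_with_user(self, pfn: int) -> None:
        """Model a kernel buffer (e.g. a video buffer) being mapped into a user
        process: the frame stays in the kernel partition but gains a second
        owner. This is the double-ownership case the abstract describes."""
        self.frames[pfn].owners.add(USER)


def single_ownership_violations(mem: PhysicalMemory) -> List[int]:
    """Audit: frames owned by more than one domain."""
    return [f.pfn for f in mem.frames if len(f.owners) > 1]


def hammerable_neighbors(mem: PhysicalMemory, target_label: str) -> List[Tuple[int, int]]:
    """Pairs (user_reachable_pfn, target_pfn) where a frame the user domain can
    touch is adjacent to a kernel-only frame labelled `target_label`.
    Adjacency is modelled as pfn +/- 1 (constructed stand-in for row adjacency)."""
    pairs = []
    for f in mem.frames:
        if USER not in f.owners:
            continue
        for npfn in (f.pfn - 1, f.pfn + 1):
            if 0 <= npfn < len(mem.frames):
                n = mem.frames[npfn]
                if n.owners == {KERNEL} and n.label == target_label:
                    pairs.append((f.pfn, npfn))
    return pairs


def build_scenario() -> PhysicalMemory:
    """Constructed layout: 8 frames, kernel partition is frames 0-3."""
    mem = PhysicalMemory(nframes=8, split=4)
    mem.allocate(KERNEL, "pgtable")   # pfn 0: a page table
    mem.allocate(KERNEL, "video")     # pfn 1: a kernel buffer, later shared
    mem.allocate(USER, "heap")        # pfn 4: ordinary user memory
    return mem


if __name__ == "__main__":
    mem = build_scenario()
    print("before sharing:", single_ownership_violations(mem),
          hammerable_neighbors(mem, "pgtable"))
    mem.share_with_user(1)
    print("after sharing: ", single_ownership_violations(mem),
          hammerable_neighbors(mem, "pgtable"))
```

With the partitions intact, both checks return empty lists: no frame has two owners and no user-reachable frame neighbours a page table. Once frame 1 is shared, the ownership audit reports it, and the adjacency check reports the (1, 0) pair, which is exactly the condition the abstract says memory ambush relies on. The defensive takeaway is that an ownership audit at the partition level is not enough; it has to follow every mapping that hands a kernel frame to a user process.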
