DOI: 10.1145/2976749.2978406
research-article

Drammer: Deterministic Rowhammer Attacks on Mobile Platforms

Published: 24 October 2016

    Abstract

    Recent work shows that the Rowhammer hardware bug can be used to craft powerful attacks and completely subvert a system. However, existing efforts either describe probabilistic (and thus unreliable) attacks or rely on special (and often unavailable) memory management features to place victim objects in vulnerable physical memory locations. Moreover, prior work only targets x86 and researchers have openly wondered whether Rowhammer attacks on other architectures, such as ARM, are even possible. We show that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses. Rather than assuming special memory management features, our attack, DRAMMER, solely relies on the predictable memory reuse patterns of standard physical memory allocators. We implement DRAMMER on Android/ARM, demonstrating the practicability of our attack, but also discuss a generalization of our approach to other Linux-based platforms. Furthermore, we show that traditional x86-based Rowhammer exploitation techniques no longer work on mobile platforms and address the resulting challenges towards practical mobile Rowhammer attacks.
    To support our claims, we present the first Rowhammer-based Android root exploit relying on no software vulnerability, and requiring no user permissions. In addition, we present an analysis of several popular smartphones and find that many of them are susceptible to our DRAMMER attack. We conclude by discussing potential mitigation strategies and urging our community to address the concrete threat of faulty DRAM chips in widespread commodity platforms.

      Published In

      CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
      October 2016
      1924 pages
      ISBN:9781450341394
      DOI:10.1145/2976749

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. hardware bugs
      2. mobile device security
      3. privilege escalation
      4. rowhammer
      5. system security

      Qualifiers

      • Research-article

      Conference

      CCS'16

      Acceptance Rates

      CCS '16 Paper Acceptance Rate 137 of 831 submissions, 16%;
      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

      Bibliometrics & Citations

      Article Metrics

      • Downloads (Last 12 months): 277
      • Downloads (Last 6 weeks): 18
      Reflects downloads up to 09 Aug 2024

      Cited By

      • (2024) Mayhem: Targeted Corruption of Register and Stack Variables. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp. 467-482. DOI: 10.1145/3634737.3637638. Online publication date: 1-Jul-2024
      • (2024) Rubix: Reducing the Overhead of Secure Rowhammer Mitigations via Randomized Line-to-Row Mapping. Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2, pp. 1014-1028. DOI: 10.1145/3620665.3640404. Online publication date: 27-Apr-2024
      • (2024) Highly Evasive Targeted Bit-Trojan on Deep Neural Networks. IEEE Transactions on Computers 73:9, pp. 2350-2363. DOI: 10.1109/TC.2024.3416705. Online publication date: Sep-2024
      • (2024) PrIDE: Achieving Secure Rowhammer Mitigation with Low-Cost In-DRAM Trackers. 2024 ACM/IEEE 51st Annual International Symposium on Computer Architecture (ISCA), pp. 1157-1172. DOI: 10.1109/ISCA59077.2024.00087. Online publication date: 29-Jun-2024
      • (2024) DRAMScope: Uncovering DRAM Microarchitecture and Characteristics by Issuing Memory Commands. 2024 ACM/IEEE 51st Annual International Symposium on Computer Architecture (ISCA), pp. 1097-1111. DOI: 10.1109/ISCA59077.2024.00083. Online publication date: 29-Jun-2024
      • (2024) START: Scalable Tracking for any Rowhammer Threshold. 2024 IEEE International Symposium on High-Performance Computer Architecture (HPCA), pp. 578-592. DOI: 10.1109/HPCA57654.2024.00049. Online publication date: 2-Mar-2024
      • (2024) Spatial Variation-Aware Read Disturbance Defenses: Experimental Analysis of Real DRAM Chips and Implications on Future Solutions. 2024 IEEE International Symposium on High-Performance Computer Architecture (HPCA), pp. 560-577. DOI: 10.1109/HPCA57654.2024.00048. Online publication date: 2-Mar-2024
      • (2024) SpyHammer: Understanding and Exploiting RowHammer Under Fine-Grained Temperature Variations. IEEE Access 12, pp. 80986-81003. DOI: 10.1109/ACCESS.2024.3409389. Online publication date: 2024
      • (2024) Presshammer: Rowhammer and Rowpress Without Physical Address Information. Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 460-479. DOI: 10.1007/978-3-031-64171-8_24. Online publication date: 9-Jul-2024
      • (2024) A Rowhammer Reproduction Study Using the Blacksmith Fuzzer. Computer Security – ESORICS 2023, pp. 62-79. DOI: 10.1007/978-3-031-51479-1_4. Online publication date: 12-Jan-2024
