Description

Rowhammer is a severe security problem in DRAM, allowing an unprivileged adversary to gain kernel privileges by inducing electrical disturbance errors. Today, mitigations against Rowhammer, most notably Targeted Row Refresh (TRR), are widely adopted and even part of recent DRAM standards.
In this talk, we first show that TRR is insufficient by design and counterintuitively assists an attacker in the context of our new Rowhammer type: Half-Double. Unlike all previous Rowhammer attacks, Half-Double hammers from a distance of two. Here, the mitigative refreshes performed by TRR amplify the hammering, breaking the spatial assumptions of state-of-the-art mitigations. We demonstrate the impact of Half-Double in an end-to-end exploit that allows an unprivileged adversary to escalate to root privileges on an off-the-shelf Chrome OS device protected by TRR and ECC. We detail the different phases of the exploit, including our novel techniques combining knowledge of the operating system internals, speculative execution, timing side channels, and blind hammering.
After a decade-long Rowhammer-related cat-and-mouse game between defenses and attacks, we propose a fundamental change, rethinking how to protect memory in a principled way. Therefore, in the second part of the talk, we present a novel approach to DRAM integrity: CSI:Rowhammer. Unlike all previous Rowhammer defenses, CSI:Rowhammer makes no general assumption about the Rowhammer effect, including its temporal and spatial properties. CSI:Rowhammer combines a cryptographic MAC to ensure data integrity with hardware and software correction routines. This hardware-software co-design detects any memory corruption with cryptographic guarantees. Furthermore, with operating system and hypervisor integration, we achieve groundbreaking correction capabilities and unprecedented error handling flexibility, e.g., allowing the system to transparently correct memory errors up to the extreme case, where an unbounded number of bitflips can be restored.
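To make the detect-then-correct idea concrete, here is a small added Python model of MAC-based memory integrity. It is an illustration written for this page, not the CSI:Rowhammer design or code from the authors. All parameters are assumptions: 64-byte blocks tagged with HMAC-SHA256 truncated to 8 bytes under a secret key, the block address bound into the tag, a correction routine that exhaustively tries single- and double-bit flips until the tag re-validates, and a fallback to a clean copy standing in for an operating system or hypervisor restoring a page from its backing store when the flip count exceeds the search budget.

```python
"""Toy model of MAC-protected memory blocks with bit-flip correction.

Added illustration, not the CSI:Rowhammer design. Assumptions (mine, not from
the talk): a 64-byte block carries a truncated HMAC-SHA256 tag bound to its
address; correction first searches all 1- and 2-bit flips for one that makes
the tag verify again, then falls back to a clean copy (standing in for an
OS/hypervisor restoring a file-backed page), otherwise reports the block as
uncorrectable so the system can fail safely instead of using corrupt data.
"""
import hashlib
import hmac
import itertools
import secrets

BLOCK_SIZE = 64       # bytes per integrity-protected block (assumption)
TAG_SIZE = 8          # truncated MAC length in bytes (assumption)
MAX_SEARCH_FLIPS = 2  # brute-force correction budget in bit flips (assumption)


def compute_tag(key: bytes, addr: int, data: bytes) -> bytes:
    """MAC over (address || data): binding the address stops block swapping."""
    msg = addr.to_bytes(8, "little") + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_SIZE]


def verify(key: bytes, addr: int, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the stored tag against a fresh MAC."""
    return hmac.compare_digest(compute_tag(key, addr, data), tag)


def flip_bits(data: bytes, positions) -> bytes:
    """Return a copy of data with the given bit positions inverted."""
    buf = bytearray(data)
    for p in positions:
        buf[p // 8] ^= 1 << (p % 8)
    return bytes(buf)


def correct(key: bytes, addr: int, data: bytes, tag: bytes, clean_copy=None):
    """Detect and repair a corrupted block.

    Returns (data, method) where method is one of 'intact',
    'corrected-<k>-bit', 'restored-from-clean-copy' or 'uncorrectable'
    (data is None in the last case).
    """
    if verify(key, addr, data, tag):
        return data, "intact"
    nbits = len(data) * 8
    # Hardware-style correction: search flips in increasing weight. A false
    # match needs a 64-bit tag collision, so the first hit is the repair.
    for k in range(1, MAX_SEARCH_FLIPS + 1):
        for positions in itertools.combinations(range(nbits), k):
            candidate = flip_bits(data, positions)
            if verify(key, addr, candidate, tag):
                return candidate, f"corrected-{k}-bit"
    # Software-style correction: re-fetch a clean copy and re-check it, so
    # an unbounded number of flips is recoverable when a source exists.
    if clean_copy is not None and verify(key, addr, clean_copy, tag):
        return clean_copy, "restored-from-clean-copy"
    return None, "uncorrectable"


def demo() -> dict:
    """Run one block through each outcome; returns the method per scenario."""
    key = secrets.token_bytes(32)            # constructed secret MAC key
    addr = 0x1000                            # constructed block address
    data = bytes(range(BLOCK_SIZE))          # constructed block content
    tag = compute_tag(key, addr, data)
    results = {}
    results["intact"] = correct(key, addr, data, tag)[1]
    results["one_flip"] = correct(key, addr, flip_bits(data, [5]), tag)[1]
    results["two_flips"] = correct(key, addr, flip_bits(data, [5, 300]), tag)[1]
    many = flip_bits(data, [1, 2, 3])        # beyond the search budget
    results["three_flips_with_copy"] = correct(key, addr, many, tag, data)[1]
    results["three_flips_no_copy"] = correct(key, addr, many, tag)[1]
    return results


if __name__ == "__main__":
    for scenario, method in demo().items():
        print(f"{scenario:24s} -> {method}")
```

The double-bit search covers all C(512, 2) = 130,816 candidates with one HMAC each, which takes well under a second in Python; a real implementation would do this in hardware and stop at a much smaller flip budget before handing over to software.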
Period: 7 Dec 2022
Event title: Black Hat Europe 2022
Location: London, United Kingdom
Degree of Recognition: International