Open Access

Memway: In-Memory Waylaying Acceleration for Practical Rowhammer Attacks Against Binaries

Lai Xu, Rongwei Yu, Lina Wang, Weijie Liu
Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China.

Abstract

The Rowhammer bug is a novel micro-architectural security threat, enabling powerful privilege-escalation attacks on various mainstream platforms. It works by actively flipping bits in Dynamic Random Access Memory (DRAM) cells with unprivileged instructions. In order to set up Rowhammer against binaries in the Linux page cache, the Waylaying algorithm has previously been proposed. The Waylaying method stealthily relocates binaries onto exploitable physical addresses without exhausting system memory. However, the proof-of-concept Waylaying algorithm can be easily detected during page cache eviction because of its high disk I/O overhead and long running time. This paper proposes the more advanced Memway algorithm, which improves on Waylaying in terms of both I/O overhead and speed. Running time and disk I/O overhead are reduced by 90% by utilizing Linux tmpfs and in-memory swapping to manage eviction files. Furthermore, by combining Memway with the unprivileged posix_fadvise API, the binary relocation step is made 100 times faster. Equipped with our Memway+fadvise relocation scheme, we demonstrate practical Rowhammer attacks that take only 15-200 minutes to covertly relocate a victim binary, and less than 3 seconds to flip the target instruction bit.

Tsinghua Science and Technology
Pages 535-545
Cite this article:
Xu L, Yu R, Wang L, et al. Memway: In-Memory Waylaying Acceleration for Practical Rowhammer Attacks Against Binaries. Tsinghua Science and Technology, 2019, 24(5): 535-545. https://doi.org/10.26599/TST.2018.9010134
Received: 10 October 2018
Accepted: 10 November 2018
Published: 29 April 2019
© The author(s) 2019