隐式锤子：通过隐式访问跨越特权边界的Rowhammer

IF 7 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

IEEE Transactions on Dependable and Secure Computing Pub Date : 2023-09-01 DOI:10.1109/TDSC.2022.3214666

Zhi-Li Zhang, Wei He, Yueqiang Cheng, Wenhao Wang, Yansong Gao, Dongxi Liu, Kang Li, Surya Nepal, Anmin Fu, Yuexian Zou

{"title":"隐式锤子：通过隐式访问跨越特权边界的Rowhammer","authors":"Zhi-Li Zhang, Wei He, Yueqiang Cheng, Wenhao Wang, Yansong Gao, Dongxi Liu, Kang Li, Surya Nepal, Anmin Fu, Yuexian Zou","doi":"10.1109/TDSC.2022.3214666","DOIUrl":null,"url":null,"abstract":"Rowhammer is a hardware vulnerability in DRAM memory, where repeated access to hammer rows can induce bit flips in neighboring victim rows. Rowhammer attacks have enabled privilege escalation, sandbox escape, cryptographic key disclosures, etc. A key requirement of all existing rowhammer attacks is that an attacker must have access to at least part of an exploitable hammer row. We term such rowhammer attacks as Explicit Hammer. Recently, several proposals leverage the spatial proximity between the accessed hammer rows and the location of the victim rows for a defense against rowhammer. These all aim to deny the attacker's permission to access hammer rows near sensitive data, thus defeating explicit hammer-based attacks. In this paper, we question the core assumption underlying these defenses. We present Implicit Hammer, a confused-deputy attack that causes accesses to hammer rows that the attacker is not allowed to access. It is a paradigm shift in rowhammer attacks since it crosses privilege boundary to stealthily rowhammer an inaccessible row by implicit DRAM accesses. Such accesses are achieved by abusing inherent features of modern hardware and/or software. We propose a generic model to rigorously formalize the necessary conditions to initiate implicit hammer and explicit hammer, respectively. Compared to explicit hammer, implicit hammer can defeat the advanced software-only defenses, stealthy in hiding itself and hard to be mitigated. To demonstrate the practicality of implicit hammer, we have created two implicit hammer's instances, called PThammer and SyscallHammer.","PeriodicalId":13047,"journal":{"name":"IEEE Transactions on Dependable and Secure Computing","volume":"20 1","pages":"3716-3733"},"PeriodicalIF":7.0000,"publicationDate":"2023-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":"{\"title\":\"Implicit Hammer: Cross-Privilege-Boundary Rowhammer Through Implicit Accesses\",\"authors\":\"Zhi-Li Zhang, Wei He, Yueqiang Cheng, Wenhao Wang, Yansong Gao, Dongxi Liu, Kang Li, Surya Nepal, Anmin Fu, Yuexian Zou\",\"doi\":\"10.1109/TDSC.2022.3214666\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Rowhammer is a hardware vulnerability in DRAM memory, where repeated access to hammer rows can induce bit flips in neighboring victim rows. Rowhammer attacks have enabled privilege escalation, sandbox escape, cryptographic key disclosures, etc. A key requirement of all existing rowhammer attacks is that an attacker must have access to at least part of an exploitable hammer row. We term such rowhammer attacks as Explicit Hammer. Recently, several proposals leverage the spatial proximity between the accessed hammer rows and the location of the victim rows for a defense against rowhammer. These all aim to deny the attacker's permission to access hammer rows near sensitive data, thus defeating explicit hammer-based attacks. In this paper, we question the core assumption underlying these defenses. We present Implicit Hammer, a confused-deputy attack that causes accesses to hammer rows that the attacker is not allowed to access. It is a paradigm shift in rowhammer attacks since it crosses privilege boundary to stealthily rowhammer an inaccessible row by implicit DRAM accesses. Such accesses are achieved by abusing inherent features of modern hardware and/or software. We propose a generic model to rigorously formalize the necessary conditions to initiate implicit hammer and explicit hammer, respectively. Compared to explicit hammer, implicit hammer can defeat the advanced software-only defenses, stealthy in hiding itself and hard to be mitigated. To demonstrate the practicality of implicit hammer, we have created two implicit hammer's instances, called PThammer and SyscallHammer.\",\"PeriodicalId\":13047,\"journal\":{\"name\":\"IEEE Transactions on Dependable and Secure Computing\",\"volume\":\"20 1\",\"pages\":\"3716-3733\"},\"PeriodicalIF\":7.0000,\"publicationDate\":\"2023-09-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"7\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IEEE Transactions on Dependable and Secure Computing\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://doi.org/10.1109/TDSC.2022.3214666\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Dependable and Secure Computing","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1109/TDSC.2022.3214666","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 7

摘要

Rowhammer是DRAM内存中的一个硬件漏洞，重复访问hammer行会导致相邻受害者行中的位翻转。Rowhammer攻击启用了权限提升、沙箱转义、加密密钥披露等。所有现有Rowhammer袭击的一个关键要求是，攻击者必须至少能够访问可利用的hammer行的一部分。我们将这种赛艇锤攻击称为显性锤。最近，一些提案利用进入的锤子排和受害者排的位置之间的空间接近性来防御赛艇锤。这些都旨在拒绝攻击者访问敏感数据附近的hammer行的权限，从而击败基于显式hammer的攻击。在本文中，我们对这些防御的核心假设提出了质疑。我们提出了隐式Hammer，这是一种混乱的副攻击，它会导致攻击者访问不允许访问的Hammer行。这是rowhammer攻击的一个范式转变，因为它跨越特权边界，通过隐式DRAM访问悄悄地rowhammer一个不可访问的行。这种访问是通过滥用现代硬件和/或软件的固有特征来实现的。我们提出了一个通用模型来严格形式化分别启动隐式锤和显式锤的必要条件。与显式锤子相比，隐式锤子可以击败先进的纯软件防御，隐蔽性强，难以缓解。为了证明隐锤的实用性，我们创建了两个隐锤实例，分别称为PThammer和SyscallHammer。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Implicit Hammer: Cross-Privilege-Boundary Rowhammer Through Implicit Accesses

Rowhammer is a hardware vulnerability in DRAM memory, where repeated access to hammer rows can induce bit flips in neighboring victim rows. Rowhammer attacks have enabled privilege escalation, sandbox escape, cryptographic key disclosures, etc. A key requirement of all existing rowhammer attacks is that an attacker must have access to at least part of an exploitable hammer row. We term such rowhammer attacks as Explicit Hammer. Recently, several proposals leverage the spatial proximity between the accessed hammer rows and the location of the victim rows for a defense against rowhammer. These all aim to deny the attacker's permission to access hammer rows near sensitive data, thus defeating explicit hammer-based attacks. In this paper, we question the core assumption underlying these defenses. We present Implicit Hammer, a confused-deputy attack that causes accesses to hammer rows that the attacker is not allowed to access. It is a paradigm shift in rowhammer attacks since it crosses privilege boundary to stealthily rowhammer an inaccessible row by implicit DRAM accesses. Such accesses are achieved by abusing inherent features of modern hardware and/or software. We propose a generic model to rigorously formalize the necessary conditions to initiate implicit hammer and explicit hammer, respectively. Compared to explicit hammer, implicit hammer can defeat the advanced software-only defenses, stealthy in hiding itself and hard to be mitigated. To demonstrate the practicality of implicit hammer, we have created two implicit hammer's instances, called PThammer and SyscallHammer.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

IEEE Transactions on Dependable and Secure Computing 工程技术-计算机：软件工程

CiteScore

11.20

自引率

5.50%

发文量

354

审稿时长

9 months

期刊介绍： The "IEEE Transactions on Dependable and Secure Computing (TDSC)" is a prestigious journal that publishes high-quality, peer-reviewed research in the field of computer science, specifically targeting the development of dependable and secure computing systems and networks. This journal is dedicated to exploring the fundamental principles, methodologies, and mechanisms that enable the design, modeling, and evaluation of systems that meet the required levels of reliability, security, and performance. The scope of TDSC includes research on measurement, modeling, and simulation techniques that contribute to the understanding and improvement of system performance under various constraints. It also covers the foundations necessary for the joint evaluation, verification, and design of systems that balance performance, security, and dependability. By publishing archival research results, TDSC aims to provide a valuable resource for researchers, engineers, and practitioners working in the areas of cybersecurity, fault tolerance, and system reliability. The journal's focus on cutting-edge research ensures that it remains at the forefront of advancements in the field, promoting the development of technologies that are critical for the functioning of modern, complex systems.