Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges

Black Hat via YouTube

Overview

Explore the DRAM Rowhammer bug and its security implications in this Black Hat conference talk. Delve into the physics-level hardware problem that can be exploited to gain kernel privileges. Learn about the "Rowhammer" issue in DRAM, where repeated memory access can cause bit flips in adjacent rows. Discover how this reliability concern has been transformed into a practical security vulnerability. Examine two exploits that leverage bit flips, including an in-browser attack through NaCl and a method to escalate to kernel privileges. Understand the technical details of row hammering, including cache bypassing and double-sided hammering techniques. Explore mitigation strategies such as ECC memory, Target Row Refresh, and increased refresh rates. Gain insights into the broader implications of hardware-level vulnerabilities for system security.

Syllabus

Bit flips!
The rowhammer DRAM bug
Overview of talk
About the speakers
Exploiting random bit flips
Types of memory error
DRAM row buffer
DRAM refresh
"Hammering" can cause bit flips
Bad cells
Step 1: Bypass the cache
Double-sided hammering
Flippy the Laptop
Intro to Native Client (NaCl)
Escaping an in-process sandbox
Bit flips make safe code unsafe
Using physical memory access
Page reuse
Mitigations
Mitigation: ECC memory
"Ideal" fix: Target Row Refresh, TRR
Mitigation: 2x refresh rate
Conclusions
For more information

Taught by

Black Hat
