Explore the technical journey behind Drammer, the first Android root exploit leveraging the Rowhammer hardware vulnerability, in this 57-minute conference talk from Hack In The Box Security Conference. Delve into the challenges faced during development, including attempts to flip bits on Android/ARM devices and the near-miss of writing a negative results paper. Learn about the Flip Feng Shui exploitation technique and its application in mobile environments. Gain insights into the research process, from initial experiments to the final implementation, covering topics such as CPU cache bypassing, DRAM benchmarking, and memory templating. Understand the scientific value of Drammer and its wider impact on mobile device security. Follow the presenter's path from Santa Barbara to the beaches, exploring various approaches to achieve reliable exploitation without relying on fancy memory management features.
Overview
Syllabus
Intro
A Little Background
Rawhammer
Bypass the CPU cache
Select the Aggressor Rows
Rowhammer Exploitation
Hammering a Needle in the Software Stack
A Quick Google Search
Arrival at Santa Barbara
Benchmarking DRAM Bandwidth
Kernel Module
A piece of art: meh.cc
Debug, Hammer, Debug
E-Mail From The Bos
Flipping Bits On The Beach
Downward Spiral
The cacheflush System Call
Pointer Chasing
Flipping Bits By Executing Code
Cache Maintenance Operations
Martina
Memory templating
Scientific Value
Land sensitive data
a. Exhaust Large Chunks
b. Find a Bit Flip
Release Vulnerable Chunk
Exhaust Rows (again)
a. Release Vulnerable Row
b. Release Large Chunks
Allocate Pages until we hit the vulnerable now
Padding
Map a Page Table
Evaluation
Wrapping Up
Disclosure
Drammer
Taught by
Hack In The Box Security Conference
