PThammer: Cross-user-kernel-boundary rowhammer through implicit accesses
| dc.contributor.author | Zhang, Z. | |
| dc.contributor.author | Cheng, Y. | |
| dc.contributor.author | Liu, D. | |
| dc.contributor.author | Nepal, S. | |
| dc.contributor.author | Wang, Z. | |
| dc.contributor.author | Yarom, Y. | |
| dc.contributor.conference | Annual IEEE/ACM International Symposium on Microarchitecture (MICRO) (17 Oct 2020 - 21 Oct 2020 : virtual online) | |
| dc.date.issued | 2020 | |
| dc.description.abstract | Rowhammer is a hardware vulnerability in DRAM memory, where repeated access to memory can induce bit flips in neighboring memory locations. Being a hardware vulnerability, rowhammer bypasses all of the system memory protection, allowing adversaries to compromise the integrity and confidentiality of data. Rowhammer attacks have shown to enable privilege escalation, sandbox escape, and cryptographic key disclosures. Recently, several proposals suggest exploiting the spatial proximity between the accessed memory location and the location of the bit flip for a defense against rowhammer. These all aim to deny the attacker’s permission to access memory locations near sensitive data. In this paper, we question the core assumption underlying these defenses. We present PThammer, a confused-deputy attack that causes accesses to memory locations that the attacker is not allowed to access. Specifically, PThammer exploits the address translation process of modern processors, inducing the processor to generate frequent accesses to protected memory locations. We implement PThammer, demonstrating that it is a viable attack, resulting in a system compromise (e.g., kernel privilege escalation). We further evaluate the effectiveness of proposed software-only defenses showing that PThammer can overcome those. | |
| dc.description.statementofresponsibility | Zhi Zhang, Yueqiang Cheng, Dongxi Liu, Surya Nepal, Zhi Wang, and Yuval Yarom | |
| dc.identifier.citation | Micro -Annual Workshop then Annual International Symposium-, 2020, vol.2020, pp.28-41 | |
| dc.identifier.doi | 10.1109/MICRO50266.2020.00016 | |
| dc.identifier.isbn | 9781728173832 | |
| dc.identifier.issn | 1072-4451 | |
| dc.identifier.orcid | Yarom, Y. [0000-0003-0401-4197] | |
| dc.identifier.uri | https://hdl.handle.net/2440/135172 | |
| dc.language.iso | en | |
| dc.publisher | IEEE | |
| dc.publisher.place | online | |
| dc.relation.grant | http://purl.org/au-research/grants/arc/DE200101577 | |
| dc.relation.ispartofseries | Proceedings of the Annual International Symposium on Microarchitecture | |
| dc.rights | ©2020 IEEE | |
| dc.source.uri | https://ieeexplore.ieee.org/xpl/conhome/9251289/proceeding | |
| dc.subject | Rowhammer; Confused-deputy Attack; Address Translation; Privilege Escalation | |
| dc.title | PThammer: Cross-user-kernel-boundary rowhammer through implicit accesses | |
| dc.type | Conference paper | |
| pubs.publication-status | Published |