Flipper: Rowhammer on Steroids. Flipper amplifies Rowhammer attacks on DDR3 memory by 830x, enabling privilege escalation even on systems with mitigations. This summary covers the technique behind its faster, more effective bit flips.
The density of memory cells in modern DRAM is so high that frequently accessing a memory row can flip bits in nearby rows. That effect is called Rowhammer, and an attacker can exploit this phenomenon to flip bits by rapidly accessing the contents of nearby memory rows. In recent years, researchers have developed sophisticated exploits based on this vulnerability, which enable privilege escalation on desktop computers, mobile devices, and even cloud systems without requiring any software vulnerability. However, rows are not equally vulnerable to Rowhammer. Therefore, an attacker has to massage the memory, for instance, with Page Table Entry (PTE) spraying, to increase the chance of successful exploitation. More bit flips mean the attacks become easier and faster to conduct. In this paper, we present Flipper, a Rowhammer amplification attack against DDR3, consisting of two components: cmpIST exploits the cmpsb and repe x86 instructions to get DRAM access with higher frequency. cmpPAR exploits the effect of hammering in multiple threads, which increases the number of bit flips found in a given time, as shown in previous work. As a result, we can increase the number of bit flips by a factor of 830 on the measured devices, even on systems featuring mitigation techniques, without using administrative privileges. We evaluate our technique on six DDR3 DIMMs. Although DDR3 memory has been superseded by DDR4 and DDR5 memory technologies, it is still widely used in devices that do not require frequent replacement, such as projectors, smart displays, servers, embedded devices, routers, and printers.
This paper, titled "Flipper: Rowhammer on Steroids," presents a compelling advancement in Rowhammer research by introducing Flipper, an amplification attack designed to significantly increase the rate of bit flips. The authors aptly frame the ongoing challenge of Rowhammer, a vulnerability stemming from high memory cell density that allows an attacker to induce bit flips in adjacent rows through rapid access. While previous work has demonstrated sophisticated exploits for privilege escalation across various platforms, those exploits often require extensive memory "massaging" to ensure successful exploitation. Flipper addresses this limitation directly by making Rowhammer attacks easier and faster to conduct through a substantial increase in bit flip occurrences, even against systems with existing mitigation techniques. The core contribution of Flipper lies in its two components: cmpIST and cmpPAR. The cmpIST technique leverages specific x86 instructions, `cmpsb` and `repe`, to achieve a higher frequency of DRAM access, which is crucial for triggering Rowhammer more effectively. Complementing this, cmpPAR exploits the known effect of multi-threaded hammering, as observed in prior research, to further increase the number of bit flips detected within a given timeframe. The combination of these techniques, evaluated on six DDR3 DIMMs, reportedly yields an 830-fold increase in the number of bit flips on the measured devices. Crucially, this amplification is achieved without requiring administrative privileges and is demonstrated even on systems incorporating mitigation strategies, underscoring its potency. The decision to focus on DDR3 memory, despite the prevalence of newer DDR4 and DDR5 technologies, is well-justified and highlights a critical security blind spot.
As the authors point out, DDR3 remains widely deployed in a vast array of devices with longer replacement cycles, including servers, embedded systems, routers, printers, projectors, and smart displays. This work therefore has significant implications for the security of a substantial installed base of hardware, demonstrating that even legacy memory technologies can be vulnerable to highly amplified attacks. Flipper's ability to bypass existing mitigations and achieve such a dramatic increase in bit flips without elevated privileges makes it a potent proof-of-concept, calling for renewed attention to Rowhammer in these pervasive, often overlooked, computing environments.
Published in Proceedings of the Microarchitecture Security Conference.
By Sciaria