Understanding Rowhammer Attacks through the Lens of a Unified Reference Framework
Rowhammer is a hardware-based bug that allows the attacker to modify the data in the memory without accessing it, just repeatedly and frequently accessing (or hammering) physically adjacent memory rows. So that it can break the memory isolation between processes, which is seen as the cornerstone of modern system security, exposing the sensitive data to unauthorized and imperceptible corruption. A number of previous works have leveraged the rowhammer bug to achieve various critical attacks. In this work, we propose a unified reference framework for analyzing the rowhammer attacks, indicating three necessary factors in a practical rowhammer attack: the attack origin, the intended implication and the methodology. Each factor includes multiple primitives, the attacker can select primitives from three factors to constitute an effective attack. In particular, the methodology further summarizes all existing attack techniques, that are used to achieve its three primitives: Location Preparation (LP), Rapid Hammering (RH), and Exploit Verification (EV). Based on the reference framework, we analyze all previous rowhammer attacks and corresponding countermeasures. Our analysis shows that how primitives in different factors are combined and used in previous attacks, and thus points out new possibility of rowhammer attacks, enabling proactive prevention before it causes harm. Under the framework, we propose a novel expressive rowhammer attack that is capable of accumulating injected memory changes and achieving rich attack semantics. We conclude by outlining future research directions.
READ FULL TEXT