D-RamPage: POC for zero-risk row-hammer exploitation

[halfdog <me () halfdog net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello List,

Although I have no row-hammer affected hardware, I tried to build a POC that allows zero-risk exploitation of 
row-hammer affected DRAM setups, see [1].

The main idea of the POC is to

* reserve complete rows of physical pages (verified via pagemap)

* remove the cached page of a file suitable for privilege escalation, e.g. a SUID binary or ld-linux, from read page 
cache, so that it will be read again and probably mapped to a new location.

* trigger a timed read to get it mapped to the only free page position in a contiguous block of physical pages

* hammer the middle of the physical pages block with two buffer rows on each side, on containing the cached target file 
page

* when modification of target file page in cache is not suitable for privilege escalation, just flush it from cache and 
start anew.


Without suitable hardware, I've currently not included the hammer assembly code yet. But if someone with an appropriate 
test system would be willing to assist in testing, I would be glad to add that code also. (I will not put out code 
without testing).


hd



[1] http://www.halfdog.net/Security/2015/SafeRowhammerPrivilegeEscalation/

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlUHaLQACgkQxFmThv7tq+408gCdFe5W0mXuRfHdLmXR23eFINta
jA4AnjjEOEinnLScFB+w+Tw0H9h+MBqO
=6H0d
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/