funsec mailing list archives

Exploiting the DRAM rowhammer bug to gain kernel privileges
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 9 Mar 2015 14:45:03 -0400

http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

“Rowhammer” is a problem with some recent DRAM devices in which
repeatedly accessing a row of memory can cause bit flips in adjacent
rows. We tested a selection of laptops and found that a subset of them
exhibited the problem. We built two working privilege escalation
exploits that use this effect. One exploit uses rowhammer-induced bit
flips to gain kernel privileges on x86-64 Linux when run as an
unprivileged userland process. When run on a machine vulnerable to the
rowhammer problem, the process was able to induce bit flips in page
table entries (PTEs). It was able to use this to gain write access to
its own page table, and hence gain read-write access to all of
physical memory.

We don’t know for sure how many machines are vulnerable to this
attack, or how many existing vulnerable machines are fixable. Our
exploit uses the x86 CLFLUSH instruction to generate many accesses to
the underlying DRAM, but other techniques might work on non-x86
systems too.

We expect our PTE-based exploit could be made to work on other
operating systems; it is not inherently Linux-specific. Causing bit
flips in PTEs is just one avenue of exploitation; other avenues for
exploiting bit flips can be practical too. Our other exploit
demonstrates this by escaping from the Native Client sandbox.
...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.