Understanding Rowhammer Attacks through the Lens of a Unified Reference Framework

TL;DR

This paper introduces a unified framework for analyzing rowhammer attacks, categorizing attack factors and primitives, and uses it to analyze past attacks and propose a new, more expressive attack method.

Contribution

The paper presents a comprehensive reference framework for understanding rowhammer attacks, enabling systematic analysis and the design of novel attack strategies.

Findings

Analysis of existing rowhammer attacks using the framework

Identification of new attack possibilities through primitive combinations

Proposal of a novel expressive rowhammer attack with rich semantics

Abstract

Rowhammer is a hardware-based bug that allows the attacker to modify the data in the memory without accessing it, just repeatedly and frequently accessing (or hammering) physically adjacent memory rows. So that it can break the memory isolation between processes, which is seen as the cornerstone of modern system security, exposing the sensitive data to unauthorized and imperceptible corruption. A number of previous works have leveraged the rowhammer bug to achieve various critical attacks. In this work, we propose a unified reference framework for analyzing the rowhammer attacks, indicating three necessary factors in a practical rowhammer attack: the attack origin, the intended implication and the methodology. Each factor includes multiple primitives, the attacker can select primitives from three factors to constitute an effective attack. In particular, the methodology further summarizes all existing attack techniques, that are used to achieve its three primitives: Location Preparation (LP), Rapid Hammering (RH), and Exploit Verification (EV). Based on the reference framework, we analyze all previous rowhammer attacks and corresponding countermeasures. Our analysis shows that how primitives in different factors are combined and used in previous attacks, and thus points out new possibility of rowhammer attacks, enabling proactive prevention before it causes harm. Under the framework, we propose a novel expressive rowhammer attack that is capable of accumulating injected memory changes and achieving rich attack semantics. We conclude by outlining future research directions.