PThammer: Cross-User-Kernel-Boundary Rowhammer through Implicit Accesses
Zhi Zhang, Yueqiang Cheng, Dongxi Liu, Surya Nepal, Zhi Wang, and Yuval Yarom

TL;DR
PThammer is a novel attack exploiting address translation to induce unauthorized memory accesses, enabling privilege escalation and bypassing existing rowhammer defenses.
Contribution
The paper introduces PThammer, a new cross-user-kernel-boundary rowhammer attack that leverages the implicit memory accesses performed during address translation.
Findings
PThammer successfully causes privilege escalation.
It bypasses existing software-only defenses.
The attack exploits address translation to induce unauthorized memory accesses.
Abstract
Rowhammer is a hardware vulnerability in DRAM memory, where repeated access to memory can induce bit flips in neighboring memory locations. Being a hardware vulnerability, rowhammer bypasses all of the system's memory protections, allowing adversaries to compromise the integrity and confidentiality of data. Rowhammer attacks have been shown to enable privilege escalation, sandbox escape, and cryptographic key disclosure. Recently, several proposals have suggested exploiting the spatial proximity between the accessed memory location and the location of the bit flip as a defense against rowhammer. These all aim to deny the attacker permission to access memory locations near sensitive data. In this paper, we question the core assumption underlying these defenses. We present PThammer, a confused-deputy attack that causes accesses to memory locations that the attacker is not allowed to access.…
Taxonomy
Topics: Security and Verification in Computing · Cloud Data Security Solutions · Diamond and Carbon-based Materials Research
