GbHammer: Malicious Inter-process Page Sharing by Hammering Global Bits in Page Table Entries
Keigo Yoshioka, Soramichi Akiyama

TL;DR
GbHammer is a new type of RowHammer attack that exploits global bits in page table entries to maliciously share memory pages, enabling privilege escalation and data snooping on Linux systems.
Contribution
This paper introduces GbHammer, a novel RowHammer-based attack targeting management bits in PTEs, demonstrating new security risks and potential mitigations.
Findings
GbHammer can create shared pages between attacker and victim.
GbHammer enables arbitrary code execution and data snooping.
The attack was demonstrated on Linux with real hardware simulation.
Abstract
RowHammer is a vulnerability inside DRAM chips where an attacker repeatedly accesses a DRAM row to flip bits in the nearby rows without directly accessing them. Several studies have found that flipping bits in the address part inside a page table entry (PTE) leads to serious security risks such as privilege escalation. However, the risk of management bits in a PTE being flipped by RowHammer has not yet been discussed as far as we know. In this paper, we point out a new vulnerability called GbHammer that allows an attacker to maliciously share a physical memory page with a victim by hammering the global bit in a PTE. GbHammer not only creates a shared page but also enables the attacker to (1) make the victim's process execute arbitrary binary and (2) snoop on the victim's secret data through the shared page. We demonstrate the two exploits on a real Linux kernel running on a…
Taxonomy
Topics: Advanced Malware Detection Techniques
