Saved in:
Bibliographic Details
Main Authors: Adiletta, Andrew J., Tol, M. Caner, Doröz, Yarkın, Sunar, Berk
Format: Preprint
Published: 2023
Subjects:
Online Access:https://arxiv.org/abs/2309.02545
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866929312365543424
author Adiletta, Andrew J.
Tol, M. Caner
Doröz, Yarkın
Sunar, Berk
author_facet Adiletta, Andrew J.
Tol, M. Caner
Doröz, Yarkın
Sunar, Berk
contents In the past decade, many vulnerabilities were discovered in microarchitectures which yielded attack vectors and motivated the study of countermeasures. Further, architectural and physical imperfections in DRAMs led to the discovery of Rowhammer attacks which give an adversary power to introduce bit flips in a victim's memory space. Numerous studies analyzed Rowhammer and proposed techniques to prevent it altogether or to mitigate its effects. In this work, we push the boundary and show how Rowhammer can be further exploited to inject faults into stack variables and even register values in a victim's process. We achieve this by targeting the register value that is stored in the process's stack, which subsequently is flushed out into the memory, where it becomes vulnerable to Rowhammer. When the faulty value is restored into the register, it will end up used in subsequent iterations. The register value can be stored in the stack via latent function calls in the source or by actively triggering signal handlers. We demonstrate the power of the findings by applying the techniques to bypass SUDO and SSH authentication. We further outline how MySQL and other cryptographic libraries can be targeted with the new attack vector. There are a number of challenges this work overcomes with extensive experimentation before coming together to yield an end-to-end attack on an OpenSSL digital signature: achieving co-location with stack and register variables, with synchronization provided via a blocking window. We show that stack and registers are no longer safe from the Rowhammer attack.
format Preprint
id arxiv_https___arxiv_org_abs_2309_02545
institution arXiv
publishDate 2023
record_format arxiv
spellingShingle Mayhem: Targeted Corruption of Register and Stack Variables
Adiletta, Andrew J.
Tol, M. Caner
Doröz, Yarkın
Sunar, Berk
Cryptography and Security
In the past decade, many vulnerabilities were discovered in microarchitectures which yielded attack vectors and motivated the study of countermeasures. Further, architectural and physical imperfections in DRAMs led to the discovery of Rowhammer attacks which give an adversary power to introduce bit flips in a victim's memory space. Numerous studies analyzed Rowhammer and proposed techniques to prevent it altogether or to mitigate its effects. In this work, we push the boundary and show how Rowhammer can be further exploited to inject faults into stack variables and even register values in a victim's process. We achieve this by targeting the register value that is stored in the process's stack, which subsequently is flushed out into the memory, where it becomes vulnerable to Rowhammer. When the faulty value is restored into the register, it will end up used in subsequent iterations. The register value can be stored in the stack via latent function calls in the source or by actively triggering signal handlers. We demonstrate the power of the findings by applying the techniques to bypass SUDO and SSH authentication. We further outline how MySQL and other cryptographic libraries can be targeted with the new attack vector. There are a number of challenges this work overcomes with extensive experimentation before coming together to yield an end-to-end attack on an OpenSSL digital signature: achieving co-location with stack and register variables, with synchronization provided via a blocking window. We show that stack and registers are no longer safe from the Rowhammer attack.
title Mayhem: Targeted Corruption of Register and Stack Variables
topic Cryptography and Security
url https://arxiv.org/abs/2309.02545