Saved in:
Bibliographic Details
Main Authors: Yoshioka, Keigo, Akiyama, Soramichi
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2406.13119
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914840199561216
author Yoshioka, Keigo
Akiyama, Soramichi
author_facet Yoshioka, Keigo
Akiyama, Soramichi
contents RowHammer is a vulnerability inside DRAM chips where an attacker repeatedly accesses a DRAM row to flip bits in the nearby rows without directly accessing them. Several studies have found that flipping bits in the address part inside a page table entry (PTE) leads to serious security risks such as privilege escalation. However, the risk of management bits in a PTE being flipped by RowHammer has not yet been discussed as far as we know. In this paper, we point out a new vulnerability called GbHammer that allows an attacker to maliciously share a physical memory page with a victim by hammering the global bit in a PTE. GbHammer not only creates a shared page but also enables the attacker to (1) make the victim's process execute arbitrary binary and (2) snoop on the victim's secret data through the shared page. We demonstrate the two exploits on a real Linux kernel running on a cycle-accurate CPU simulator. We also discuss possible mitigation measures for GbHammer and the risk of GbHammer in non-x86 ISAs.
format Preprint
id arxiv_https___arxiv_org_abs_2406_13119
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle GbHammer: Malicious Inter-process Page Sharing by Hammering Global Bits in Page Table Entries
Yoshioka, Keigo
Akiyama, Soramichi
Cryptography and Security
RowHammer is a vulnerability inside DRAM chips where an attacker repeatedly accesses a DRAM row to flip bits in the nearby rows without directly accessing them. Several studies have found that flipping bits in the address part inside a page table entry (PTE) leads to serious security risks such as privilege escalation. However, the risk of management bits in a PTE being flipped by RowHammer has not yet been discussed as far as we know. In this paper, we point out a new vulnerability called GbHammer that allows an attacker to maliciously share a physical memory page with a victim by hammering the global bit in a PTE. GbHammer not only creates a shared page but also enables the attacker to (1) make the victim's process execute arbitrary binary and (2) snoop on the victim's secret data through the shared page. We demonstrate the two exploits on a real Linux kernel running on a cycle-accurate CPU simulator. We also discuss possible mitigation measures for GbHammer and the risk of GbHammer in non-x86 ISAs.
title GbHammer: Malicious Inter-process Page Sharing by Hammering Global Bits in Page Table Entries
topic Cryptography and Security
url https://arxiv.org/abs/2406.13119