Conference paper Open Access

Drammer: Deterministic Rowhammer Attacks on Mobile Platforms

Daniel Gruss; Clémentine Maurice; Victor van der Veen; Herbert Bos; Kaveh Razavi; Cristiano Giuffrida; Yanick Fratantonio; Martina Lindorfer; Giovanni Vigna


MARC21 XML Export

<?xml version='1.0' encoding='UTF-8'?>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam##2200000uu#4500</leader>
  <controlfield tag="005">20190410041148.0</controlfield>
  <controlfield tag="001">375506</controlfield>
  <datafield tag="711" ind1=" " ind2=" ">
    <subfield code="d">24-28 October 2016</subfield>
    <subfield code="g">ACM CCS 2016</subfield>
    <subfield code="a">23rd ACM Conference on Computer and Communications Security</subfield>
    <subfield code="c">Vienna, Austria</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">TU Graz</subfield>
    <subfield code="a">Clémentine Maurice</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">Vrije Universiteit Amsterdam</subfield>
    <subfield code="a">Victor van der Veen</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">Vrije Universiteit Amsterdam</subfield>
    <subfield code="a">Herbert Bos</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">Vrije Universiteit Amsterdam</subfield>
    <subfield code="a">Kaveh Razavi</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">Vrije Universiteit Amsterdam</subfield>
    <subfield code="a">Cristiano Giuffrida</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">UC Santa Barbara</subfield>
    <subfield code="a">Yanick Fratantonio</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">UC Santa Barbara</subfield>
    <subfield code="a">Martina Lindorfer</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">UC Santa Barbara</subfield>
    <subfield code="a">Giovanni Vigna</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="s">608471</subfield>
    <subfield code="z">md5:8e8eeffdae5dd84868e5eec0ebe9ebbe</subfield>
    <subfield code="u">https://zenodo.org/record/375506/files/2016-ACMCCS-Drammer-deterministic-rowhammer-TUG.pdf</subfield>
  </datafield>
  <datafield tag="542" ind1=" " ind2=" ">
    <subfield code="l">open</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="y">Conference website</subfield>
    <subfield code="u">https://www.sigsac.org/ccs/CCS2016/</subfield>
  </datafield>
  <datafield tag="260" ind1=" " ind2=" ">
    <subfield code="c">2016-10-24</subfield>
  </datafield>
  <datafield tag="909" ind1="C" ind2="O">
    <subfield code="p">openaire</subfield>
    <subfield code="p">user-hector</subfield>
    <subfield code="o">oai:zenodo.org:375506</subfield>
  </datafield>
  <datafield tag="100" ind1=" " ind2=" ">
    <subfield code="u">TU Graz</subfield>
    <subfield code="a">Daniel Gruss</subfield>
  </datafield>
  <datafield tag="245" ind1=" " ind2=" ">
    <subfield code="a">Drammer: Deterministic Rowhammer Attacks on Mobile Platforms</subfield>
  </datafield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">user-hector</subfield>
  </datafield>
  <datafield tag="536" ind1=" " ind2=" ">
    <subfield code="c">644052</subfield>
    <subfield code="a">HARDWARE ENABLED CRYPTO AND RANDOMNESS</subfield>
  </datafield>
  <datafield tag="540" ind1=" " ind2=" ">
    <subfield code="u">http://creativecommons.org/licenses/by/4.0/legalcode</subfield>
    <subfield code="a">Creative Commons Attribution 4.0 International</subfield>
  </datafield>
  <datafield tag="650" ind1="1" ind2="7">
    <subfield code="a">cc-by</subfield>
    <subfield code="2">opendefinition.org</subfield>
  </datafield>
  <datafield tag="520" ind1=" " ind2=" ">
    <subfield code="a">&lt;p&gt;Recent work shows that the Rowhammer hardware bug can be used to craft powerful attacks and completely subvert a system. However, existing efforts either describe probabilistic (and thus unreliable) attacks or rely on special (and often unavailable) memory management features to place victim objects in vulnerable physical memory locations. Moreover, prior work only targets x86 and researchers have openly wondered whether Rowhammer attacks on other architectures, such as ARM, are even possible. We show that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses. Rather than assuming special memory management features, our attack, Drammer, solely relies on the predictable memory reuse patterns of standard physical memory allocators. We implement Drammer on Android/ARM, demonstrating the practicability of our attack, but also discuss a generalization of our approach to other Linux-based platforms. Furthermore, we show that traditional x86-based Rowhammer exploitation techniques no longer work on mobile platforms and address the resulting challenges towards practical mobile Rowhammer attacks. To support our claims, we present the first Rowhammer-based Android root exploit relying on no software vulnerability, and requiring no user permissions. In addition, we present an analysis of several popular smartphones and find that many of them are susceptible to our Drammer attack. We conclude by discussing potential mitigation strategies and urging our community to address the concrete threat of faulty DRAM chips in widespread commodity platforms.&lt;/p&gt;</subfield>
  </datafield>
  <datafield tag="773" ind1=" " ind2=" ">
    <subfield code="n">doi</subfield>
    <subfield code="i">isIdenticalTo</subfield>
    <subfield code="a">10.1145/2976749.2978406</subfield>
  </datafield>
  <datafield tag="024" ind1=" " ind2=" ">
    <subfield code="a">10.5281/zenodo.375506</subfield>
    <subfield code="2">doi</subfield>
  </datafield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">publication</subfield>
    <subfield code="b">conferencepaper</subfield>
  </datafield>
</record>