Mayhem: Targeted Corruption of Register and Stack Variables

Andrew J. Adiletta, M. Caner Tol, Yarkın Doröz, Berk Sunar

TL;DR

This work expands the Rowhammer threat model by showing that stack variables and even CPU register values are exposed to fault injection, not just long-lived DRAM contents. It develops offline memory-profiling and bait-page techniques to co-locate target data with flippable memory, and synchronizes the online attack using blocking windows or signal-driven contexts so that the flip lands while the target value is spilled to memory. The authors demonstrate practical authentication bypasses against SUDO and OpenSSH, show how the same faults enable Bellcore-style attacks on RSA and bypasses of MySQL authentication, and build a full end-to-end attack on OpenSSL signature verification. The paper also discusses countermeasures, arguing for tighter coding practices, memory-management strategies, and detection approaches that reduce Rowhammer's reach into software state. Taken together, the results substantially expand the Rowhammer attack surface and motivate concrete mitigations in both hardware and software.
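As an added illustration (not code from the paper), the following C program simulates the fault model the TL;DR describes: an authentication decision that normally lives in a register is spilled to the stack, a single bit of the spilled value is flipped (an XOR stands in for the Rowhammer flip), and the corrupted value is then restored and acted on. It compares a naive check, where any nonzero flag grants access, against the kind of tighter coding practice the paper argues for: a sentinel constant with a large Hamming distance from the deny value, so that no single-bit flip can turn deny into grant. The constants AUTH_DENY and AUTH_GRANT and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants are assumptions for this example, not values from the paper.
 * AUTH_GRANT differs from AUTH_DENY in 32 of 64 bits, so one flipped bit
 * (or even a handful) in a spilled copy cannot convert one into the other. */
#define AUTH_DENY  0x0000000000000000ULL
#define AUTH_GRANT 0xA5A5C33C5AA53CC3ULL

/* Naive check: access is granted for any nonzero flag. A single flip in a
 * stack-resident zero yields a nonzero value and therefore a bypass. */
int naive_grants(uint64_t flag) { return flag != 0; }

/* Hardened check: access is granted only for the exact sentinel. */
int hardened_grants(uint64_t flag) { return flag == AUTH_GRANT; }

/* Model of the attack flow for one fault: the decision is spilled to the
 * stack (the volatile slot), one bit is flipped while it sits there, and the
 * corrupted value is reloaded and acted on. The XOR stands in for a
 * Rowhammer-induced flip in the DRAM row backing that stack page. */
int decision_after_flip(int (*check)(uint64_t), uint64_t decision, int bit) {
    volatile uint64_t spilled = decision;   /* value pushed to the stack */
    spilled ^= (1ULL << bit);               /* fault injected while in memory */
    uint64_t restored = spilled;            /* value reloaded into a register */
    return check(restored);
}

/* Fault-injection harness: try every single-bit flip of a stored "deny"
 * decision and count how many of them produce an unintended grant. */
int count_single_flip_bypasses(int (*check)(uint64_t), uint64_t deny_value) {
    int bypasses = 0;
    for (int bit = 0; bit < 64; bit++) {
        if (decision_after_flip(check, deny_value, bit) && !check(deny_value))
            bypasses++;
    }
    return bypasses;
}

/* Number of simultaneous flips needed to turn AUTH_DENY into AUTH_GRANT,
 * i.e. the Hamming distance between the two sentinels. */
int flips_needed_to_grant(void) {
    uint64_t diff = AUTH_DENY ^ AUTH_GRANT;
    int n = 0;
    while (diff) { n += (int)(diff & 1); diff >>= 1; }
    return n;
}

int main(void) {
    printf("naive check:    %d of 64 single-bit flips bypass authentication\n",
           count_single_flip_bypasses(naive_grants, AUTH_DENY));
    printf("hardened check: %d of 64 single-bit flips bypass authentication\n",
           count_single_flip_bypasses(hardened_grants, AUTH_DENY));
    printf("hardened check needs %d simultaneous flips to reach AUTH_GRANT\n",
           flips_needed_to_grant());
    return 0;
}
```

The volatile slot forces the spill that the paper obtains through latent function calls or signal delivery; without it an optimizing compiler may keep the decision in a register for the whole window. The sentinel pattern only protects the stored decision itself: a flip in the comparison result, in code, or in a pointer is a different fault, which is why the paper also discusses memory-management and detection countermeasures.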

Abstract

In the past decade, many vulnerabilities were discovered in microarchitectures which yielded attack vectors and motivated the study of countermeasures. Further, architectural and physical imperfections in DRAMs led to the discovery of Rowhammer attacks, which give an adversary the power to introduce bit flips in a victim's memory space. Numerous studies analyzed Rowhammer and proposed techniques to prevent it altogether or to mitigate its effects. In this work, we push the boundary and show how Rowhammer can be further exploited to inject faults into stack variables and even register values in a victim's process. We achieve this by targeting the register value that is stored in the process's stack, which is subsequently flushed out to memory, where it becomes vulnerable to Rowhammer. When the faulty value is restored into the register, it is used in subsequent iterations. The register value can be stored in the stack via latent function calls in the source or by actively triggering signal handlers. We demonstrate the power of the findings by applying the techniques to bypass SUDO and SSH authentication. We further outline how MySQL and other cryptographic libraries can be targeted with the new attack vector. This work overcomes a number of challenges with extensive experimentation before arriving at an end-to-end attack on an OpenSSL digital signature: achieving co-location with stack and register variables, with synchronization provided via a blocking window. We show that stack and registers are no longer safe from the Rowhammer attack.
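The Bellcore attack named in the TL;DR is the classic consequence of a single fault in an RSA-CRT signature: a signature that is correct modulo one prime but wrong modulo the other leaks the factorization of N. The C program below, added here as an illustration rather than code from the paper or from OpenSSL, signs with a toy RSA-CRT key, injects one bit flip into the half-signature s_p (standing in for a Rowhammer flip of that intermediate while it sits in memory), and recovers q from the faulty output in two ways: with a correct signature of the same message, and with the message alone. The key (p = 61, q = 53, e = 17, d = 2753) and all function names are constructed for this example; the modulus is tiny so plain 64-bit arithmetic suffices.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy RSA parameters constructed for this example (not from the paper). */
#define P 61ULL
#define Q 53ULL
#define N (P * Q)            /* 3233 */
#define E 17ULL
#define D 2753ULL            /* E * D == 1 (mod lcm(P-1, Q-1)) */

/* Modular arithmetic; products fit in 64 bits because N < 2^32. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (a % m) * (b % m) % m;
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1;
    base %= m;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

uint64_t gcd64(uint64_t a, uint64_t b) {
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* RSA-CRT signing. fault_mask is XORed into the intermediate s_p after it is
 * computed, modelling a bit flip in that value while it sits in memory;
 * pass 0 for a correct signature. */
uint64_t rsa_crt_sign(uint64_t m, uint64_t fault_mask) {
    uint64_t dp = D % (P - 1);
    uint64_t dq = D % (Q - 1);
    uint64_t qinv = powmod(Q, P - 2, P);            /* Q^-1 mod P (Fermat, P prime) */
    uint64_t sp = powmod(m, dp, P);
    uint64_t sq = powmod(m, dq, Q);
    sp = (sp ^ fault_mask) % P;                      /* fault injected here */
    uint64_t h = mulmod(qinv, (sp + P - sq % P) % P, P);   /* Garner recombination */
    return sq + Q * h;
}

int rsa_verify(uint64_t m, uint64_t s) { return powmod(s, E, N) == m; }

/* Bellcore with a correct and a faulty signature of the same message:
 * s == s' (mod q) but s != s' (mod p), so gcd(s - s', N) == q. */
uint64_t bellcore_from_pair(uint64_t s_good, uint64_t s_bad) {
    return gcd64((s_good + N - s_bad % N) % N, N);
}

/* Bellcore with only the faulty signature and the message:
 * s'^e == m (mod q) but not (mod p), so gcd(s'^e - m, N) == q. */
uint64_t bellcore_from_message(uint64_t m, uint64_t s_bad) {
    return gcd64((powmod(s_bad, E, N) + N - m % N) % N, N);
}

int main(void) {
    uint64_t m = 65;                                  /* constructed message */
    uint64_t s = rsa_crt_sign(m, 0);
    uint64_t s_faulty = rsa_crt_sign(m, 1);           /* flip bit 0 of s_p */
    printf("correct signature %llu verifies: %d\n",
           (unsigned long long)s, rsa_verify(m, s));
    printf("faulty signature  %llu verifies: %d\n",
           (unsigned long long)s_faulty, rsa_verify(m, s_faulty));
    printf("factor from (s, s'): %llu\n",
           (unsigned long long)bellcore_from_pair(s, s_faulty));
    printf("factor from (m, s'): %llu\n",
           (unsigned long long)bellcore_from_message(m, s_faulty));
    return 0;
}
```

The message-only variant is the one that matters in practice: the attacker needs a single faulty signature and the signed data, nothing else. The standard mitigation is to verify the signature before releasing it (s^e == m mod N) and to refuse to output anything on mismatch, which is exactly the check rsa_verify performs here; a fault that lands in that verification step is a separate concern.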

Paper Structure (55 sections, 10 figures, 3 tables)

Figures (10)

  • Figure 1: Diagram showing the run time of a program with a blocking window that lets the attacker time the attack correctly
  • Figure 2: We can evict registers to the stack by switching contexts, which pushes the registers to cache, and then with contention we can evict them to DRAM, where the data can be flipped with Rowhammer.
  • Figure 3: Comparison of heat maps of bit flips in DDR3 and DDR4 DRAM chips. Darker color marks the locations of more reproducible bit flips. The bit flips seen in DDR4 are less reproducible than in DDR3.
  • Figure 4: Page fault side-channel analysis demonstrating a relationship between minor page faults and page offset
  • Figure 5: Typical scenario where the client connects to the server, sends a message, receives the message signed by the server, and is thereby able to authenticate the server.
  • ...and 5 more figures