Rowhammer.js: Root privileges for web apps?

Transcription

1 Rowhammer.js: Root privileges for web apps? Daniel Gruss 1, Clémentine Maurice 2 1 IAIK, Graz University of Technology / 2 Technicolor and Eurecom 1

2 Rennes Graz Clémentine Maurice PhD since October from Rennes, France Daniel Gruss PhD student from Graz, Austria Both of us started to work independently on cache attacks 2

3 Bit flips! The timeline 2014 June 2015 March April June July 3

4 Bit flips! The timeline 2014 June Kim et al. paper Flipping bits in memory without accessing them at ISCA 14 = Rowhammer with clflush, originally viewed as a reliability issue 2015 March April June July 3

5 Bit flips! The timeline 2014 June Kim et al. paper Flipping bits in memory without accessing them at ISCA 14 = Rowhammer with clflush, originally viewed as a reliability issue 2015 March Mark Seaborn and Halvar Flake build exploits using Rowhammer with clflush April June July 3

6 Bit flips! The timeline 2014 June Kim et al. paper Flipping bits in memory without accessing them at ISCA 14 = Rowhammer with clflush, originally viewed as a reliability issue 2015 March April Mark Seaborn and Halvar Flake build exploits using Rowhammer with clflush Daniel starts working on Rowhammer without clflush June July 3

7 Bit flips! The timeline 2014 June Kim et al. paper Flipping bits in memory without accessing them at ISCA 14 = Rowhammer with clflush, originally viewed as a reliability issue 2015 March April June Mark Seaborn and Halvar Flake build exploits using Rowhammer with clflush Daniel starts working on Rowhammer without clflush Clémentine visits TU Graz to work on it with Daniel July 3

8 Bit flips! The timeline 2014 June Kim et al. paper Flipping bits in memory without accessing them at ISCA 14 = Rowhammer with clflush, originally viewed as a reliability issue 2015 March April June Mark Seaborn and Halvar Flake build exploits using Rowhammer with clflush Daniel starts working on Rowhammer without clflush Clémentine visits TU Graz to work on it with Daniel First bit flips without clflush on Ivy Bridge and Haswell a few days later! July 3

9 Bit flips! The timeline 2014 June Kim et al. paper Flipping bits in memory without accessing them at ISCA 14 = Rowhammer with clflush, originally viewed as a reliability issue 2015 March April June Mark Seaborn and Halvar Flake build exploits using Rowhammer with clflush Daniel starts working on Rowhammer without clflush Clémentine visits TU Graz to work on it with Daniel First bit flips without clflush on Ivy Bridge and Haswell a few days later! July Bit flips in JavaScript! 3

10 DRAM organization example 4

11 DRAM organization example channel 0 channel 1 4

12 DRAM organization example back of DIMM: rank 1 channel 0 front of DIMM: rank 0 channel 1 4

13 DRAM organization example back of DIMM: rank 1 channel 0 front of DIMM: rank 0 channel 1 chip 4

14 DRAM organization example chip bank 0 row 0 row 1 row 2... row row buffer bits in cells in rows access: activate row, copy to row buffer cells leak refresh necessary cells leak faster upon proximate accesses 5

15 Rowhammer It s like breaking into an apartment by repeatedly slamming a neighbor s door until the vibrations open the door you were after Motherboard Vice DRAM bank row buffer 6

16 Rowhammer It s like breaking into an apartment by repeatedly slamming a neighbor s door until the vibrations open the door you were after Motherboard Vice DRAM bank activate copy row buffer 6

17 Rowhammer It s like breaking into an apartment by repeatedly slamming a neighbor s door until the vibrations open the door you were after Motherboard Vice DRAM bank activate copy row buffer 6

18 Rowhammer It s like breaking into an apartment by repeatedly slamming a neighbor s door until the vibrations open the door you were after Motherboard Vice DRAM bank activate copy row buffer 6

19 Rowhammer It s like breaking into an apartment by repeatedly slamming a neighbor s door until the vibrations open the door you were after Motherboard Vice DRAM bank activate copy row buffer 6

20 Rowhammer It s like breaking into an apartment by repeatedly slamming a neighbor s door until the vibrations open the door you were after Motherboard Vice DRAM bank bit flips in row 2! row buffer 6

21 Impact of the CPU cache CPU core CPU cache DRAM only non-cached accesses reach DRAM original attacks use clflush instruction flush line from cache next access will be served from DRAM 7

22 Cache background core 0 core 1 core 2 core 3 L1 and L2 are private L1 L1 L1 L1 last-level cache: L2 LLC slice 0 L2 LLC slice 1 L2 LLC slice 2 L2 LLC slice 3 ring bus divided in slices shared across cores inclusive 8

23 Rowhammer (with clflush) DRAM bank cache set 1 cache set 2 9

24 Rowhammer (with clflush) DRAM bank cache set 1 clflush clflush cache set 2 9

25 Rowhammer (with clflush) DRAM bank cache set 1 clflush clflush cache set 2 9

26 Rowhammer (with clflush) DRAM bank cache set 1 cache set 2 9

27 Rowhammer (with clflush) DRAM bank cache set 1 reload cache set 2 9

28 Rowhammer (with clflush) DRAM bank cache set 1 reload reload cache set 2 9

29 Rowhammer (with clflush) DRAM bank cache set 1 clflush clflush cache set 2 9

30 Rowhammer (with clflush) DRAM bank cache set 1 reload reload cache set 2 9

31 Rowhammer (with clflush) DRAM bank cache set 1 clflush clflush cache set 2 9

32 Rowhammer (with clflush) DRAM bank cache set 1 reload reload cache set 2 9

33 Rowhammer (with clflush) DRAM bank cache set 1 clflush clflush cache set 2 9

34 Rowhammer (with clflush) DRAM bank cache set 1 reload reload cache set 2 9

35 Rowhammer (with clflush) DRAM bank cache set 1 clflush wait for it... clflush cache set 2 9

36 Rowhammer (with clflush) DRAM bank cache set 1 reload reload bit flip! cache set 2 9

37 Wait a second, Flush+Reload? Flush+Reload a cache attack exactly what we just did, but... 10

38 Wait a second, Flush+Reload? Flush+Reload a cache attack exactly what we just did, but... measure timing (cache hit vs. miss) run on shared libraries to spy on other processes 10

39 Wait a second, Flush+Reload? Flush+Reload a cache attack exactly what we just did, but... measure timing (cache hit vs. miss) run on shared libraries to spy on other processes automated attacks [Gruss et al., 2015c] crypto keys, keylogging, cross VM attacks,... 10

40 Rowhammer without clflush? idea: avoid clflush to be independent of specific instructions no clflush in JavaScript 11

41 Rowhammer without clflush? idea: avoid clflush to be independent of specific instructions no clflush in JavaScript our approach: use regular memory accesses for eviction techniques from cache attacks! 11

42 Rowhammer without clflush DRAM bank cache set 1 cache set 2 12

43 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12

44 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12

45 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12

46 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12

47 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12

48 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12

49 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12

50 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12

51 Rowhammer without clflush DRAM bank cache set 1 reload reload cache set 2 12

52 Rowhammer without clflush DRAM bank cache set 1 repeat! cache set 2 12

53 Rowhammer without clflush DRAM bank cache set 1 reload reload wait for it... cache set 2 12

54 Rowhammer without clflush DRAM bank cache set 1 bit flip! cache set 2 12

55 Rowhammer.js: the challenges 1. How to get physical addresses in JS? 2. Which physical addresses to access? 3. In which order to access them? 4. How to get accurate timing in JS? 13

56 Rowhammer.js: the challenges 1. How to get physical addresses in JS? 2. Which physical addresses to access? 3. In which order to access them? 4. How to get accurate timing in JS? 13

57 #1.1: Physical addresses and DRAM fixed map: physical addresses DRAM cells undocumented for Intel reverse-engineering by [Seaborn, 2015b] for Sandy Bridge and by us [Pessl et al., 2015] for Sandy, Ivy, Haswell, Skylake,... 14

58 #1.2: Physical addresses and JavaScript OS optimization: use 2MB pages = last 21 bits (2MB) of physical address = last 21 bits (2MB) of virtual address 15

59 #1.2: Physical addresses and JavaScript OS optimization: use 2MB pages = last 21 bits (2MB) of physical address = last 21 bits (2MB) of virtual address = last 21 bits (2MB) of JS array indices [Gruss et al., 2015a] 15

60 #1.2: Physical addresses and JavaScript OS optimization: use 2MB pages = last 21 bits (2MB) of physical address = last 21 bits (2MB) of virtual address = last 21 bits (2MB) of JS array indices [Gruss et al., 2015a] several DRAM rows per 2MB page several congruent addresses per 2MB page use timing for cross-page information 15

61 #2.1: Which physical addresses to access? LRU eviction : assume that cache uses LRU replacement accessing n addresses from the same cache set to evict an n-way set [Percival, 2005, Liu et al., 2015, Oren et al., 2015, Maurice et al., 2015b] eviction from last level from whole hierarchy (it s inclusive!) 16

62 #2.2: Which addresses map to the same set? physical address 35 tag H 2 set 11 6 offset 0 function H that maps slices is undocumented reverse-engineered by [Maurice et al., 2015a, Inci et al., 2015, Yarom et al., 2015] line slice 0 slice 1 slice 2 slice 3 17

63 #2.2: Which addresses map to the same set? physical address tag set offset 30 H 11 2 line slice 0 slice 1 slice 2 slice 3 0 function H that maps slices is undocumented reverse-engineered by [Maurice et al., 2015a, Inci et al., 2015, Yarom et al., 2015] hash function basically an XOR of address bits 17

64 #2.2: Which addresses map to the same set? function H that maps slices is undocumented reverse-engineered by [Maurice et al., 2015a, Inci et al., 2015, Yarom et al., 2015] hash function basically an XOR of address bits 17

65 #3.1: Replacement policy on older CPUs LRU eviction memory accesses cache set 18

66 #3.1: Replacement policy on older CPUs LRU eviction memory accesses cache set LRU replacement policy: oldest entry first 18

67 #3.1: Replacement policy on older CPUs LRU eviction memory accesses cache set LRU replacement policy: oldest entry first timestamps for every cache line 18

68 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18

69 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18

70 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18

71 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18

72 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18

73 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18

74 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18

75 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18

76 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses cache set no LRU replacement 19

77 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19

78 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19

79 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19

80 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19

81 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19

82 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19

83 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19

84 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19

85 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses cache set no LRU replacement only 75% success rate on Haswell 19

86 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses cache set no LRU replacement only 75% success rate on Haswell more accesses higher success rate, but too slow 19

87 #3.3: Cache eviction strategy Address a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 Time Figure: Fast and effective on Haswell. Eviction rate >99.97%. 20

88 #4: How to get accurate timing in JavaScript? native code: rdtsc JavaScript: window.performance.now() 21

89 #4: How to get accurate timing in JavaScript? native code: rdtsc JavaScript: window.performance.now() recent patch: time rounded to 5 microseconds still works - we measure millions of accesses 21

90 Evaluation on Haswell 10 6 clflush Evict (Native) Evict (JavaScript) Bit flips Refresh interval in µs (BIOS configuration) Figure: Number of bit flips within 15 minutes. [Gruss et al., 2015b] 22

91 Exploits? Idea: port root exploit by [Seaborn, 2015a] to JavaScript page table spraying needs shared memory not available in JavaScript 23

92 Exploits? Idea: port root exploit by [Seaborn, 2015a] to JavaScript page table spraying needs shared memory not available in JavaScript zero pages are deduplicated shared memory accessible from JavaScript 23

93 Physical memory access exploit in native code 1. find exploitable bitflip (address bit) 2. release bitflip page 24

94 Physical memory access exploit in native code 1. find exploitable bitflip (address bit) 2. release bitflip page 3. put page table there page table spraying with shared pages 4. trigger bitflip again 24

95 Physical memory access exploit in native code 1. find exploitable bitflip (address bit) 2. release bitflip page 3. put page table there page table spraying with shared pages 4. trigger bitflip again 5. page table mapped instead of shared page? 6. modify page table to access arbitrary memory 24

96 Physical memory access exploit in JavaScript 1. find exploitable bitflip (address + writable bit) 2. release bitflip page 3. put page table there page table spraying with zero pages 4. trigger bitflip again 5. page table mapped instead of zero page? 6. modify page table to access arbitrary memory 25

97 Code execution as root 1. search for /bin/sh binary pages, modify page: add shellcode 26

98 Code execution as root 1. search for /bin/sh binary pages, modify page: add shellcode 3. wait until root executes shellcode 26

99 Countermeasures patch hardware: dynamic row refreshing patch BIOS: increase refresh rate 27

100 Countermeasures patch hardware: dynamic row refreshing what about legacy hardware? patch BIOS: increase refresh rate 27

101 Countermeasures patch hardware: dynamic row refreshing what about legacy hardware? patch BIOS: increase refresh rate might not be sufficient for all machines [Kim et al., 2014] need a BIOS update... 27

102 Countermeasures patch hardware: dynamic row refreshing what about legacy hardware? patch BIOS: increase refresh rate might not be sufficient for all machines [Kim et al., 2014] need a BIOS update... Who does that? 27

103 Countermeasures patch hardware: dynamic row refreshing what about legacy hardware? patch BIOS: increase refresh rate might not be sufficient for all machines [Kim et al., 2014] need a BIOS update... Who does that? 27

104 Countermeasures patch hardware: dynamic row refreshing what about legacy hardware? patch BIOS: increase refresh rate might not be sufficient for all machines [Kim et al., 2014] need a BIOS update... Who does that? patch OS: life is not perfect that s ok! 27

105 Countermeasures patch hardware: dynamic row refreshing what about legacy hardware? patch BIOS: increase refresh rate might not be sufficient for all machines [Kim et al., 2014] need a BIOS update... Who does that? patch OS: life is not perfect that s ok! idea: we don t care about self-destructive processes same-privilege physical memory pools 27

106 Conclusions cache eviction fast enough to replace clflush independent of programming language and available instructions hardware-fault attack induced in JavaScript remote attacks through websites 28

107 Not there yet, but... 29

108 Rowhammer.js: Root privileges for web apps? Daniel Gruss 1, Clémentine Maurice 2 1 IAIK, Graz University of Technology / 2 Technicolor and Eurecom 30

109 [Gruss et al., 2015a] Gruss, D., Bidner, D., and Mangard, S. (2015a). Practical memory deduplication attacks in sandboxed javascript. In Proceedings of the 20th European Symposium on Research in Computer Security (ESORICS 15). [Gruss et al., 2015b] Gruss, D., Maurice, C., and Mangard, S. (2015b). Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. arxiv: v1. [Gruss et al., 2015c] Gruss, D., Spreitzer, R., and Mangard, S. (2015c). Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches. In USENIX Security Symposium (USENIX Security 15). [Inci et al., 2015] Inci, M. S., Gulmezoglu, B., Irazoqui, G., Eisenbarth, T., and Sunar, B. (2015). Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud. Cryptology eprint Archive, Report 2015/

110 [Kim et al., 2014] Kim, Y., Daly, R., Kim, J., Fallin, C., Lee, J. H., Lee, D., Wilkerson, C., Lai, K., and Mutlu, O. (2014). Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors. In ACM/IEEE International Symposium on Computer Architecture (ISCA 14). [Liu et al., 2015] Liu, F., Yarom, Y., Ge, Q., Heiser, G., and Lee, R. B. (2015). Last-Level Cache Side-Channel Attacks are Practical. In IEEE Symposium on Security and Privacy (S&P 15). [Maurice et al., 2015a] Maurice, C., Le Scouarnec, N., Neumann, C., Heen, O., and Francillon, A. (2015a). Reverse Engineering Intel Last-Level Cache Complex Addressing Using Performance Counters. In International Symposium on Research in Attacks, Intrusions and Defenses (RAID). [Maurice et al., 2015b] Maurice, C., Neumann, C., Heen, O., and Francillon, A. (2015b). C5: Cross-Cores Cache Covert Channel. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 15). 32

111 [Oren et al., 2015] Oren, Y., Kemerlis, V. P., Sethumadhavan, S., and Keromytis, A. D. (2015). The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. In ACM Conference on Computer and Communications Security (CCS 15). [Percival, 2005] Percival, C. (2005). Cache Missing for Fun and Profit. URL: [Pessl et al., 2015] Pessl, P., Gruss, D., Maurice, C., Schwarz, M., and Mangard, S. (2015). Reverse Engineering Intel DRAM Addressing and Exploitation. arxiv: [Seaborn, 2015a] Seaborn, M. (2015a). Exploiting the DRAM rowhammer bug to gain kernel privileges. 33

112 [Seaborn, 2015b] Seaborn, M. (2015b). How physical addresses map to rows and banks in DRAM. [Yarom et al., 2015] Yarom, Y., Ge, Q., Liu, F., Lee, R. B., and Heiser, G. (2015). Mapping the Intel Last-Level Cache. Cryptology eprint Archive, Report 2015/

113 The research leading to these results has received funding from the European Union s Horizon 2020 research and innovation programme under grant agreement No (HECTOR). Furthermore, this work has been supported by the Austrian Research Promotion Agency (FFG) and the Styrian Business Promotion Agency (SFG) under grant number (SeCoS). The joint research has been supported by CRYPTACUS COST action. 35