Wow. Once again confirming that our idealized representations of digital machines do not correspond to physical reality... sometimes in really interesting and dangerous ways. Given the complexity and density of modern semiconductor devices it's quite likely that there are many variations of this "non-ideal machine" exploit waiting to be found... and it is possible that in some cases they may even be deliberately introduced vulnerabilities.
"“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory."
Posted by Mark Seaborn, sandbox builder and breaker, with contributions by Thomas Dullien, reverse engineer [This guest post continues Project Zero’s practice of promoting excellence in security research on the Project Zero b...