
LeapFrog: The Rowhammer Instruction Skip Attack (2404.07878v3)

Published 11 Apr 2024 in cs.CR and cs.AR

Abstract: Since its inception, Rowhammer exploits have rapidly evolved into increasingly sophisticated threats compromising the data integrity and the control flow integrity of victim processes. Nevertheless, it remains a challenge for an attacker to identify vulnerable targets (i.e., Rowhammer gadgets), understand the outcome of the attempted fault, and formulate an attack that yields useful results. In this paper, we present a new type of Rowhammer gadget, called a LeapFrog gadget, which, when present in the victim code, allows an adversary to subvert code execution to bypass a critical piece of code (e.g., authentication check logic, encryption rounds, padding in security protocols). The LeapFrog gadget manifests when the victim code stores the Program Counter (PC) value in the user or kernel stack (e.g., a return address during a function call) which, when tampered with, repositions the return address to a location that bypasses a security-critical code pattern. This research also presents a systematic process to identify LeapFrog gadgets. This methodology enables the automated detection of susceptible targets and the determination of optimal attack parameters. We first demonstrate the attack on a decision tree algorithm to show the potential implications. Second, we employ the attack on OpenSSL to bypass the encryption and reveal the plaintext. We then use our tools to scan the Open Quantum Safe library and report on the number of LeapFrog gadgets in the code. Lastly, we demonstrate this new attack vector through a practical demonstration in a client/server TLS handshake scenario, successfully inducing an instruction skip in a client application. Our findings extend the impact of Rowhammer attacks on control flow and contribute to developing more robust defenses against these increasingly sophisticated threats.

