GbHammer: Malicious Inter-process Page Sharing by Hammering Global Bits in Page Table Entries

Keigo Yoshioka, Soramichi Akiyama
2024-06-19
Abstract: RowHammer is a vulnerability inside DRAM chips where an attacker repeatedly accesses a DRAM row to flip bits in the nearby rows without directly accessing them. Several studies have found that flipping bits in the address part inside a page table entry (PTE) leads to serious security risks such as privilege escalation. However, the risk of management bits in a PTE being flipped by RowHammer has not yet been discussed as far as we know. In this paper, we point out a new vulnerability called GbHammer that allows an attacker to maliciously share a physical memory page with a victim by hammering the global bit in a PTE. GbHammer not only creates a shared page but also enables the attacker to (1) make the victim's process execute arbitrary binary and (2) snoop on the victim's secret data through the shared page. We demonstrate the two exploits on a real Linux kernel running on a cycle-accurate CPU simulator. We also discuss possible mitigation measures for GbHammer and the risk of GbHammer in non-x86 ISAs.
Cryptography and Security
What problem does this paper attempt to address?
The problem this paper addresses is the impact of the RowHammer vulnerability on the management bits of page-table entries (PTEs), and in particular the new security risk that arises when the global bit is flipped. Specifically:

1. **Gap in existing research**: Prior RowHammer studies have concentrated on flipping bits in the address part of a PTE, ignoring the risk of management bits (such as the global bit) being flipped.
2. **Newly discovered vulnerability**: The authors identify a new vulnerability, GbHammer. By flipping the global bit in a PTE, an attacker can maliciously share a physical memory page with a victim, with two serious consequences:
   - **Arbitrary binary execution**: the attacker can make the victim's process execute binary code the attacker has crafted.
   - **Data snooping**: the attacker can read the victim's secret data through the shared page.
3. **Experimental verification**: The authors demonstrate both exploits on a real Linux kernel running on the cycle-accurate CPU simulator gem5.
4. **Cross-architecture impact**: The authors also discuss whether GbHammer applies to, and what risk it poses on, non-x86 architectures (such as ARMv7 and RISC-V).

### Specific problem description

- **RowHammer vulnerability**: RowHammer is a vulnerability in DRAM chips: by repeatedly accessing the same DRAM row, an attacker can induce bit flips in physically adjacent rows without accessing them directly.
- **Role of the global bit**: On x86, the global bit in a PTE marks the translation as valid across address spaces: the CPU keeps the corresponding TLB entry when a new page table is loaded on a context switch instead of flushing it. Operating systems normally set it only on kernel mappings, which are identical in every process. If an attacker gets the global bit flipped in a PTE of their own process, the TLB entry for that virtual address survives into the victim's address space, so the victim's accesses to that virtual address are served from the attacker's physical page. The attacker can use this to create a shared page and then mount the attack.
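To make the distinction between a PTE's address part and its management bits concrete, the following C program (an added example, not code from the paper) decodes an x86-64 4 KiB PTE, simulates a single bit flip at bit 8 (the global bit) next to a flip in the frame-address bits, and applies an assumed detection heuristic: since Linux sets the global bit only on kernel mappings, a present, user-accessible PTE with G=1 is flagged. The sample PTE value and frame address are constructed, and the heuristic is the editor's assumption, not a mitigation the paper proposes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * x86-64 page-table-entry layout for a 4 KiB page (Intel SDM vol. 3, Table 4-19).
 * Only the bits relevant to the GbHammer discussion are decoded here.
 */
#define PTE_P        (1ULL << 0)   /* present */
#define PTE_RW       (1ULL << 1)   /* writable */
#define PTE_US       (1ULL << 2)   /* user/supervisor: 1 = user-accessible */
#define PTE_G        (1ULL << 8)   /* global: TLB entry survives a CR3 reload */
#define PTE_NX       (1ULL << 63)  /* execute-disable */
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL /* bits 12..51: physical frame base */

#define PTE_GLOBAL_BIT 8           /* the bit GbHammer targets */

struct pte_fields {
    bool present, writable, user, global, nx;
    uint64_t phys;                 /* physical address of the mapped frame */
};

/* Split a raw 64-bit PTE into its management bits and its address part. */
static struct pte_fields pte_decode(uint64_t pte)
{
    struct pte_fields f;
    f.present  = (pte & PTE_P)  != 0;
    f.writable = (pte & PTE_RW) != 0;
    f.user     = (pte & PTE_US) != 0;
    f.global   = (pte & PTE_G)  != 0;
    f.nx       = (pte & PTE_NX) != 0;
    f.phys     = pte & PTE_PFN_MASK;
    return f;
}

/* Model a single RowHammer-induced bit flip at position `bit` (0..63). */
static uint64_t flip_bit(uint64_t pte, unsigned bit)
{
    return pte ^ (1ULL << bit);
}

/*
 * Assumed detection heuristic (not from the paper): Linux sets _PAGE_GLOBAL
 * only on kernel mappings, so a present, user-accessible PTE with G=1 should
 * never occur and is a candidate GbHammer flip.
 */
static bool pte_user_global_violation(uint64_t pte)
{
    return (pte & PTE_P) && (pte & PTE_US) && (pte & PTE_G);
}

/* Count violating entries in one last-level page table (up to 512 PTEs). */
static size_t scan_page_table(const uint64_t *table, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (pte_user_global_violation(table[i]))
            hits++;
    return hits;
}

/* Constructed sample: a present, writable, non-executable user page
 * backed by physical frame 0x1234000. Values are illustrative only. */
static uint64_t example_pte(void)
{
    return 0x1234000ULL | PTE_P | PTE_RW | PTE_US | PTE_NX;
}

static void print_pte(const char *label, uint64_t pte)
{
    struct pte_fields f = pte_decode(pte);
    printf("%-20s raw=%016llx phys=%#llx U/S=%d G=%d NX=%d\n", label,
           (unsigned long long)pte, (unsigned long long)f.phys,
           f.user, f.global, f.nx);
}

int main(void)
{
    uint64_t pte       = example_pte();
    uint64_t gb_flip   = flip_bit(pte, PTE_GLOBAL_BIT); /* GbHammer: management bit */
    uint64_t addr_flip = flip_bit(pte, 20);             /* classic PTE attack: address bit */

    print_pte("original", pte);
    print_pte("global bit flipped", gb_flip);    /* same frame, now global */
    print_pte("address bit flipped", addr_flip); /* different frame, still non-global */

    uint64_t table[4] = { pte, gb_flip, addr_flip, 0 };
    printf("user+global violations in table: %zu\n", scan_page_table(table, 4));
    return 0;
}
```

The contrast in the output is the paper's point: the address-bit flip redirects the mapping to a different frame, while the global-bit flip leaves the frame untouched and changes only how the CPU treats the translation across context switches. The scan shows one way an OS could audit its own page tables for that invariant violation.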
### Solutions and challenges

The paper proposes several possible mitigation measures:

- Modifying the `mmap` system call to ignore the virtual address requested by the caller, so that an attacker cannot freely place a page at the virtual address the victim uses, which raises the difficulty of the attack.
- Modifying the loader to ignore the virtual addresses specified in ELF binaries, which is only possible when the binary is position-independent code (PIC).
- Disabling the global bit altogether, at the cost of a performance overhead (kernel translations would no longer survive context switches) that needs further evaluation.

In summary, the paper reveals a previously under-explored security risk and proposes corresponding defenses, providing an important reference for future security research.