Sources:
http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
https://code.google.com/p/google-security-research/issues/detail?id=284

Full PoC: http://www.exploit-db.com/sploits/36311.tar.gz

This is a proof-of-concept exploit that is able to escape from Native Client's x86-64 sandbox on machines that are susceptible to the DRAM "rowhammer" problem. It works by inducing a bit flip in read-only code so that the code is no longer safe, producing instruction sequences that wouldn't pass NaCl's x86-64 validator.

Note that this uses the CLFLUSH instruction, so it doesn't work in newer versions of NaCl where this instruction is disallowed by the validator.

There are two ways to test the exploit program without getting a real rowhammer-induced bit flip:

* Unit testing: rowhammer_escape_test.c can be compiled and run as a Linux executable (instead of as a NaCl executable). In this case, it tests each possible bit flip in its code template, checking that each is handled correctly.

* Testing inside NaCl: The patch "inject_bit_flip_for_testing.patch" modifies NaCl's dyncode_create() syscall to inject a bit flip for testing purposes. This syscall is NaCl's interface for loading code dynamically.

Mark Seaborn
mseaborn@chromium.org
March 2015