Aerosol

Rowhammer: NaCl Sandbox Escape PoC


Sources:
http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
https://code.google.com/p/google-security-research/issues/detail?id=284

Full PoC: http://www.exploit-db.com/sploits/36311.tar.gz


This is a proof-of-concept exploit that is able to escape from Native
Client's x86-64 sandbox on machines that are susceptible to the DRAM
"rowhammer" problem. It works by inducing a bit flip in read-only
code so that the code is no longer safe, producing instruction
sequences that wouldn't pass NaCl's x86-64 validator.

Note that this uses the CLFLUSH instruction, so it doesn't work in
newer versions of NaCl where this instruction is disallowed by the
validator.

There are two ways to test the exploit program without getting a real
rowhammer-induced bit flip:

* Unit testing: rowhammer_escape_test.c can be compiled and run as a
Linux executable (instead of as a NaCl executable). In this case,
it tests each possible bit flip in its code template, checking that
each is handled correctly.

* Testing inside NaCl: The patch "inject_bit_flip_for_testing.patch"
modifies NaCl's dyncode_create() syscall to inject a bit flip for
testing purposes. This syscall is NaCl's interface for loading
code dynamically.

Mark Seaborn
mseaborn@chromium.org
March 2015

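The unit-testing strategy the README describes (flip every bit of a code template in turn and check that each result is handled) is shown below as an added example in C. It is not code from the PoC or from NaCl. The template is a constructed 3-byte sequence, `and $-32, %eax` (83 e0 e0), which is the mask NaCl's x86-64 validator uses to keep indirect jump targets aligned to 32-byte bundles; the `classify()` predicate is a deliberately simplified stand-in for the real validator that only checks whether the mask still clears the low five address bits, so its verdicts for flips outside the immediate byte are conservative placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample template (not the PoC's own): "and $-32, %eax",
 * encoded 83 e0 e0.  NaCl x86-64 requires an indirect jump target to be
 * masked like this so control transfers only land on 32-byte bundle
 * boundaries. */
static const uint8_t TEMPLATE[] = { 0x83, 0xe0, 0xe0 };
#define TEMPLATE_LEN (sizeof TEMPLATE)
#define BUNDLE_MASK 0x1fu   /* 32-byte bundles: the low 5 bits must be cleared */

enum flip_class {
    FLIP_SAFE,          /* mask still clears the low 5 bits (at least as strict) */
    FLIP_UNSAFE_MASK,   /* mask now leaves a low bit set: misaligned targets possible */
    FLIP_OTHER_INSN,    /* opcode/ModRM changed: no longer "and eax, imm8" at all */
    FLIP_CLASS_COUNT
};

/* Simplified validator predicate (assumption: stands in for NaCl's real one).
 * Only the immediate byte is decoded; any change to the first two bytes is
 * reported as a different instruction rather than decoded further. */
enum flip_class classify(const uint8_t *code, size_t len)
{
    if (len != 3 || code[0] != 0x83 || code[1] != 0xe0)
        return FLIP_OTHER_INSN;
    /* "83 /4 ib" takes a sign-extended imm8, so 0xe0 means 0xffffffe0. */
    int32_t imm = (int8_t)code[2];
    uint32_t mask = (uint32_t)imm;
    return (mask & BUNDLE_MASK) == 0 ? FLIP_SAFE : FLIP_UNSAFE_MASK;
}

/* Exhaustively apply every single-bit flip to a copy of the template,
 * classify the mutated code, and tally the outcomes.  Returns the number of
 * flips examined (len * 8), or -1 if the template is too long. */
int enumerate_flips(const uint8_t *tmpl, size_t len, int counts[FLIP_CLASS_COUNT])
{
    uint8_t buf[64];
    if (len > sizeof buf)
        return -1;
    memset(counts, 0, FLIP_CLASS_COUNT * sizeof counts[0]);
    for (size_t byte = 0; byte < len; byte++) {
        for (int bit = 0; bit < 8; bit++) {
            memcpy(buf, tmpl, len);            /* fresh, unflipped copy */
            buf[byte] ^= (uint8_t)(1u << bit); /* the simulated rowhammer flip */
            counts[classify(buf, len)]++;
        }
    }
    return (int)(len * 8);
}

/* Convenience: does flipping `bit` of the immediate byte keep the mask safe? */
int imm_flip_is_safe(int bit)
{
    uint8_t buf[3];
    memcpy(buf, TEMPLATE, 3);
    buf[2] ^= (uint8_t)(1u << bit);
    return classify(buf, 3) == FLIP_SAFE;
}

int main(void)
{
    int counts[FLIP_CLASS_COUNT];
    int total = enumerate_flips(TEMPLATE, TEMPLATE_LEN, counts);
    printf("flips examined: %d\n", total);
    printf("  still safe        : %d\n", counts[FLIP_SAFE]);
    printf("  unsafe mask       : %d\n", counts[FLIP_UNSAFE_MASK]);
    printf("  other instruction : %d\n", counts[FLIP_OTHER_INSN]);
    for (int bit = 0; bit < 8; bit++)
        printf("  imm8 bit %d -> %s\n", bit,
               imm_flip_is_safe(bit) ? "safe" : "UNSAFE");
    return 0;
}
```

Of the 24 possible flips in this template, the five that set one of the low bits of the immediate (bits 0 through 4) are the ones that directly defeat bundle alignment; flips of bits 5 through 7 only make the mask stricter. Flips in the opcode or ModRM byte change the instruction outright, and a real harness would run those through the actual validator rather than the placeholder check here.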
