On Fri, Dec 26, 2014 at 03:06:31AM +0600, Артур Истомин wrote:
> https://www.ece.cmu.edu/~safari/pubs/kim-isca14.pdf
> 
> Abstract.
> 
> Memory isolation is a key property of a reliable and secure computing 
> system - an access to one memory address should not have unintended side 
> effects on data stored in other addresses. However, as DRAM process 
> technology scales down to smaller dimensions, it becomes more difficult to 
> prevent DRAM cells from electrically interacting with each other. In this 
> paper, we expose the vulnerability of commodity DRAM chips to disturbance 
> errors. By reading from the same address in DRAM, we show that it is possible 
> to corrupt data in nearby addresses. More specifically, activating the same 
> row in DRAM corrupts data in nearby rows. We demonstrate this phenomenon on 
> Intel and AMD systems using a malicious program that generates many DRAM 
> accesses. We induce errors in most DRAM modules (110 out of 129) from three 
> major DRAM manufacturers. From this we conclude that many deployed systems 
> are likely to be at risk. We identify the root cause of disturbance errors as 
> the repeated toggling of a DRAM row's wordline, which stresses inter-cell 
> coupling effects that 
> accelerate charge leakage from nearby rows. We provide an extensive 
> characterization study of disturbance errors and their behavior using an 
> FPGA-based testing platform. Among our key findings, we show that (i) it 
> takes as few as 139K accesses to induce an error and (ii) up to one in every 
> 1.7K cells is susceptible to errors. After examining various potential ways 
> of addressing the problem, we propose a low-overhead solution to prevent the 
> errors.
> 
> Example: 
> http://blog.sudhanshumishra.in/2014/12/memory-error-due-to-charge-leak.html
> Tester (built on top of memtest): https://github.com/CMU-SAFARI/rowhammer
> LKML discussion: https://lkml.org/lkml/2014/12/24/258
> 
> 

And now a practical realisation: 
http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

Excerpt:

“Rowhammer” is a problem with some recent DRAM devices in which repeatedly 
accessing a row of memory can cause bit flips in adjacent rows. We tested a 
selection of laptops and found that a subset of them exhibited the problem. We 
built two working privilege escalation exploits that use this effect. One 
exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 
Linux when run as an unprivileged userland process. When run on a machine 
vulnerable to the rowhammer problem, the process was able to induce bit flips 
in page table entries (PTEs). It was able to use this to gain write access to 
its own page table, and hence gain read-write access to all of physical memory.
