Graduate School and Research Center in Digital Sciences

GuardION: Practical mitigation of DMA-based rowhammer attacks on ARM

van der Veen, Victor; Lindorfer, Martina; Fratantonio, Yanick; Padmanabha Pillai, Harikrishnan; Vigna, Giovanni; Kruegel, Christopher; Bos, Herbert; Razavi, Kaveh

DIMVA 2018, International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 28-29 June 2018, Paris, France / Also published in Lecture Notes in Computer Science, Vol.10885, Springer

Pwnie Award Nomination for Best Privilege Escalation Bug 2018

Over the last two years, the Rowhammer bug transformed from a hard-to-exploit DRAM disturbance error into a fully weaponized attack vector. Researchers demonstrated exploits not only against desktop computers, but also used single bit flips to compromise the cloud and mobile devices, all without relying on any software vulnerability. Since hardware-level mitigations cannot be backported, a search for software defenses is pressing. Proposals made by both academia and industry, however, are either impractical to deploy, or insufficient in stopping all attacks: we present RAMpage, a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of (1) a root exploit, and (2) a series of app-to-app exploit scenarios that bypass all defenses. To mitigate Rowhammer exploitation on ARM, we propose GuardION, a lightweight defense that prevents DMA-based attacks--the main attack vector on mobile devices--by isolating DMA buffers with guard rows. We evaluate GuardION on 22 benchmark apps and show that it has a negligible memory overhead (2.2 MB on average). We further show that we can improve system performance by re-enabling higher order allocations after Google disabled these as a reaction to previous attacks.


Title: GuardION: Practical mitigation of DMA-based rowhammer attacks on ARM
Type: Conference
Language: English
City: Paris
Country: FRANCE
Date:
Department: Digital Security
Eurecom ref: 5595
Copyright: © Springer. Personal use of this material is permitted. The definitive version of this paper was published in DIMVA 2018, International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 28-29 June 2018, Paris, France / Also published in Lecture Notes in Computer Science, Vol.10885, Springer and is available at: http://doi.org/10.1007/978-3-319-93411-2_5
Bibtex: @inproceedings{EURECOM+5595, doi = {http://doi.org/10.1007/978-3-319-93411-2_5}, year = {2018}, title = {{G}uard{ION}: {P}ractical mitigation of {DMA}-based rowhammer attacks on {ARM}}, author = {van der {V}een, {V}ictor and {L}indorfer, {M}artina and {F}ratantonio, {Y}anick and {P}admanabha {P}illai, {H}arikrishnan and {V}igna, {G}iovanni and {K}ruegel, {C}hristopher and {B}os, {H}erbert and {R}azavi, {K}aveh}, booktitle = {{DIMVA} 2018, {I}nternational {C}onference on {D}etection of {I}ntrusions and {M}alware, and {V}ulnerability {A}ssessment, 28-29 {J}une 2018, {P}aris, {F}rance / {A}lso published in {L}ecture {N}otes in {C}omputer {S}cience, {V}ol.10885, {S}pringer }, address = {{P}aris, {FRANCE}}, month = {06}, url = {http://www.eurecom.fr/publication/5595} }