Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges

by Mark Seaborn, Halvar Flake "Rowhammer" is a problem with DRAM in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. While the industry has known about the problem for a while and has started mitigating the problem in newer hardware, it was rarely mentioned in public until the publication of Yoongu Kim et al's paper in the summer of 2014 which included hard data about the prevalence of the problem. In spite of the paper's speculations about the exploitability of the issue, most people still classified rowhammer as only a reliability issue - the probabilistic aspect of the problem seems to have made people think exploitability would be impractical. We have shown that rowhammer is practically exploitable in real-world scenarios - both in-browser through NaCl, and outside of the browser to escalate to kernel privileges. The probabilistic aspect can be effectively tamed so that the problem can be reliably exploited. Rowhammer, to our knowledge, represents the first public discussion of turning a widespread, real-world, physics-level hardware problem into a security issue. We will discuss the details of our two exploits cause and use bit flips, and how the rowhammer problem can be mitigated. We will explore whether it is possible to cause row hammering using normal cached memory accesses.