# Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript

Daniel Gruss, Clémentine Maurice, and Stefan Mangard, Graz University of Technology

July 8, 2016

# Overview

- Rowhammer: bit flip at a random location in DRAM
- exploitable  $\rightarrow$  gain root privileges

We are the first to

- evaluate performance of cache eviction
- perform Rowhammer attacks without clflush on many platforms
- perform fault attacks from a website using JavaScript

*"It's like breaking into an apartment by repeatedly slamming a neighbor's door until the vibrations open the door you were after" – Motherboard Vice* 



Figure: DRAM bank with its row buffer.
## Impact of the CPU cache

- only non-cached accesses reach DRAM
- original attacks use clflush instruction
  - $\rightarrow$ flush line from cache
  - $\rightarrow$ next access will be served from DRAM

Figure: DRAM bank.

Daniel Gruss, Graz University of Technology, July 8, 2016
## Flush, reload, flush, reload...

- the core of Rowhammer is essentially a Flush+Reload loop
- as much an attack on DRAM as on cache
- idea: avoid clflush to be independent of specific instructions $\rightarrow$ no clflush in JavaScript
- our approach: use regular memory accesses for eviction
  - $\rightarrow$ techniques from cache attacks!
  - $\rightarrow$ Rowhammer, Prime+Probe style!

## Requirements for Rowhammer

1. uncached memory accesses: need to reach DRAM
2. fast memory accesses: race against the next row refresh

$\rightarrow$ optimize the eviction rate and the timing

1. how to get accurate timing in JS? $\rightarrow$ easy
2. how to get physical addresses in JS? $\rightarrow$ easy
3. which physical addresses to access? $\rightarrow$ already solved
4. in which order to access them? $\rightarrow$ our contribution

## Challenge #1: accurate timing in JavaScript?

- native code: rdtsc
- JavaScript: window.performance.now()
- recent patch: time rounded to 5 microseconds
- still works: we measure millions of accesses

## Challenge #2: physical addresses and JavaScript

- OS optimization: use 2MB pages
- last 21 bits (2MB) of physical address
- = last 21 bits (2MB) of virtual address
- = last 21 bits (2MB) of JS array indices (Gruss et al. 2015)
- several DRAM rows per 2MB page
- several congruent addresses per 2MB page

## Challenge #3: physical addresses and DRAM

- fixed map: physical addresses $\rightarrow$ DRAM cells
- undocumented for Intel CPUs
- reverse-engineered for Sandy Bridge (Seaborn 2015)
- and by us for Sandy, Ivy, Haswell, Skylake, ... (Pessl et al. 2016, to appear)

## Challenge #3: physical addresses and cache sets

- fixed map: physical addresses $\rightarrow$ cache sets
- undocumented for Intel CPUs but reverse-engineered (Maurice et al. 2015)



## "LRU eviction" memory accesses on older CPUs

- LRU replacement policy: oldest entry first
- timestamps for every cache line
- access updates timestamp

## "LRU eviction" memory accesses

- no LRU replacement on recent CPUs
- only 75% success rate on Haswell
- more accesses $\rightarrow$ higher success rate, but too slow

## Cache eviction strategies: The beginning

$\rightarrow$ fast and effective on Haswell: eviction rate ${>}99.97\%$

## Cache eviction strategy: New representation

- represent accesses as a sequence of numbers: 1, 2, 1, 2, 2, 3, 2, 3, 3, 4, 3, 4, ...
- can be a long sequence
- all congruent addresses are indistinguishable w.r.t. eviction strategy
- $\rightarrow$ adding more unique addresses can increase eviction rate
- $\rightarrow$ multiple accesses to one address can increase the eviction rate
  - indistinguishable $\rightarrow$ balanced number of accesses

Write eviction strategies as: P-C-D-L-S

- S: total number of different addresses (= set size)
- D: number of different addresses accessed in one round
- C: number of times each round is repeated (accesses per address)
- L: step size by which the window of D addresses advances

$$P\text{-}2\text{-}2\text{-}1\text{-}4 \rightarrow (1, 2), (1, 2), (2, 3), (2, 3), (3, 4), (3, 4) \qquad S = 4$$

$$L = 1 \qquad D = 2 \qquad C = 2$$

- P-1-1-1-4 $\rightarrow$ 1, 2, 3, 4 $\rightarrow$ LRU eviction with set size 4
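To make the P-C-D-L-S notation concrete, here is an added Python model (not code from the paper or the slides) that expands a strategy into its access sequence, reproduces the access counts of the tables, and replays one pass against a simulated true-LRU cache set; it also covers the "LRU eviction" slides above. The meaning of C, D and L follows the Rowhammer.js paper; the `LRUSet` class, the `victim` label and all function names are my own assumptions, and nothing here touches real memory.

```python
"""Model of the P-C-D-L-S eviction-strategy notation used in the Rowhammer.js slides.

Added educational example, not code from the paper: it never touches real memory,
it only expands the notation and replays the access sequence against a simulated
LRU cache set. Parameter meaning follows the paper (C, D, L, S as documented below).
"""
from collections import OrderedDict


def expand_strategy(c, d, l, s):
    """Return the access sequence (1-based address indices) of strategy P-C-D-L-S.

    S: total number of different (congruent) addresses, the set size
    D: number of different addresses accessed in one round
    C: number of times each round is repeated (= accesses per address per round)
    L: step size by which the window of D addresses advances between rounds
    """
    if not (1 <= d <= s and c >= 1 and l >= 1):
        raise ValueError("need 1 <= D <= S, C >= 1, L >= 1")
    seq = []
    for start in range(0, s - d + 1, l):   # window [start, start + D)
        for _ in range(c):                 # repeat the window C times
            for off in range(d):           # D different addresses per round
                seq.append(start + off + 1)
    return seq


def access_count(c, d, l, s):
    """Number of memory accesses one pass of P-C-D-L-S performs (the '# accesses' column)."""
    return len(expand_strategy(c, d, l, s))


class LRUSet:
    """One cache set with `ways` lines under a true LRU replacement policy.

    Assumption: an idealized model, not the undocumented policy of a real Haswell LLC.
    """

    def __init__(self, ways):
        self.ways = ways
        self.lines = OrderedDict()  # last-use order: oldest entry first

    def access(self, key):
        """Touch `key`; return True on a cache hit, False on a miss."""
        if key in self.lines:
            self.lines.move_to_end(key)     # access updates the timestamp
            return True
        if len(self.lines) >= self.ways:
            self.lines.popitem(last=False)  # evict the oldest entry first
        self.lines[key] = None
        return False

    def contains(self, key):
        return key in self.lines


def lru_pass(c, d, l, s, ways, victim="victim"):
    """Replay one pass of P-C-D-L-S on an LRU set that currently holds `victim`.

    Returns (hits, misses, victim_evicted). `victim` is a constructed label for the
    cache line the strategy is supposed to evict.
    """
    cache = LRUSet(ways)
    cache.access(victim)
    hits = misses = 0
    for addr in expand_strategy(c, d, l, s):
        if cache.access(addr):
            hits += 1
        else:
            misses += 1
    return hits, misses, not cache.contains(victim)


if __name__ == "__main__":
    print("P-2-2-1-4 ->", expand_strategy(2, 2, 1, 4))   # 1,2,1,2,2,3,2,3,3,4,3,4
    print("P-1-1-1-4 ->", expand_strategy(1, 1, 1, 4))   # 1,2,3,4
    for strat in [(1, 1, 1, 17), (2, 1, 1, 17), (2, 2, 1, 17), (5, 2, 2, 18)]:
        print("P-%d-%d-%d-%d: %d accesses, LRU pass (hits, misses, evicted) = %s"
              % (strat + (access_count(*strat), lru_pass(*strat, ways=16))))
```

Under pure LRU any pass that touches at least `ways` distinct congruent lines after the victim evicts it regardless of C and D, so the 74.46% measured for P-1-1-1-17 on the 16-way Haswell cache is itself evidence that the real replacement policy is not LRU.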

| strategy     | # accesses | eviction rate | loop time |
|--------------|------------|---------------|-----------|
| *P*-1-1-1-17 | 17         | 74.46% ✗      | 307 ns ✓  |
| *P*-1-1-1-20 | 20         | 99.82% ✓      | 934 ns ✗  |
| *P*-2-1-1-17 | 34         | 99.86% ✓      | 191 ns ✓  |
| *P*-2-2-1-17 | 64         | 99.98% ✓      | 180 ns ✓  |

Executed in a loop, on a Haswell with a 16-way last-level cache.

We evaluated more than 10000 strategies...

$\rightarrow$ more accesses, smaller execution time?

## Cache eviction strategies: Illustration

Figure: hit/miss timeline (time in ns) of P-1-1-1-17 (17 accesses, 307 ns) versus P-2-1-1-17 (34 accesses, 191 ns). Both start with the two intended misses; P-1-1-1-17 then produces a long run of further misses interrupted by only a few hits, whereas P-2-1-1-17 produces runs of hits with only a few misses in between.

## Execution time vs. bit flips

Figure: number of bit flips versus execution time of the eviction strategy.

$\rightarrow$ low execution time is better.

## Eviction rate vs. bit flips

Figure: number of bit flips versus eviction rate of the eviction strategy.

$\rightarrow$ high eviction rate is better. Average: 73.96%.

#### Eviction strategies on Haswell

Table: The fastest 5 eviction strategies with an eviction rate above 99.75% compared to clflush and LRU eviction on Haswell.

| С | D | L | S  | Accesses | Hits | Misses | Time (ns) | Eviction |
|---|---|---|----|----------|------|--------|-----------|----------|
| - | - | - | -  | -        | 2    | 2      | 60        | 99.9999% |
| 5 | 2 | 2 | 18 | 90       | 34   | 4      | 179       | 99.9624% |
| 2 | 2 | 1 | 17 | 64       | 35   | 5      | 180       | 99.9820% |
| 2 | 1 | 1 | 17 | 34       | 47   | 5      | 191       | 99.8595% |
| 6 | 2 | 2 | 18 | 108      | 34   | 5      | 216       | 99.9365% |
| 1 | 1 | 1 | 17 | 17       | 96   | 13     | 307       | 74.4593% |
| 4 | 2 | 2 | 20 | 80       | 41   | 23     | 329       | 99.7800% |
| 1 | 1 | 1 | 20 | 20       | 187  | 78     | 934       | 99.8200% |

#### Evaluation on Haswell



Figure: Number of bit flips within 15 minutes.

- OS groups pages / page tables into 2 MB frames
- $\rightarrow$ page tables never in a DRAM row between two code/data pages
  - unless system is almost out of memory
  - hard to get there without crashing the browser
- $\rightarrow$ new hammering technique: amplified single-sided hammering











Figure: DRAM bank.
- trigger bit flips in page tables in adjacent 2 MB regions
- no near-out-of-memory situation
- try until memory mappings changed
  - = bit flip in your own page tables
- try until your own page tables are mapped
  - = full access to all physical memory

## Reliable exploits based on Rowhammer.js?

- "Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector" by Bosman et al. 2016 at IEEE S&P'16
- clever attack exploiting memory deduplication and Rowhammer
- reliable exploit on Microsoft Edge

#### Conclusions

- cache eviction fast enough to replace clflush
- independent of programming language and available instructions
- first remote fault attack, from a browser


# Bibliography

Bosman, Erik et al. (2016). "Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector". In: S&P'16.
Gruss, Daniel et al. (2015). "Practical Memory Deduplication Attacks in Sandboxed Javascript". In: ESORICS'15.
Maurice, Clémentine et al. (2015). "Reverse Engineering Intel Complex Addressing Using Performance Counters". In: RAID.
Pessl, Peter et al. (2016, to appear). "DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks". In: USENIX Security Symposium.

Seaborn, Mark (2015). How physical addresses map to rows and banks in DRAM. http://lackingrhoticity.blogspot.com/2015/05/how-physicaladdresses-map-to-rows-and-banks.html. Retrieved on July 20, 2015.