Drammer: Deterministic Rowhammer Attacks on Mobile Platforms Victor van der Veen Yanick Fratantonio Martina Lindorfer Vrije Universiteit Amsterdam UC Santa Barbara UC Santa Barbara
[email protected] [email protected] [email protected] Daniel Gruss Clémentine Maurice Giovanni Vigna Graz University of Technology Graz University of Technology UC Santa Barbara
[email protected] [email protected] [email protected] Herbert Bos Kaveh Razavi Cristiano Giuffrida Vrije Universiteit Amsterdam Vrije Universiteit Amsterdam Vrije Universiteit Amsterdam
[email protected] [email protected] [email protected] ABSTRACT 1. INTRODUCTION Recent work shows that the Rowhammer hardware bug can The Rowhammer hardware bug allows an attacker to mod- be used to craft powerful attacks and completely subvert a ify memory without accessing it, simply by repeatedly ac- system. However, existing efforts either describe probabilis- cessing, i.e., \hammering", a given physical memory loca- tic (and thus unreliable) attacks or rely on special (and often tion until a bit in an adjacent location flips. Rowhammer unavailable) memory management features to place victim has been used to craft powerful attacks that bypass all cur- objects in vulnerable physical memory locations. Moreover, rent defenses and completely subvert a system [16,32,35,47]. prior work only targets x86 and researchers have openly won- Until now, the proposed exploitation techniques are either dered whether Rowhammer attacks on other architectures, probabilistic [16,35] or rely on special memory management such as ARM, are even possible. features such as memory deduplication [32], MMU paravir- We show that deterministic Rowhammer attacks are feasi- tualization [47], or the pagemap interface [35].