Rowhammer bug on ARMv8

Hi Everyone,

I have been trying to exploit the Rowhammer bug on ARMv8 running Linux for a university project.

The device is a Quad core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz.

First I checked the UCI bit value in the SCTLR register, and it is set. So the unprivileged instructions to flush the cache are enabled.

The pseudocode is:

put addr1 into X9
put addr2 into X10
for i := 0 to N-1 do
    STR X0, [X9]
    STR X0, [X10]
    DC CIVAC, X9
    DC CIVAC, X10

I'm using two approaches to exploit the Rh bug:

First approach is based on using unprivileged instructions to flush the cache (DC CIVAC, DC CVAC).

Using timing measurements I can get two SBDR (Same Bank Different Rows) addresses, addr1 and addr2, and then I'm ready to run my rh loop:

for (int i = 0; i < HAMMER_ROUND; i++) {
    asm volatile(
        "str %2, [%0]\n\t"   /* store temp to the first row */
        "str %2, [%1]\n\t"   /* store temp to the second row */
        "dc cvac, %0\n\t"    /* clean the line holding addr1 to the point of coherency */
        "dc cvac, %1\n\t"    /* clean the line holding addr2 to the point of coherency */
        //"dsb 0xb"
        :
        : "r" (addr1), "r" (addr2), "r" (temp)
        : "memory");         /* tell the compiler memory is touched */
}

The second approach is based on bypassing the cache using the DC ZVA instruction.

In this case, I allocated a memory pool and set it to 0.

/* evict both lines first (clean and invalidate to the point of coherency) */
asm volatile(
    "dc civac, %0\n\t"
    "dc civac, %1\n\t"
    :
    : "r" (addr1), "r" (addr2)
    : "memory");
for (int j = 0; j < HAMMER_ROUND; ++j) {
    /* zero the DC ZVA block containing addr1, then the one containing addr2 */
    __asm__ __volatile__("dc zva, %0\n\t" : : "r" (addr1) : "memory");
    __asm__ __volatile__("dc zva, %0\n\t" : : "r" (addr2) : "memory");
}

I have no bit flips.

My question is: am I using those instructions right?

Thank you.
