Hi Everyone,
I have been trying to exploit the Rowhammer bug on ARMv8 running Linux for a university project.
The device is a Quad core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz.
First I checked the UCI bit in the SCTLR register, and it is set. So the unprivileged instructions to flush the cache are enabled.
The pseudocode is:

    put addr1 into X9
    put addr2 into X10
    for i := 0 to N-1 do
        STR X0, [X9]
        STR X0, [X10]
        DC CIVAC, X9
        DC CIVAC, X10
I'm using two approaches to exploit the Rowhammer bug:
First approach is based on using unprivileged instructions to flush the cache (DC CIVAC, DC CVAC).
Using timing measurements I can get two SBDR (Same Bank Different Rows) addresses addr1 and addr2, and then I'm ready to run my Rowhammer loop:
    for (int i = 0; i < HAMMER_ROUND; i++) {
        asm volatile(
            "str %2, [%0]\n\t"     // store temp to addr1
            "str %2, [%1]\n\t"     // store temp to addr2
            "dc cvac, %0\n\t"      // clean addr1 line to point of coherency
            "dc cvac, %1\n\t"      // clean addr2 line to point of coherency
            //"dsb 0xb"
            :: "r" (addr1), "r" (addr2), "r" (temp)
        );
    }
The second approach is based on bypassing the cache using DC ZVA instruction.
In this case, I allocated a memory pool and set it to zero.
    asm volatile(
        "dc civac, %0\n\t"         // clean and invalidate addr1 line
        "dc civac, %1\n\t"         // clean and invalidate addr2 line
        :: "r" (addr1), "r" (addr2)
    );
    for (int j = 0; j < HAMMER_ROUND; ++j) {
        __asm__ __volatile__("dc zva, %0\n\t" : : "r" (addr1) : "memory");
        __asm__ __volatile__("dc zva, %0\n\t" : : "r" (addr2) : "memory");
    }
I have no bit flips.
My question is: am I using those instructions right?
Thank you.
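The post reports "no bit flips" but does not show how the memory is being checked afterwards. The following is an added, self-contained integrity check written for this thread (it is not code from the original post or its author): it compares a region against the fill pattern it was written with and records each flipped bit by byte offset, bit index and direction (1-to-0 versus 0-to-1), which is the information a memory-integrity test or a post-incident check of a suspect DIMM needs. It assumes nothing about the hardware; the buffer and the injected flips below are constructed in the code purely to exercise the scanner.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One detected flip: where it is and which way the bit moved. */
typedef struct {
    size_t offset;      /* byte offset into the scanned buffer */
    int    bit;         /* bit index 0..7 within that byte */
    int    one_to_zero; /* 1 if the expected bit was 1 and read back as 0 */
} flip_t;

/* Compare buf against the pattern it was filled with and record every bit
 * that differs.  Returns the total number of flipped bits, even when more
 * than max_out were found (only the first max_out are written to out). */
size_t scan_for_flips(const uint8_t *buf, size_t len, uint8_t pattern,
                      flip_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned diff = (unsigned)(buf[i] ^ pattern); /* set bits = flipped bits */
        while (diff) {
            int bit = __builtin_ctz(diff);            /* lowest flipped bit */
            if (out && found < max_out) {
                out[found].offset = i;
                out[found].bit = bit;
                out[found].one_to_zero = (pattern >> bit) & 1;
            }
            found++;
            diff &= diff - 1;                         /* clear that bit */
        }
    }
    return found;
}

/* Constructed demonstration: a 4 KiB buffer filled with 0x55, with two
 * flips injected by hand (there is no real DRAM fault here).  Returns the
 * number of flips the scanner reports, which should be 2. */
size_t demo_flip_count(void)
{
    static uint8_t region[4096];
    flip_t flips[8];

    memset(region, 0x55, sizeof region);
    region[1234] ^= 0x04;   /* bit 2 of 0x55 is 1: a 1-to-0 flip */
    region[3000] ^= 0x80;   /* bit 7 of 0x55 is 0: a 0-to-1 flip */

    size_t n = scan_for_flips(region, sizeof region, 0x55, flips, 8);
    for (size_t k = 0; k < n && k < 8; k++) {
        printf("flip at offset %zu bit %d (%s)\n", flips[k].offset, flips[k].bit,
               flips[k].one_to_zero ? "1->0" : "0->1");
    }
    return n;
}

int main(void)
{
    printf("%zu flip(s) detected\n", demo_flip_count());
    return 0;
}
```

Because DRAM disturbance errors are direction-dependent, a check like this is normally run twice, once over a region filled with 0xFF and once over one filled with 0x00, so that both 1-to-0 and 0-to-1 flips are observable; reading a cached copy of the line rather than DRAM would also hide a flip, so the region must be read back after the cache maintenance the post already performs.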