IAIK/rowhammerjs IAIK/rowhammerjs

  • Stars
    star
    500
  • Rank 88,178 (Top 2 %)
  • Language
    C++
  • Created over 9 years ago
  • Updated almost 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
IAIK/rowhammerjs
github

IAIK

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Rowhammer.js - A Remote Software-Induced Fault Attack in JavaScript

Program for testing for the DRAM "rowhammer" problem using eviction

See https://github.com/google/rowhammer-test - this is an adaption of the ''double_sided_rowhammer'' program from their repository.

Also see our paper ''Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript'': https://scholar.google.at/citations?view_op=view_citation&hl=de&user=JmCg4uQAAAAJ&citation_for_view=JmCg4uQAAAAJ:tOudhMTPpwUC

How to run the native eviction-based rowhammer test

cd native
make
./double_sided_rowhammer_ivy -d 1 # -d number of dimms
# or
./double_sided_rowhammer_haswell -d 1 # -d number of dimms

The test should work on x86-64 Linux.

If you have found a reproducible bitflip, look for the ''Print this for the watch_firefox tool'' comment.

Find the array indices for specific physical addresses

Edit tools/watch_firefox.cc to contain the addresses from your native eviction-based rowhammer test.

Start firefox with rowhammer.html

cd tools
make
./watch_firefox

The program outputs physical address mappings and the time since the last allocation. Based on this and the virtual address printed you can determine where the array starts.

Allocate memory in a large array in JavaScript. If using ''rowhammer.html'': Click the ''Allocate'' button.

If you have much noise before you press the button, just restart ''watch_firefox'' and try again.

As soon as it has found the indices it asks you to enter the virtual address of the array start. This is not yet automated.

The program prints the array indices to use in JavaScript. In case of ''rowhammer.html'' just copy them into the editbox and click ''Parse''. Then you can start Hammering.

rowhammer.html / rowhammer.js

In the ''javascript'' folder you find the Rowhammer.js version for Haswell CPUs with a 16-way L3 cache and no L4 cache ''rowhammer.html''. It will probably not work on other CPUs without modifications.

Open ''rowhammer.html'' in a browser, paste the hammering array indices in the editbox (you can use the ''watch_firefox'' program for this).

You can modify ''rowhammer.js'' while the page is still loaded and click the ''Refresh'' button to only reload the ''rowhammer.js'' file. This way you keep the array and the array indices and you can experiment with different settings while not having to search for the array indices anew.

Javascript-only Variant

Also, in the ''javascript'' folder you will find the ''rowhammer_scan.html''. It is the pure JavaScript proof-of-concept for Haswell CPUs with a 16-way L3 cache and no L4 cache, memory in single-channel mode (this is the case if you have only one DIMM). Furthermore, it assumes that JavaScript memory is physically contiguous in blocks of 2 megabytes - this is the case if your OS allocates 2M anonymous pages (all our Linux systems do) or if it allocates physically contiguous 4K pages. It will probably not work on other systems without modifications.

Open ''rowhammer_scan.html'' in a browser. Click the ''Allocate'' button. Wait a second to let Firefox allocate memory and click ''Hammer'' to start the hammering.

For reference we have added a screenshot: Screenshot of rowhammer_scan.html

You can modify ''rowhammer_scan.js'' while the page is still loaded and click the ''Refresh'' button to only reload the ''rowhammer.js'' file. This way you keep the array and the array indices and you can experiment with different settings while not having to allocate the array anew.

This version is not adaptive to all CPUs. As we said in the paper, the eviction strategy finding algorithm is very slow. We still try different optimizations and we will evaluate it's performance. However, there is not much use in doing this search in JavaScript as it takes hours and there is not much benefit once you know the strategy. A more realistic adaptive approach would be to try different strategies that are already known to work on some CPUs. This way you can find the right strategy adaptively without having to execute the generic eviction strategy finding algorithm. However, if you like to try, you will find the ''cached'' function already implemented in the ''rowhammer_scan.js''.

Warnings

Same warnings as in the original https://github.com/google/rowhammer-test repository:

Warning #1: We are providing this code as-is. You are responsible for protecting yourself, your property and data, and others from any risks caused by this code. This code may cause unexpected and undesirable behavior to occur on your machine. This code may not detect the vulnerability on your machine.

Be careful not to run this test on machines that contain important data. On machines that are susceptible to the rowhammer problem, this test could cause bit flips that crash the machine, or worse, cause bit flips in data that gets written back to disc.

Warning #2: If you find that a computer is susceptible to the rowhammer problem, you may want to avoid using it as a multi-user system. Bit flips caused by row hammering breach the CPU's memory protection. On a machine that is susceptible to the rowhammer problem, one process can corrupt pages used by other processes or by the kernel.

Additionally, if your computer is susceptible to the rowhammer bug, disable JavaScript in your browser! Attackers could exploit this bug through JavaScript and take control over your machine.

More Repositories

1

meltdown

This repository contains several applications, demonstrating the Meltdown bug.
C
4,111
star
2

ZombieLoad

Proof-of-concept for the ZombieLoad attack
C
812
star
3

armageddon

This repository contains tools to perform modern cache attacks on ARM.
C
281
star
4

CJAG

CJAG is an open-source implementation of our cache-based jamming agreement.
C
281
star
5

KAISER

Kernel Address Isolation to have Side-channels Efficiently Removed
214
star
6

sgxrop

The code to the SGX-ROP paper
C
183
star
7

drama

This repository contains examples of DRAMA reverse-engineering and side-channel attacks
C++
170
star
8

transientfail

Website and PoC collection for transient execution attacks
C
168
star
9

flush_flush

This repository contains examples of Flush+Flush cache attacks
C
153
star
10

ChromeZero

Google Chrome extension implementing JavaScript Zero
JavaScript
149
star
11

cache_template_attacks

This repository contains several tools to perform Cache Template Attacks
C
141
star
12

merkle-tree

A C implementation of a dynamically resizeable binary SHA-256 hash tree (Merkle Tree).
C
128
star
13

sweb

SWEB Educational OS
C++
115
star
14

AEPIC

C
113
star
15

ios-analysis

Automated Binary Analysis on iOS
Shell
107
star
16

Picnic

Optimized implementation of the Picnic signature scheme
C
78
star
17

prefetch

This repository contains several tools to perform Prefetch Side-Channel Attacks
C
57
star
18

SLUBStick

C
56
star
19

jstemplate

JavaScript Template Attack proof-of-concept implementation
HTML
52
star
20

hybrid-HE-framework

C
39
star
21

msrevelio

C++
35
star
22

flipfloyd

Tools for "Another Flip in the Wall"
C
34
star
23

secure-block-device

The Secure Block Device Library is a software library that applies cryptographic confidentiality and integrity protection, including data freshness, to arbitrary block device like storage mechanisms.
C
34
star
24

SnailLoad

C
32
star
25

interruptjs

Practical Keystroke Timing Attacks in Sandboxed JavaScript
HTML
31
star
26

pairings_in_c

C library for bilinear pairings
C
26
star
27

memsec

Framework for building transparent memory encryption and authentication solutions
VHDL
25
star
28

CollidePower

C
22
star
29

keydrown

Eliminating Keystroke Timing Attacks
C
21
star
30

gzkbpp

Implementation of the ZKB++ proof system
C++
20
star
31

Chestnut

C
20
star
32

coco-alma

CocoAlma is an execution-aware tool for formal verification of masked implementations
Python
20
star
33

ascon_hardware

Hardware implementations of the authenticated encryption design ASCON
VHDL
19
star
34

flecc_in_c

FLECC_IN_C is a FLexible Elliptic Curve Cryptography library written IN C
Scilab
18
star
35

ProcHarvester

ProcHarvester - Fully Automated Analysis of Procfs Side-Channel Leaks on Android
Java
17
star
36

drawio2tikz

drawio2tikz - a tool to translate drawio xml files to readable and adaptable tikz code
Python
16
star
37

Donky

C
14
star
38

fish-begol

Implementation of the Fish and Begol signature schemes
C
13
star
39

halfdouble

C++
12
star
40

marvellous-attacks

Attacks on Jarvis and Friday
Python
10
star
41

Jenny

C
10
star
42

SCAnDroid

Java
9
star
43

Memory-Compression-Attacks

Memory Compression Attacks
C
9
star
44

data-gui

DATA GUI
Python
9
star
45

sgxjail

Makefile
8
star
46

ios-analysis-llvmslicer

C++
7
star
47

LayeredBinaryTemplating

Layered Binary Templating
Python
7
star
48

CoronaHeatMap

C++
7
star
49

CryptoSlice

Static Analysis of Cryptography in Android Applications
Java
7
star
50

wolfSSL-DoS

Proof of concept for denial of service attack on wolfSSL's DTLS server implementation.
C
7
star
51

FLARE

C
6
star
52

coco-ibex

SystemVerilog
5
star
53

CryptoTL

C++
5
star
54

CacheSim

C++
5
star
55

CSIRowhammer

CSI:Rowhammer - Cryptographic Security and Integrity against Rowhammer
C
5
star
56

CrySIL

JavaScript
4
star
57

LVI-NULLify

C
4
star
58

contextlight

The PoC for ConTExT-light
C
4
star
59

rebecca

REBECCA is a tool for the formal verification of masked cryptographic hardware implementations that, given the netlist of a masked hardware circuit, determines if a correct separation between shares is preserved throughout the circuit.
Verilog
4
star
60

libdropit

Proof-of-concept implementation of DropIt
C
3
star
61

daps-dl

Short DAPS from ECDSA in OpenSSL
C
3
star
62

TBIBS

Time-bound identity-based signatures (TBIBΣ) for Short-Lived Forward-Secure Delegation in TLS
Java
3
star
63

romulush_collisions

TeX
3
star
64

Picnic-FPGA

FPGA implementation of Picnic and LowMC
VHDL
3
star
65

spearv

C
3
star
66

rainier-signatures

C++
2
star
67

bnpp_helium_signatures

C++
2
star
68

minefield

C++
2
star
69

trusted-location-based-services

Prototype 1, Prototype 2 and base components for Trusted Location Based Services on Android devices.
Java
2
star
70

Remote-Memory-Deduplication-Attacks

Remote Page Deduplication Attacks
Python
2
star
71

ios-analysis-dagger

C++
2
star
72

servas

1
star
73

sgxjail-sdk

Implementation of SGXJail in the Linux SGX SDK
C++
1
star
74

banquet-signature-variants

C++
1
star
75

mimc-analysis

mimc-analysis
C++
1
star
76

MPC-Accumulator

Java
1
star
77

DefectsInDepth

Python
1
star