Native binary for testing Android phones for the Rowhammer bug

Drammer

This software is the open-source component of our paper "Drammer: Deterministic Rowhammer Attacks on Mobile Devices", published in ACM Computer and Communications Security (CCS) 2016. It allows you to test whether an Android device is vulnerable to the Rowhammer bug. It does not allow you to root your device.

This code base contains our native, C/C++-based mobile Rowhammer test implementation.

Disclaimer

If, for some weird reason, you think running this code broke your device, you get to keep both pieces.

Android GUI app

If you don't want to build the test yourself, we also provide an Android app as a GUI for the native component that may or may not be currently available on the Google Play Store depending on the store's policy.

The app supports relaxed and aggressive hammering, which corresponds to the number of seconds to run 'defrag' (-d command line option described below): you can choose a timeout between 0 (no defrag) and 60 seconds, although higher timeouts likely cause the app to become unresponsive.

The app optionally collects basic statistics on the type of device and test results so that we can gain insights into the number and type of vulnerable devices in the wild, so please consider sharing them for science.

Native installation

To build the native binary, you need an Android NDK toolchain. I used android-ndk-r11c:

wget https://dl.google.com/android/repository/android-ndk-r11c-linux-x86_64.zip
unzip android-ndk-r11c-linux-x86_64.zip
cd android-ndk-r11c
./build/tools/make-standalone-toolchain.sh --ndk-dir=`pwd` \
  --arch=arm --platform=android-24 \
  --install-dir=./sysroot-arm/ \
  --verbose

You can then build the program by setting the STANDALONE_TOOLCHAIN variable to point to the toolchain:

STANDALONE_TOOLCHAIN=path/to/android-ndk-r11c/sysroot-arm/bin make

This gives you a stripped ARMv7 binary that you can run on both ARMv7 (32-bit) and ARMv8 (64-bit) devices. The Makefile provides an install target that uses the Android Debug Bridge (adb) to push the binary to your device's /data/local/tmp/ directory. You can install adb with sudo apt-get install android-tools-adb (on Ubuntu) or by installing the Android SDK via android.com. Then run:

make install
make test

to install and start the Rowhammer test binary. Once installed, you may also invoke it from the shell directly:

adb shell
cd /data/local/tmp
./rh-test

Command line options

The native binary provides a number of command line options:

  • -a
    Do templating with all patterns. Without this option, only the patterns 010 and 101 are used, meaning that we hammer each row twice: once with its aggressor rows containing all zeros while the victim row holds only ones, and once with the aggressor rows holding ones while the victim consists of zeros only. Enabling this option hammers each row with the following configurations: 000, 001, 010, 011, 100, 101, 110, 111, 00r, 0r0, 0rr, r00, r0r, rr0, rrr (where r is random and changed every 100 iterations).
  • -c
    Number of memory accesses per hammer round, defaults to 1000000. It is said that 2500000 yields the most flips.

  • -d
    Number of seconds to run 'defrag' (disabled by default). This tricks the system into freeing more ION memory that can be used for templating. Since Android tries to keep as many background processes in memory as possible, the amount of memory available for ION allocations may be very small (all of the memory is either in use, or cached in the operating system). By allocating many ION chunks, this option forces Android's low memory killer to kill background processes, giving us more (contiguous) memory to hammer in the templating phase.
    Use this option with caution: setting it too high likely hangs your device and triggers a reboot. My advice is to first try without -d (or with -d0) and see how much memory you get; if that is not enough, hit CTRL^C and restart with -d3. If this still does not give you enough memory, I usually repeat the sequence of breaking with CTRL^C and restarting with -d3 rather than using a higher timeout value. To answer the question of "how much is enough": on a Nexus 5, which comes with 2GB of memory, you should be able to get 400 to 600 MB of ION memory.

  • -f
    Write results not only to stdout but also to this file.

  • -h
    Dump the help screen.

  • -i
    Run an ION heap-type detector function.

  • -q
    Pin the program to this CPU. Some big.LITTLE architectures require you to pin the program to a big core, to make sure memory accesses are as fast as possible.

  • -r
    The rowsize in bytes. If this value is not provided, the program tries to find it using a timing side-channel (described in the paper) which may not always work. The most common value seems to be 65536 (64KB).

  • -s
    Hammer more conservatively. By default, we hammer each page, but this option moves fewer bytes (currently set to 64 bytes).

  • -t
    Stop hammering after this many seconds. The default behavior is to hammer all memory that we were able to allocate.
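As an added example (not code from the Drammer sources), the bookkeeping a templating pass needs around the -a patterns: one fill byte per pattern character, and a scan of the victim row for bits that no longer match that byte, recording offset, bit index and flip direction. No hammering is performed here; the flip is constructed by hand, and the 64 KB rowsize is the value the -r description names as most common.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One pattern character ("010", "r0r", ...) -> fill byte: '0' -> 0x00, '1' -> 0xff, 'r' -> random. */
static uint8_t pattern_fill_byte(char c) {
    if (c == '0') return 0x00;
    if (c == '1') return 0xff;
    return (uint8_t)(rand() & 0xff);   /* 'r': re-drawn between rounds */
}

/* One observed bit flip: byte offset in the victim row, bit 0..7, and 1 if it went 1->0. */
struct flip { size_t byte_off; int bit; int one_to_zero; };

/* Scan a victim row after a hammer round and record every bit that no longer matches
 * its fill byte.  Returns the total flip count; the first 'max' flips go to 'out'. */
static size_t find_flips(const uint8_t *victim, size_t rowsize, uint8_t expected,
                         struct flip *out, size_t max) {
    size_t n = 0;
    for (size_t off = 0; off < rowsize; off++) {
        uint8_t diff = victim[off] ^ expected;
        for (int bit = 0; diff && bit < 8; bit++) {
            if (!(diff & (1u << bit))) continue;
            if (n < max) {
                out[n].byte_off = off;
                out[n].bit = bit;
                out[n].one_to_zero = (expected >> bit) & 1;
            }
            n++;
        }
    }
    return n;
}

/* Self-check with a constructed flip: a 64 KB victim row filled with the victim byte of
 * pattern "010" (all ones), one bit cleared as a 1->0 flip would.  Returns 1 if found. */
static int demo_injected_flip(void) {
    enum { ROWSIZE = 65536 };
    uint8_t expected = pattern_fill_byte("010"[1]);
    uint8_t *victim = malloc(ROWSIZE);
    if (!victim) return 0;
    memset(victim, expected, ROWSIZE);
    victim[4096] &= (uint8_t)~0x08;   /* constructed flip: bit 3 of byte 4096 */
    struct flip f[4];
    size_t n = find_flips(victim, ROWSIZE, expected, f, 4);
    int ok = n == 1 && f[0].byte_off == 4096 && f[0].bit == 3 && f[0].one_to_zero;
    free(victim);
    return ok;
}
```

On a real run the victim row would be the middle row of an ION chunk after its two aggressor rows have been accessed -c times; the comparison step is the same.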

Description of source files

The native code base is written in C and abuses some C++ functionality. There are some comments in the source files that, combined with run-time output dumped on stdout, should give you an indication of what is happening. The main output of a run consists of numbers that indicate the average DRAM access time (in nanoseconds).

What follows is a short description of all source files.

  • Makefile
    Build system.

  • helper.h
    Inline helper functions defined in a header file.

  • ion.cc and ion.h
    Implements all ION related functionality: allocate, share, and free. By using a custom ION data structure defined in ion.h, we also provide some functions on top of these core ION ioctls: bulk (bulk allocations), mmap, clean, and clean_all. It is required to call ION_init() before performing any ION related operations, as this function takes care of opening the /dev/ion file and reads /proc/cpuinfo to determine which ION heap to use. Note that the latter functionality is likely incomplete.

  • massage.cc and massage.h
    Implements exhaust (used for exhausting ION chunks: allocate until nothing is left) and defrag functions.

  • rh-test.cc
    Implements main() and is in charge of parsing the command line options and starting a template session.

  • rowsize.cc and rowsize.h
    Implements the auto-detect function for finding the rowsize (described in more detail in the paper, Sections 5.1 and 8.1, and Figure 3).

  • templating.cc and templating.h
    Implements the actual Rowhammer test and builds template_t data structures (defined in templating.h, which might include some redundant fields). The is_exploitable() function checks whether a given template is in fact exploitable with Drammer. The main function is TMPL_run which loops over all hammerable ION chunks.
