Memway: In-Memory Waylaying Acceleration for Practical Rowhammer Attacks Against Binaries

Lai Xu, Rongwei Yu, Lina Wang, Weijie Liu

Key words: Rowhammer bug; Waylaying algorithm; in-memory swapping; page cache eviction

Abstract

The Rowhammer bug is a novel micro-architectural security threat, enabling powerful privilege-escalation attacks on various mainstream platforms. It works by actively flipping bits in Dynamic Random Access Memory (DRAM) cells with unprivileged instructions. In order to set up Rowhammer against binaries in the Linux page cache, the Waylaying algorithm has previously been proposed. The Waylaying method stealthily relocates binaries onto exploitable physical addresses without exhausting system memory. However, the proof-of-concept Waylaying algorithm can be easily detected during page cache eviction because of its high disk I/O overhead and long running time. This paper proposes the more advanced Memway algorithm, which improves on Waylaying in terms of both I/O overhead and speed. Running time and disk I/O overhead are reduced by 90% by utilizing Linux tmpfs and in-memory swapping to manage eviction files. Furthermore, by combining Memway with the unprivileged posix_fadvise API, the binary relocation step is made 100 times faster. Equipped with our Memway+fadvise relocation scheme, we demonstrate practical Rowhammer attacks that take only 15-200 minutes to covertly relocate a victim binary, and less than 3 seconds to flip the target instruction bit.
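The abstract notes that the original Waylaying relocation is detectable during page cache eviction through its high disk I/O overhead. The following is an added defender-side example, not code from the paper, showing one way to operationalize that observation: it parses successive /proc/vmstat snapshots and flags runs of sampling intervals with sustained, abnormally high page-in/page-out volume. The snapshot contents, the KiB threshold and the run length are constructed for illustration and would need tuning per host.

```python
"""Page-cache churn detector over /proc/vmstat snapshots.

Added example (not the paper's code): a heuristic for the page cache
eviction phase described in the abstract, which on the original Waylaying
algorithm produces sustained heavy disk I/O. Sample snapshots and
thresholds below are constructed values.
"""
from typing import Dict, List

# Cumulative counters from /proc/vmstat: pgpgin/pgpgout are KiB paged in/out
# from block devices; pgmajfault counts disk-backed (major) page faults.
FIELDS = ("pgpgin", "pgpgout", "pgmajfault")


def parse_vmstat(text: str) -> Dict[str, int]:
    """Parse the 'name value' lines of a /proc/vmstat snapshot into a dict."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            counters[parts[0]] = int(parts[1])
    return counters


def churn_per_interval(snapshots: List[str]) -> List[Dict[str, int]]:
    """Per-interval deltas of the monitored counters between snapshots."""
    parsed = [parse_vmstat(s) for s in snapshots]
    deltas = []
    for prev, cur in zip(parsed, parsed[1:]):
        deltas.append({f: cur.get(f, 0) - prev.get(f, 0) for f in FIELDS})
    return deltas


def flag_sustained_eviction(snapshots: List[str],
                            kib_threshold: int,
                            min_intervals: int) -> List[int]:
    """Indexes of intervals belonging to a run of at least min_intervals
    consecutive intervals whose page-in + page-out volume exceeds
    kib_threshold KiB. Short bursts (normal file activity) are ignored."""
    deltas = churn_per_interval(snapshots)
    hot = [d["pgpgin"] + d["pgpgout"] > kib_threshold for d in deltas]
    flagged: List[int] = []
    run_start = None
    # Trailing False closes any run that reaches the end of the window.
    for i, is_hot in enumerate(hot + [False]):
        if is_hot and run_start is None:
            run_start = i
        elif not is_hot and run_start is not None:
            if i - run_start >= min_intervals:
                flagged.extend(range(run_start, i))
            run_start = None
    return flagged


# Constructed snapshots, as if sampled at a fixed interval; values are illustrative.
SAMPLE_SNAPSHOTS = [
    "nr_free_pages 100000\npgpgin 1000\npgpgout 2000\npgmajfault 10\n",
    "nr_free_pages 99000\npgpgin 1500\npgpgout 2400\npgmajfault 11\n",          # quiet
    "nr_free_pages 20000\npgpgin 801500\npgpgout 602400\npgmajfault 900\n",     # heavy churn
    "nr_free_pages 15000\npgpgin 1601500\npgpgout 1202400\npgmajfault 1800\n",  # heavy churn
    "nr_free_pages 12000\npgpgin 2401500\npgpgout 1802400\npgmajfault 2700\n",  # heavy churn
    "nr_free_pages 12000\npgpgin 2402000\npgpgout 1802900\npgmajfault 2701\n",  # quiet again
]

if __name__ == "__main__":
    # Flags intervals 1, 2 and 3 of the constructed window.
    print(flag_sustained_eviction(SAMPLE_SNAPSHOTS, kib_threshold=500_000, min_intervals=2))
```

In production the snapshots would come from reading /proc/vmstat on a timer; a run of flagged intervals is a trigger for correlating with per-process I/O accounting, not a verdict on its own. The abstract's own point is the caveat: Memway cuts the disk I/O overhead by 90% and shortens the relocation window, so a detector that relies on this signal alone needs a correspondingly lower threshold or additional indicators.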