Headline
CVE-2021-42114: GitHub - comsec-group/blacksmith: Next-gen Rowhammer fuzzer that uses non-uniform, frequency-based patterns.
Modern DRAM devices (PC-DDR4, LPDDR4X) are affected by a vulnerability in their internal Target Row Refresh (TRR) mitigation against Rowhammer attacks. Novel non-uniform Rowhammer access patterns, consisting of aggressors with different frequencies, phases, and amplitudes allow triggering bit flips on affected memory modules using our Blacksmith fuzzer. The patterns generated by Blacksmith were able to trigger bitflips on all 40 PC-DDR4 DRAM devices in our test pool, which cover the three major DRAM manufacturers: Samsung, SK Hynix, and Micron. This means that, even when chips advertised as Rowhammer-free are used, attackers may still be able to exploit Rowhammer. For example, this enables privilege-escalation attacks against the kernel or binaries such as the sudo binary, and also triggering bit flips in RSA-2048 keys (e.g., SSH keys) to gain cross-tenant virtual-machine access. We can confirm that DRAM devices acquired in July 2020 with DRAM chips from all three major DRAM vendors (Samsung, SK Hynix, Micron) are affected by this vulnerability. For more details, please refer to our publication.
Blacksmith Rowhammer Fuzzer
This repository provides the code accompanying the paper Blacksmith: Scalable Rowhammering in the Frequency Domain that is to appear in the IEEE conference Security & Privacy (S&P) 2022.
This is the implementation of our Blacksmith Rowhammer fuzzer. This fuzzer crafts novel non-uniform Rowhammer access patterns based on the concepts of frequency, phase, and amplitude. Our evaluation on 40 DIMMs showed that it is able to bypass recent Target Row Refresh (TRR) in-DRAM mitigations effectively and as such can could trigger bit flips on all 40 tested DIMMs.
Getting Started
Following, we quickly describe how to build and run Blacksmith.
Prerequisites
Blacksmith has been tested on Ubuntu 18.04 LTS with Linux kernel 4.15.0. As the CMakeLists we ship with Blacksmith downloads all required dependencies at compile time, there is no need to install any package other than g++ (>= 8) and cmake (>= 3.14).
To facilitate the development, we also provide a Docker container (see Dockerfile) where all required tools and libraries are installed. This container can be configured, for example, as remote host in the CLion IDE, which automatically transfers the files via SSH to the Docker container (i.e., no manual mapping required).
Building Blacksmith
You can build Blacksmith with its supplied CMakeLists.txt
in a new build
directory:
mkdir build \ && cd build \ && cmake … \ && make -j$(nproc)
Now we can run Blacksmith. For example, we can run Blacksmith in fuzzing mode by passing a random DIMM ID (e.g., --dimm-id 1
; only used internally for logging into stdout.log
), we limit the fuzzing to 6 hours (--runtime-limit 21600
), pass the number of ranks of our current DIMM (--ranks 1
) to select the proper bank/rank functions, and tell Blacksmith to do a sweep with the best found pattern after fuzzing finished (--sweeping
):
sudo ./blacksmith --dimm-id 1 --runtime-limit 21600 --ranks 1 --sweeping
While Blacksmith is running, you can use tail -f stdout.log
to keep track of the current progress (e.g., patterns, found bit flips). You will see a line like
[!] Flip 0x2030486dcc, row 3090, page offset: 3532, from 8f to 8b, detected after 0 hours 6 minutes 6 seconds.
in case that a bit flip was found. After finishing the Blacksmith run, you can find a fuzz-summary.json
that contains the information found in the stdout.log in a machine-processable format. In case you passed the --sweeping
flag, you can additionally find a sweep-summary-*.json
file that contains the information of the sweeping pass.
Supported Parameters
Blacksmith supports the command-line arguments listed in the following. Except for the parameters --dimm-id
and --ranks
all other parameters are optional.
-h, --help
shows this help message
==== Mandatory Parameters ==================================
-d, --dimm-id
internal identifier of the currently inserted DIMM (default: 0)
-r, --ranks
number of ranks on the DIMM, used to determine bank/rank/row functions, assumes Intel Coffe Lake CPU (default: None)
==== Execution Modes ==============================================
-f, --fuzzing
perform a fuzzing run (default program mode)
-g, --generate-patterns
generates N patterns, but does not perform hammering; used by ARM port
-y, --replay-patterns <csv-list>
replays patterns given as comma-separated list of pattern IDs
==== Replaying-Specific Configuration =============================
-j, --load-json
loads the specified JSON file generated in a previous fuzzer run, required for --replay-patterns
==== Fuzzing-Specific Configuration =============================
-s, --sync
synchronize with REFRESH while hammering (default: 1)
-w, --sweeping
sweep the best pattern over a contig. memory area after fuzzing (default: 0)
-t, --runtime-limit
number of seconds to run the fuzzer before sweeping/terminating (default: 120)
-a, --acts-per-ref
number of activations in a tREF interval, i.e., 7.8us (default: None)
-p, --probes
number of different DRAM locations to try each pattern on (default: NUM_BANKS/4)
The default values of the parameters can be found in the struct ProgramArguments
.
Configuration parameters of Blacksmith that we did not need to modify frequently, and thus are not runtime parameters, can be found in the GlobalDefines.hpp
file.
Citing our Work
To cite Blacksmith in academic papers, please use the following BibTeX entry:
@inproceedings{jattke2021blacksmith,
title = {{{BLACKSMITH}}: Rowhammering in the {{Frequency Domain}}},
shorttitle = {Blacksmith},
booktitle = {{{IEEE S}}\&{{P}} '22},
author = {Jattke, Patrick and {van der Veen}, Victor and Frigo, Pietro and Gunter, Stijn and Razavi, Kaveh},
year = {2021},
month = nov,
note = {\url{https://comsec.ethz.ch/wp-content/files/blacksmith_sp22.pdf}}
}