Off by a Bit: Exploring Bit-Flip Vulnerabilities Through Program Emulation and Symbolic Execution
Term
4th term
Education
Publication year
2017
Submitted on
2017-06-09
Pages
63
Abstract
As DRAM cells are scaled down, there are physical limits beyond which further down-scaling comes at the cost of reliability. A wide range of modern DRAM modules have been shown to be susceptible to the Rowhammer problem, where rapid, repeated accesses to a memory row induce bit-flips in physically adjacent rows. We research how bit-flips in the execution platform can be exploited to break the core security mechanisms of current software. Specifically, we exploit OpenSSH, su, and vsftpd using just a single bit-flip. To demonstrate and verify our exploits, we develop FLIP, a bit-flip emulator based on QEMU. FLIP produces reliable, repeatable bit-flips and lets the user configure the timing, location and mask of a bit-flip attack. FLIP supports introducing bit-flips into CPU flags and registers as well as main memory. To supplement FLIP, we present FLOP, an analysis tool based on the KLEE symbolic execution engine. FLOP uses symbolic execution to determine when and where a bit-flip must be introduced to reach a user-specified program point that is otherwise not reachable. We show how FLOP output can be used to configure FLIP to explore the effectiveness of the suggested bit-flips.
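The abstract describes exploiting an authentication decision with a single bit-flip and an emulator that applies a configured mask at a chosen location. The following is an added example written for this page, not code from the thesis, FLIP or FLOP: a constructed toy login keeps its "authenticated" decision in a plain int, so any one of the flag's 32 bits flipped from 0 turns a denied session into a granted one. The `inject_flip` helper is our stand-in for an emulator applying a mask at a memory location (it is not FLIP's API), and the hardened variant shows the standard data-side mitigation: encode the decision in two constants a full Hamming distance apart and test for exact equality, so no single-bit fault can produce the accepted value.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed target: the auth decision lives in a plain int flag,
 * the pattern a one-bit fault can subvert. */
typedef struct {
    int  authenticated;   /* 0 = denied, any nonzero value = granted */
    char user[16];
} session_t;

/* Toy credential check; only this constructed password is accepted. */
static int check_password(const char *pw) {
    return strcmp(pw, "correct-horse") == 0;
}

/* Weak: the decision point accepts ANY nonzero flag value. */
void login_weak(session_t *s, const char *pw) {
    s->authenticated = check_password(pw);
}
int weak_is_granted(const session_t *s) {
    return s->authenticated != 0;
}

/* Hardened: "granted" is a specific constant and "denied" is its
 * bitwise complement (Hamming distance 32). One flipped bit of DENIED
 * is at distance 31 from GRANTED and is therefore still rejected. */
#define GRANTED 0xA5C3F00Du
#define DENIED  0x5A3C0FF2u   /* ~GRANTED */

uint32_t login_hardened(const char *pw) {
    return check_password(pw) ? GRANTED : DENIED;
}
int hardened_is_granted(uint32_t flag) {
    return flag == GRANTED;   /* exact match, not "nonzero" */
}

/* Emulated fault (our helper, modelled on the abstract's description of a
 * configurable location and mask; not FLIP's API): XOR a mask into one
 * byte of the target object. */
void inject_flip(void *base, size_t byte_offset, uint8_t mask) {
    ((uint8_t *)base)[byte_offset] ^= mask;
}

/* Does one flip at (offset, mask) inside the flag grant a wrong password? */
int weak_single_flip_grants(size_t byte_offset, uint8_t mask) {
    session_t s = {0};
    login_weak(&s, "wrong-password");            /* authenticated == 0 */
    inject_flip(&s.authenticated, byte_offset, mask);
    return weak_is_granted(&s);
}
int hardened_single_flip_grants(size_t byte_offset, uint8_t mask) {
    uint32_t flag = login_hardened("wrong-password");  /* DENIED */
    inject_flip(&flag, byte_offset, mask);
    return hardened_is_granted(flag);
}

/* Sweep every single-bit flip of the decision flag and count the ones
 * that turn a denied login into a granted one. */
int count_granting_flips_weak(void) {
    int hits = 0;
    for (size_t off = 0; off < sizeof(int); off++)
        for (int bit = 0; bit < 8; bit++)
            hits += weak_single_flip_grants(off, (uint8_t)(1u << bit));
    return hits;
}
int count_granting_flips_hardened(void) {
    int hits = 0;
    for (size_t off = 0; off < sizeof(uint32_t); off++)
        for (int bit = 0; bit < 8; bit++)
            hits += hardened_single_flip_grants(off, (uint8_t)(1u << bit));
    return hits;
}

int main(void) {
    printf("weak flag:     %d of %zu single-bit flips grant access\n",
           count_granting_flips_weak(), 8 * sizeof(int));
    printf("hardened flag: %d of %zu single-bit flips grant access\n",
           count_granting_flips_hardened(), 8 * sizeof(uint32_t));
    return 0;
}
```

The sweep is the data-side half of the picture: it tells you which memory locations and masks matter, which is the kind of answer the abstract says FLOP derives symbolically and FLIP then replays. The hardened encoding only protects the stored decision; a flip landing in the CPU flags or a register at the moment the comparison branches still defeats the check, which is why an emulator that can fault flags and registers, not just main memory, is needed to evaluate such mitigations.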
Keywords
bit-flips ; bitflips ; llvm ; qemu ; symbolic execution ; static analysis ; vulnerabilities ; rowhammer ; Off by a bit ; flip ; flop ; klee