Off by a Bit: Exploring Bit-Flip Vulnerabilities Through Program Emulation and Symbolic Execution
Student thesis: Master Thesis and HD Thesis
- Anders Trier Olesen
- Ólavur Debes Joensen
- Jannek Alexander Westerhof Bossen
4. term, Computer Science, Master (Master Programme)
As DRAM cells become ever smaller, down-scaling reaches physical limits at which further density gains come at the cost of reliability.
A wide range of modern DRAM modules have been verified to be susceptible to the Rowhammer problem, where rapid successive reads of memory trigger bit-flips in adjacent data.
We research how bit-flips in the execution platform can be exploited to break the core security mechanisms of current software. Specifically, we successfully exploit OpenSSH, su, and vsftpd using just a single bit-flip.
To demonstrate and verify our exploits, we develop FLIP, a bit-flip emulator based on QEMU. FLIP produces reliable, repeatable bit-flips and lets the user configure the timing, location and mask of each flip. FLIP supports the introduction of bit-flips in CPU flags and registers as well as in main memory.
To supplement FLIP, we present FLOP, an analysis tool based on the KLEE symbolic execution engine. FLOP uses symbolic execution to determine when and where bit-flips may be introduced to reach user-specified program points that are otherwise unreachable.
We show how FLOP output can be used to configure FLIP to explore the effectiveness of suggested bit-flips.
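The abstract describes FLIP's configuration of a flip as a location plus a mask, and FLOP's question as "which flips reach a given program point". The following is an added illustration of both ideas on a toy byte buffer; it is not code from the thesis or from FLIP/FLOP. It brute-forces every single-bit flip (instead of using symbolic execution), ignores the timing dimension entirely, and uses constructed record layouts: a naive record that stores a privilege flag as a plain boolean, and a hardened record that encodes the same flag with two constants at Hamming distance 8 and rejects anything else, the classic countermeasure against fault injection.

```python
from typing import Callable, Iterator, List, Tuple

# Constructed encodings for the hardened record: 0x5A = 0101_1010, 0xA5 = 1010_0101.
# Every bit differs, so no single flip can turn one constant into the other.
USER, ADMIN = 0x5A, 0xA5


def flip_bits(buf: bytes, offset: int, mask: int) -> bytes:
    """Return a copy of buf with the bits set in `mask` inverted at byte `offset`.

    Mirrors the location + mask pair a FLIP-style emulator takes as input
    (FLIP's timing parameter has no analogue in this stateless toy).
    """
    if not 0 <= offset < len(buf):
        raise ValueError("offset outside buffer")
    if not 0 <= mask <= 0xFF:
        raise ValueError("mask must fit in a single byte")
    out = bytearray(buf)
    out[offset] ^= mask
    return bytes(out)


def single_bit_flips(buf: bytes) -> Iterator[Tuple[int, int]]:
    """Enumerate every (offset, mask) pair that flips exactly one bit of buf."""
    for offset in range(len(buf)):
        for bit in range(8):
            yield offset, 1 << bit


def flips_reaching(outcome: Callable[[bytes], str], buf: bytes,
                   target: str) -> List[Tuple[int, int]]:
    """Brute-force analogue of a FLOP query: which single-bit flips make
    `outcome` return `target` when it did not before?"""
    if outcome(buf) == target:
        return []  # already there; no flip is needed
    return [(off, mask) for off, mask in single_bit_flips(buf)
            if outcome(flip_bits(buf, off, mask)) == target]


def naive_outcome(state: bytes) -> str:
    """Constructed naive layout: byte 0 is a boolean 'is admin' flag."""
    return "admin" if state[0] != 0 else "user"


def hardened_outcome(state: bytes) -> str:
    """Constructed hardened layout: byte 0 must equal one of two far-apart
    constants; any other value is treated as corruption and rejected."""
    value = state[0]
    if value == ADMIN:
        return "admin"
    if value == USER:
        return "user"
    return "reject"


if __name__ == "__main__":
    naive_record = bytes([0x00, 0x00, 0x00, 0x00])       # constructed: plain user
    hardened_record = bytes([USER, 0x00, 0x00, 0x00])    # constructed: encoded user

    print("naive flips reaching 'admin':   ",
          flips_reaching(naive_outcome, naive_record, "admin"))
    print("hardened flips reaching 'admin':",
          flips_reaching(hardened_outcome, hardened_record, "admin"))
    print("hardened flips reaching 'reject':",
          len(flips_reaching(hardened_outcome, hardened_record, "reject")))
```

Running the script shows that every one of the eight bits of the naive flag byte reaches the `admin` outcome, whereas no single flip reaches it in the hardened layout; those same eight flips land in `reject` instead, where a program can fail closed. A FLOP-style analysis answers the same question symbolically for real binaries, and FLIP then replays the suggested (location, mask) pair inside QEMU to confirm it.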
Language | English
---|---
Publication date | 9 Jun 2017
Number of pages | 63
Keywords | bit-flips, bitflips, llvm, qemu, symbolic execution, static analysis, vulnerabilities, rowhammer, Off by a bit, flip, flop, klee