Creative DRAM abuse with Rowhammer

Project Zero, Google’s security analyst unit, has proved that rowhammer can be used as an exploit to gain superuser privileges on some computers. Row Hammer, or rowhammer is a method of flipping bits in DRAM by hammering rows with fast read accesses. [Mark Seaborn] and the rest of the Project Zero team learned of rowhammer by reading [Yoongu Kim’s] 2014 paper “Flipping Bits in Memory Without Accessing Them:
An Experimental Study of DRAM Disturbance Errors” (PDF link). According to [Kim], the memory industry has known about the issue since at least 2012, when Intel began filing patents for mitigation techniques.

Row hammer” by DsimicOwn work. Licensed under CC BY-SA 4.0 via Wikimedia Commons.

The technique is deceptively simple. Dynamic RAM is organized into a matrix of rows and columns. By performing fast reads on addresses in the same row, bits in adjacent rows can be flipped. In the example image to the left, fast reads on the purple row can cause bit flips in either of the yellow rows. The Project Zero team discovered an even more aggressive technique they call “double-sided hammering”. In this case, fast reads are performed on both yellow rows. The team found that double-sided hammering can cause more than 25 bits to flip in a single row on a particularly vulnerable computer.

Why does this happen? The answer lies within the internal structure of DRAM, and a bit of semiconductor physics. A DRAM memory bit is essentially a transistor and a capacitor. Data is stored by charging up the capacitor, which immediately begins to leak. DRAM must be refreshed before all the charge leaks away. Typically this refresh happens every 64ms. Higher density RAM chips have forced these capacitors to be closer together than ever before. So close in fact, that they can interact. Repeated reads of one row will cause the capacitors in adjacent rows to leak charge faster than normal. If enough charge leaks away before a refresh, the bit stored by that capacitor will flip.

Cache is not the answer

If you’re thinking that memory subsystems shouldn’t work this way due to cache, you’re right. Under normal circumstances, repeated data reads would be stored in the processor’s data cache and never touch RAM. Cache can be flushed though, which is exactly what the Project Zero team is doing. The X86 CLFLUSH opcode ensures that each read will go out to physical RAM.

Wanton bit flipping is all fine and good, but the Project Zero team’s goal was to use the technique as an exploit. To pull that off, they had to figure out which bits they were flipping, and flip them in such a way as to give elevated access to a user level process. The Project Zero team eventually came up with two working exploits. One works to escape Google’s Native Client (NaCL) sandbox. The other exploit works as a userspace program on x86-64 Linux boxes.

Native Client sandbox escape exploit

Google defines Native Client (NaCL) as ” a sandbox for running compiled C and C++ code in the browser efficiently and securely, independent of the user’s operating system.”  It was designed specifically as a way to run code in the browser, without the risk of it escaping to the host system.  Let that sink in for a moment. Now consider the fact that rowhammer is able to escape the walled garden and access physical memory. The exploit works by allocating 250MB of memory, and rowhammering on random addresses, and checking for bit flips. Once bit flips are detected, the real fun starts. The exploit hides unsafe instructions inside immediate arguments of “safe” institutions. In an example from the paper:

20EA0: 48 b8 0f 05 EB 0C F4 F4 F4 F4 movabs $0xF4F4F4F40CEB050F,%rax 

Viewed from memory address 0x20EA0, this is an absolute move of a 64 bit value to register rax. However, if we move off alignment and read the instruction from address 0x20EA02, now it’s a SYSCALL – (0F 05).  The NaCL escape exploit does exactly this, running shell commands which were hidden inside instructions that appeared to be safe.

Linux kernel privilege escalation exploit

The Project Zero team used rowhammer to give a Linux process access to all of physical memory. The process is more complex than the NaCL exploit, but the basic idea revolves around page table entries (PTE). Since the underlying structure of Linux’s page table is well known, rowhammer can be used to modify the bits which are used to translate virtual to physical addresses. By carefully controlling which bits are flipped, the attacking process can relocate its own pages anywhere in RAM. The team used this technique to redirect /bin/ping to their own shell code. Since Ping normally runs with superuser privileges, the shell code can do anything it wants.


Rowhammer is a nasty vulnerability, but the sky isn’t falling just yet. Google has already patched NaCL by removing access to the CLFLUSH opcode, so NaCL is safe from any currently known rowhammer attacks. Project Zero didn’t run an exhaustive test to find out which computer and RAM manufacturers are vulnerable to rowhammer. In fact, they were only able to flip bits on laptops. The desktop machines they tried used ECC RAM, which may have corrected the bit flips as they happened. ECC RAM will help, but doesn’t guarantee protection from rowhammer – especially when multiple bit flips occur. The best protection is a new machine – New RAM technologies include mitigation techniques. The LPDDR4 standard includes “Targeted Row Refresh” (TRR) and “Maximum Activate Count” (MAC), both methods to avoid rowhammer vulnerability. That’s a good excuse to buy a new laptop if we ever heard one!

If you want to play along at home, the Project Zero team have a rowhammer test up on GitHub.

Raspberry Pi Doorbell is Fully Featured

When you think of a doorbell, you typically don’t think of anything very complicated. It’s a button that rings a bell inside your home. That’s about it. [Ahmad] decided he wanted to turn his doorbell up to eleven (Google Doc) with this build. Using a Raspberry Pi, he was able to cram in loads of features.

When the doorbell button is pressed, many different events can be triggered. In the demo video, [Ahmad] shows how his phone receives a text message, and email, and a tweet. The system can even be configured to place a voice call via Google Hangouts using a USB microphone. [Ahmad] demonstrates this and shows how the voice call is placed almost instantly when the button is pressed. This may be a bit overkill, but it does demonstrate many different options depending on your own needs.

For the hardware side of things, [Ahmad] purchased a wireless doorbell. He opened up the ringer unit and hooked up the speaker wires to a couple of pins on the Raspberry Pi through a resistor. The doorbell unit itself is powered off of the 3.3V supply from the Pi. The Pi also has a small LCD screen which shows helpful information such as if the Internet connection is working. The screen will also display the last time and date the doorbell was pressed, in case you weren’t home to answer the door.

On top of all of that, the system also includes a Raspberry Pi camera module. This allows [Ahmad] to take a photo of the person ringing the doorbell as a security measure. He can even view a live video feed from the front door by streaming directly to YouTube live. [Ahmad] has provided a link to his Pi image in the Google Doc so others can use it and modify it as they see fit. Continue reading “Raspberry Pi Doorbell is Fully Featured”

Google Releases Project Ara MDK

Ara Modules


It’s been a little while since we’ve heard about modular smartphones, but Google has just released the Module Developers Kit (MDK) for Project Ara. The development kit gives an overview of the inner workings of the project, and provides templates for building your own modules.

Once you’ve agreed to the license agreement and downloaded the MDK, you’ll find a large specification document. It explains how a phone will comprise of many modules loaded into an endoskeleton, giving mechanical support and electrical connections. An interface block provides each module with power and data over LVDS. Modules are held in place by an electro-permanent magnet which can be toggled by software.

When you’re finished with the specification document, you can dive into the reference designs. These include templates and actual modules for WiFi, thermal imaging, a battery pack, and more. Mechanical CAD is provided as STEP files and drawings, and electrical design files are provided as Altium projects and PDF schematics.

We discussed both Project Ara and Phonebloks on Hackaday in the past, but now we’re starting to see real details. Google’s Project Ara Developer Conference takes place on April 15th and 16th, and you can register to take part remotely for free. Is this the start of an open, modular phone? Let us know what you think.

[Thanks to Adam for the tip]

Google Security Certificates Forged

Chain of Trust

Recently, Google discovered that a certificate authority (CA) issued forged certificates for Google domains. This compromises the trust provided by Transport Layer Security (TLS) and Secure HTTP (HTTPS), allowing the holder of the forged certificates to perform a man-in-the-middle attack.

To validate that the website you’re visiting is actually who they claim to be, your browser ensures that the certificate presented by the server you’re accessing was signed by a trusted CA. When someone requests a certificate from a CA, they should verify the identity of the person making the request. Your browser, and operating system, have a set of ultimately trusted CAs (called root CAs). If the certificate was issued by one of them, or a intermediate CA that they trust, you will trust the connection. This whole structure of trust is called a Chain of Trust.

With a forged certificate, you can convince a client that your server is actually You can use this to sit between a client’s connection and the actual Google server, eavesdropping their session.

In this case, an intermediate CA did just that. This is scary, because it undermines the security that we all rely on daily for all secure transactions on the internet. Certificate pinning is one tool that can be used to resist this type of attack. It works by associating a host with a specific certificate. If it changes, the connection will not be trusted.

The centralized nature of TLS doesn’t work if you can’t trust the authorities. Unfortunately, we can’t.

Controlling Chromecast: AirCast APK released

[Koush] is at it again, this time releasing AirCast, an Android app that’ll push videos to the Chromecast from Dropbox, Google Drive, and your phone’s Gallery. Astute Hackaday readers will recall that AirCast has been around for a few weeks now, but limited to only his whitelisted Chromecast. As [Koush] explains it, he had to reverse engineer the protocols and now he simply avoids the Chromecast SDK entirely. If you’re lucky enough to have a Chromecast, you’ll want to hurry and grab the APK (direct download link) and have some fun with it before it self-destructs. [Koush] isn’t ready to release it for more than a 48 hour period, but we encourage you to take advantage of AirCast and contribute to his call for feedback, bugs, and crash reports. You have a little under a day left.

See “AllCast” work its magic in the video below. No, that’s not a typo. Apparently [Koush] has been struggling with available names for the app, and you’ll hear him call it “AllCast” in the Youtube video. That name was taken for some other product, though, and “AirCast” has now replaced it. If you suddenly regret not immediately ordering a Chromecast and are sitting this one out, go read [Mike’s] rant and get psyched up for when they’re back in stock.

Continue reading “Controlling Chromecast: AirCast APK released”

Rant: Why I love what the Chromecast stands for

I’ve had my hands on this Chromecast for almost a week now and I love it. Years ago I hacked my first Xbox after seeing [Kevin Rose] do it on The Screensavers (I did the hardware mod but that’s inconsequential). Why did I do this? So that I could run Xbox Media Center, the predecessor of XBMC. Since then I’ve dreamed of a device which can be hung on the back of the TV with Velcro and run XBMC. We basically got there with the Raspberry Pi, but the Chromecast is the form-factor that I had always envisioned. This lets me watch Netflix, while the RPi runs XBMC. The two are match made in heaven for under a hundred bucks.

That’s why I love the Chromecast device itself, but the bigger picture is that I love what it stands for. Keep reading to see what i mean.

Continue reading “Rant: Why I love what the Chromecast stands for”

Google Science Fair finalist explains squid-inspired underwater propulsion


Meet [Alex Spiride]. He’s one of the fifteen finalists of the 2013 Google Science Fair. A native of Plano, Texas, [Alex] entered his squid-inspired underwater propulsion system in the 13-14 year old category.

The red cylinder shown in the image inlay is his test rig. It is covered well on his project site linked above. You just need to click around the different pages using the navigation tiles in the upper right to get the whole picture. The propulsion module uses water sprayed out the nozzle to push the enclosure forward. The hull is made of PVC, with a bladder inside which is connected to the nozzle. The bladder is full of water, but the cavity between it and the hull is full of air. Notice the plastic hose which is used to inject pressurized air, squeezing the bladder to propel the water out the nozzle. Pretty neat huh?

We think [Alex’s] work stands on its own. But we can’t help thinking what the next iteration could look like. We wonder what would happen if you wrapped that bladder in muscle wire? Would it be strong enough to squeeze the bladder?

You can see all fifteen finalists at the GSF announcement page. Just don’t be surprised if you see some of those other projects on our front page in the coming days.

Continue reading “Google Science Fair finalist explains squid-inspired underwater propulsion”