Creative DRAM Abuse With Rowhammer

Project Zero, Google’s security analyst unit, has proved that rowhammer can be used as an exploit to gain superuser privileges on some computers. Row Hammer, or rowhammer, is a method of flipping bits in DRAM by hammering rows with fast read accesses. [Mark Seaborn] and the rest of the Project Zero team learned of rowhammer by reading [Yoongu Kim’s] 2014 paper “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors” (PDF link). According to [Kim], the memory industry has known about the issue since at least 2012, when Intel began filing patents for mitigation techniques.

“Row hammer” by Dsimic, own work. Licensed under CC BY-SA 4.0 via Wikimedia Commons.

The technique is deceptively simple. Dynamic RAM is organized into a matrix of rows and columns. By performing fast reads on addresses in the same row, bits in adjacent rows can be flipped. In the example image to the left, fast reads on the purple row can cause bit flips in either of the yellow rows. The Project Zero team discovered an even more aggressive technique they call “double-sided hammering”. In this case, fast reads are performed on both yellow rows. The team found that double-sided hammering can cause more than 25 bits to flip in a single row on a particularly vulnerable computer.

Why does this happen? The answer lies within the internal structure of DRAM, and a bit of semiconductor physics. A DRAM memory bit is essentially a transistor and a capacitor. Data is stored by charging up the capacitor, which immediately begins to leak. DRAM must be refreshed before all the charge leaks away. Typically this refresh happens every 64ms. Higher density RAM chips have forced these capacitors to be closer together than ever before. So close in fact, that they can interact. Repeated reads of one row will cause the capacitors in adjacent rows to leak charge faster than normal. If enough charge leaks away before a refresh, the bit stored by that capacitor will flip.

Cache is not the answer

If you’re thinking that memory subsystems shouldn’t work this way because of cache, you’re right. Under normal circumstances, repeated reads of the same data would be served from the processor’s data cache and never touch RAM. Cache can be flushed though, which is exactly what the Project Zero team does. The x86 CLFLUSH instruction evicts the line from cache, ensuring that each read goes out to physical RAM.

Wanton bit flipping is all fine and good, but the Project Zero team’s goal was to use the technique as an exploit. To pull that off, they had to figure out which bits they were flipping, and flip them in such a way as to give elevated access to a user-level process. The Project Zero team eventually came up with two working exploits. One escapes Google’s Native Client (NaCl) sandbox. The other works as a userspace program on x86-64 Linux boxes.

Native Client sandbox escape exploit

Google defines Native Client (NaCl) as “a sandbox for running compiled C and C++ code in the browser efficiently and securely, independent of the user’s operating system.” It was designed specifically as a way to run code in the browser, without the risk of it escaping to the host system. Let that sink in for a moment. Now consider the fact that rowhammer is able to escape the walled garden and access physical memory. The exploit works by allocating 250MB of memory, rowhammering random addresses, and checking for bit flips. Once bit flips are detected, the real fun starts. The exploit hides unsafe instructions inside the immediate arguments of “safe” instructions. In an example from the paper:

20EA0: 48 b8 0f 05 EB 0C F4 F4 F4 F4 movabs $0xF4F4F4F40CEB050F,%rax 

Viewed from memory address 0x20EA0, this is an absolute move of a 64-bit value into register rax. However, if we move off alignment and read the instruction from address 0x20EA2, it’s now a SYSCALL (0F 05). The NaCl escape exploit does exactly this, running shell commands which were hidden inside instructions that appeared to be safe.
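To see what a sandbox validator has to guard against, here is an added example (not from the Hackaday post and not Project Zero’s code): a toy decoder that understands only the four encodings in the bundle above and records the instruction boundaries a NaCl-style validator would accept. The names `decode_one`, `disassemble`, `legal_entry_points` and `is_safe_target` are assumed here; the bytes are the article’s.

```python
# Added example, not code from the Hackaday post or from Project Zero.
# A toy decoder for just the opcodes in the article's bundle, used to show
# why a validator must only trust boundaries reached from the aligned start.

BUNDLE_BASE = 0x20EA0
# Constructed from the article: bytes of "movabs $0xF4F4F4F40CEB050F,%rax".
BUNDLE = bytes.fromhex("48b80f05eb0cf4f4f4f4")


def decode_one(buf, off):
    """Return (length, text) for the instruction starting at buf[off].
    Only the encodings that occur in the example are understood."""
    b0 = buf[off]
    if b0 == 0x48 and buf[off + 1] == 0xB8:          # REX.W mov imm64, %rax
        imm = int.from_bytes(buf[off + 2:off + 10], "little")
        return 10, f"movabs ${imm:#x},%rax"
    if b0 == 0x0F and buf[off + 1] == 0x05:          # syscall
        return 2, "syscall"
    if b0 == 0xEB:                                   # jmp rel8
        rel = int.from_bytes(buf[off + 1:off + 2], "little", signed=True)
        return 2, f"jmp {rel:+d}"
    if b0 == 0xF4:                                   # hlt
        return 1, "hlt"
    raise ValueError(f"unsupported opcode {b0:#04x} at offset {off}")


def disassemble(buf, base, start=0):
    """Linear sweep from `start`: what a reader that trusts that entry
    point sees. Returns [(address, text), ...]."""
    out, off = [], start
    while off < len(buf):
        length, text = decode_one(buf, off)
        out.append((base + off, text))
        off += length
    return out


def legal_entry_points(buf, base):
    """The only addresses a validator accepts as instruction starts: the
    boundaries found by sweeping from the aligned start of the bundle."""
    return {addr for addr, _ in disassemble(buf, base)}


def is_safe_target(buf, base, target):
    """A jump landing anywhere but a recorded boundary exposes the bytes
    hidden in the immediate; a validator rejects such a target."""
    return target in legal_entry_points(buf, base)


if __name__ == "__main__":
    for addr, text in disassemble(BUNDLE, BUNDLE_BASE, 2):
        print(f"{addr:#x}: {text}")
```

Sweeping from 0x20EA0 yields the single `movabs`; sweeping from 0x20EA2 yields `syscall`, a short `jmp` and padding `hlt`s, which is why 0x20EA2 must never be accepted as a jump target.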

Linux kernel privilege escalation exploit

The Project Zero team used rowhammer to give a Linux process access to all of physical memory. The process is more complex than the NaCl exploit, but the basic idea revolves around page table entries (PTEs). Since the underlying structure of Linux’s page tables is well known, rowhammer can be used to modify the bits which translate virtual to physical addresses. By carefully controlling which bits are flipped, the attacking process can relocate its own pages anywhere in RAM. The team used this technique to redirect /bin/ping to their own shell code. Since ping normally runs with superuser privileges, the shell code can do anything it wants.

The TL;DR

Rowhammer is a nasty vulnerability, but the sky isn’t falling just yet. Google has already patched NaCl by removing access to the CLFLUSH instruction, so NaCl is safe from any currently known rowhammer attacks. Project Zero didn’t run an exhaustive test to find out which computer and RAM manufacturers are vulnerable to rowhammer. In fact, they were only able to flip bits on laptops. The desktop machines they tried used ECC RAM, which may have corrected the bit flips as they happened. ECC RAM will help, but doesn’t guarantee protection from rowhammer, especially when multiple bit flips occur in the same word. The best protection is a new machine: newer RAM technologies include mitigation techniques. The LPDDR4 standard includes “Targeted Row Refresh” (TRR) and “Maximum Activate Count” (MAC), both methods to avoid rowhammer vulnerability. That’s a good excuse to buy a new laptop if we ever heard one!

If you want to play along at home, the Project Zero team have a rowhammer test up on GitHub.

Doppler Gesture Sensing In JavaScript

[Daniel] stumbled on an interesting paper (which we featured before) on Doppler gesture sensing using only a computer’s speaker and microphone. Unfortunately the paper didn’t include source code, so [Daniel] created his own implementation of Doppler gesture sensing in JavaScript that works right in the browser.

[Daniel]’s JavaScript library generates a sine wave at 20 kHz that’s played through the computer’s speakers. The frequency is high enough that it’s pretty much inaudible. While the tone is being played through the speakers, the computer’s microphone is used to sample the audio and calculate the frequency spectrum of the signal. As you move your hand closer to the computer while the tone is playing, the frequency of the received signal shifts higher; as you move your hand away, it shifts lower. [Daniel]’s script looks for this frequency shift and uses it to trigger events.
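[Daniel]’s library is JavaScript and uses the browser’s audio API; as an added example that is not his code, here is the same bin-counting idea in plain Python on a constructed “microphone capture”: the 20 kHz carrier plus a weaker reflection offset by a Doppler shift. The sample rate, window length, `echo_gain` and the function names `synth_capture`, `bin_power`, `doppler_shift` and `gesture` are assumptions of this example.

```python
# Added example, not [Daniel]'s code: Doppler gesture detection on a
# constructed capture. Window length is chosen so 20 kHz lands exactly on
# DFT bin 2000 (10 Hz per bin), which keeps the toy detector leakage-free.
import math

RATE = 44100     # assumed microphone sample rate, Hz
TONE = 20000     # carrier played through the speakers, Hz
N = 4410         # samples per analysis window -> 10 Hz per bin
SPAN = 20        # bins examined either side of the carrier (+/- 200 Hz)


def synth_capture(shift_hz, echo_gain=0.4, n=N, rate=RATE):
    """Constructed capture: carrier plus a weaker reflection shifted by
    shift_hz (positive = hand approaching). shift_hz=0 is a still scene."""
    out = []
    for i in range(n):
        t = i / rate
        s = math.sin(2 * math.pi * TONE * t)
        if shift_hz:
            s += echo_gain * math.sin(2 * math.pi * (TONE + shift_hz) * t)
        out.append(s)
    return out


def bin_power(samples, k):
    """Power of DFT bin k, computed directly; only a few bins are needed."""
    n = len(samples)
    re = im = 0.0
    for i, x in enumerate(samples):
        ang = 2 * math.pi * k * i / n
        re += x * math.cos(ang)
        im -= x * math.sin(ang)
    return re * re + im * im


def doppler_shift(samples, rate=RATE, span=SPAN, threshold=0.1):
    """Count bins above and below the carrier that hold at least
    `threshold` of the carrier's power; the difference gives direction."""
    k0 = round(TONE * len(samples) / rate)
    floor = threshold * bin_power(samples, k0)
    above = sum(bin_power(samples, k) > floor for k in range(k0 + 1, k0 + span + 1))
    below = sum(bin_power(samples, k) > floor for k in range(k0 - span, k0))
    return above - below


def gesture(samples):
    """Map the signed bin shift to the event a page script would react to."""
    d = doppler_shift(samples)
    return "approaching" if d > 0 else "receding" if d < 0 else "still"
```

With a real microphone the carrier spreads over several bins, so the threshold and `SPAN` need tuning per machine, which is the calibration [Daniel]’s library does for you.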


[Daniel] has some awesome examples included on his website where you can test out the functionality for yourself. He has a hands-free scrolling example, spectrum plot, and even a virtual theremin. Since his code is bundled up into an easy-to-use library, it should be fairly easy to integrate into any webpage. The only real limitation to the library is that it only works in Chrome right now (Firefox doesn’t support disabling echo cancellation).


3D Printed Molds And Silicone Caulking

Have you ever had a pair of ear buds fit perfectly out of the package? Probably not. Well, [Joe] decided to take matters into his own hands and cast his own silicone ear bud covers custom made for him.

The traditional route would have been to make an ear bud model, make a mold from it, cast a copy from it… etc, etc. But [Joe] wanted to try something else — he designed and 3D printed the two-part mold, and used plain old silicone caulking to fill it.

First he 3D modeled the ear bud covers in SolidWorks, then he had to learn how to design the mold for it, but luckily, there’s a handy tutorial. After printing the mold he opted to use 100% silicone caulking in order to make the part since he had some lying around the house. The problem is, this stuff can take days to cure — unless you mix in some cornstarch.


The golden ratio [Joe] found was about 5:1 silicone to cornstarch, which resulted in a cure time of about 20 minutes.

After curing you just need to trim off the excess silicone. In the molding process this is known as “flash”.

Since this is caulking he’s using, you’re going to want to wash off the part a few times because this type of silicone produces acetic acid as it cures.

The ear buds fit great and inspired [Joe] to try molding even more things, like a custom sleeping mask using the 3D scan of your own face!

Psimax CS40 Control Panel for Kerbal Space Program

Rocket Controls Fit For A Kerbal

Kerbal Space Program is a space simulation game. You design spacecraft for a fictional race called Kerbals, then blast those brave Kerbals into space. Sometimes they don’t make it home.

If controlling spacecraft with your WASD keys isn’t immersive enough for you, [marzubus] has created a fully featured KSP control console. It sports a joystick, multiple displays, and an array of buttons and switches for all your flight control needs. The console was built using a modular approach, so different controls can be swapped in and out as needed.

Under the hood, three Arduinos provide the interface between the game and the controls. One Arduino Mega runs HoodLoader2 to provide joystick data over HID. A second Mega uses KSPSerialIO to communicate with the game over a standard COM port interface. Finally, a Due interfaces with the displays, which provide information on the current status of your spacecraft.

All of the parts are housed in an off the shelf enclosure, which has a certain Apollo Mission Control feel to it. All [marzubus] needs now is a white vest with a Kerbal badge on it.

Broken Bread Maker Rises Again, Drives Tool-Sharpening Turntable

Poor [makendo] had seven broken bread makers lying around, all with failed paddle drivers. Since they also all have big motors and other useful parts in them, he decided to turn one of them into a powered tool-sharpening turntable.

First, [makendo] salvaged the motor, the gear, and the thick circular glass window from one of the bread makers. He cut a platter from plywood the size of the glass window, chamfering the edge to fit the gear. Next, he built a housing from scrap plywood, separating the motor from the platter with a crosspiece to keep the motor free from dust. A large magnet on a hinge collects metal powder from the system quite effectively. The sharpener spins at about 200 RPM: fast enough to do the job and slow enough not to get hot.

According to [makendo], the sharpener restores bevels nicely but doesn’t make edges “scary sharp”. To that end, he used a toaster oven door as the base for a series of micro-abrasive sandpaper grits as a finishing rig. In order to sharpen his chisels uniformly, he made a jig to hold them firmly in place against either the powered turntable or the fine sandpapers.

[Thanks for the tip, Scott]


HDMI Splitter Is Also A Decrypter

It warms our hearts when the community gets together. [esar] needed to get a decrypted HDMI stream for his home theater system. A tip-off in the comments and a ton of good old-fashioned hacking resulted in an HDMI splitter converted into a full-featured HDMI decrypter. Here’s the story.

His amazing custom Ambilight clone got profiled here, and someone asked him in the comments if it worked when High-bandwidth Digital Content Protection (HDCP) is on. [esar] lamented that it didn’t. Hackaday readers to the rescue. [Alan Hightower] and [RoyTheReaper] pointed [esar] to the fact that HDMI splitters need to decrypt and re-encrypt the signal to pass it on, and pointed him to a trick to knock out the on-board microcontroller. [esar] took off from there.

Unfortunately, taking the micro out of the picture messed with a lot of other HDMI functionality. So [esar] started digging in the datasheets for the HDMI splitter chip, looking for registers relevant to the re-encryption. If he could get in between the microcontroller and the splitter chip on the I2C bus and disable the re-encryption, he’d be set.

If you’re at all interested in I2C hacking or abusing HDMI splitters, you need to read his post because he details all of the tribulations and triumphs. He first tries just brute-forcing the I2C by overwriting a 1 bit with a 0. This (correctly) signals the micro that there’s been a conflict on the bus, so it simply re-sends the command. Dead end.

He then found another signal that the receiver could use to say that it wasn’t decrypting. He tried sending this continuously to the splitter so that it would stop encrypting. That worked, but only for one channel, and only some of the time. It turns out that his bit-banged I2C code was taking too long. He fixes this up and all is well? Well, 90% of the way there.

To hammer down the last 10% of the functionality, [esar] buys a couple more splitters, experiments around with another splitter chipset that works with 3D, and solders some more wires to enable the Audio Return Channel. And after a ton of well-documented hard work, he wins in the end.

Hackaday Prize Worldwide: SXSW

Having announced the start of the 2015 Hackaday Prize a few days ago, it’s time to take the message to the people. We’ll be evangelizing the message of grass-roots hardware development all over the world this year. The next event starts tomorrow in Austin, Texas and is free for all to attend.

Friday Mid-Day Meetup

Join the Hackaday Crew at the Hackaday South by Southwest Meetup on Friday from 11am-12pm. We’ll be discussing the bright future of small shop and grass roots hardware development. This concept ties into the 2015 Hackaday Prize, which calls on you to develop solutions to some of the problems found in your community. Want to organize your own #HackadayPrize event to help get the word out? Great! Email prize -at- hackaday.com and we’ll help with the planning.

Friday Night at Hardware House

Find us on Friday Night at Hardware House. They are presenting several talks, notably from [Hugo Fiennes] (Co-founder of Electric Imp), [Sam de Brouwer] (Co-founder of Scanadu), [Nick Yulman] (from Kickstarter), and [Jason Johnson] (Co-Founder of August). In between there will be some lightning talks, and [Sophi] will be giving one on the 2015 Hackaday Prize. We’ll be sticking around for the socializing as well. It runs from 6-9pm… don’t forget to RSVP.

Stuffing 150 sq. ft. with Hardware

The finalists from last year’s Hackaday Prize were gracious enough to lend us their prototypes to exhibit at our SXSW Create Booth which is open Friday through Sunday. These are SatNOGS, ChipWhisperer, PortableSDR, Open Science Tricorder, and RamanPi. Thank you to them all, we’ll make sure to bring some of those along to the meetup. We’re also happy to have one of [Radu Motisan’s] uRADMonitor modules on hand, one of the Mooltipass beta units which were the topic of the Developed on Hackaday series, and one of [Macetech’s] new LED glasses (which we might just be giving away to someone who stops by).

Tacos or Drinks or Hangouts, oh my

The midway is open 11-6 every day, but you can bet after that (and perhaps before) we’ll be looking to do some socializing. Hit us up on Twitter if you have any suggestions or wonder what we’re up to. Assuming the Internet is working we’ll be checking and Tweeting regularly. On site we’ll be using the following accounts: @Hackaday, @Hackaday.io, @HackadayPrize.