Creative DRAM Abuse With Rowhammer

Project Zero, Google’s security analyst unit, has proved that rowhammer can be used as an exploit to gain superuser privileges on some computers. Row Hammer, or rowhammer is a method of flipping bits in DRAM by hammering rows with fast read accesses. [Mark Seaborn] and the rest of the Project Zero team learned of rowhammer by reading [Yoongu Kim’s] 2014 paper “Flipping Bits in Memory Without Accessing Them:
An Experimental Study of DRAM Disturbance Errors” (PDF link). According to [Kim], the memory industry has known about the issue since at least 2012, when Intel began filing patents for mitigation techniques.

Row hammer” by DsimicOwn work. Licensed under CC BY-SA 4.0 via Wikimedia Commons.

The technique is deceptively simple. Dynamic RAM is organized into a matrix of rows and columns. By performing fast reads on addresses in the same row, bits in adjacent rows can be flipped. In the example image to the left, fast reads on the purple row can cause bit flips in either of the yellow rows. The Project Zero team discovered an even more aggressive technique they call “double-sided hammering”. In this case, fast reads are performed on both yellow rows. The team found that double-sided hammering can cause more than 25 bits to flip in a single row on a particularly vulnerable computer.

Why does this happen? The answer lies within the internal structure of DRAM, and a bit of semiconductor physics. A DRAM memory bit is essentially a transistor and a capacitor. Data is stored by charging up the capacitor, which immediately begins to leak. DRAM must be refreshed before all the charge leaks away. Typically this refresh happens every 64ms. Higher density RAM chips have forced these capacitors to be closer together than ever before. So close in fact, that they can interact. Repeated reads of one row will cause the capacitors in adjacent rows to leak charge faster than normal. If enough charge leaks away before a refresh, the bit stored by that capacitor will flip.

Cache is not the answer

If you’re thinking that memory subsystems shouldn’t work this way due to cache, you’re right. Under normal circumstances, repeated data reads would be stored in the processor’s data cache and never touch RAM. Cache can be flushed though, which is exactly what the Project Zero team is doing. The X86 CLFLUSH opcode ensures that each read will go out to physical RAM.

Wanton bit flipping is all fine and good, but the Project Zero team’s goal was to use the technique as an exploit. To pull that off, they had to figure out which bits they were flipping, and flip them in such a way as to give elevated access to a user level process. The Project Zero team eventually came up with two working exploits. One works to escape Google’s Native Client (NaCL) sandbox. The other exploit works as a userspace program on x86-64 Linux boxes.

Native Client sandbox escape exploit

Google defines Native Client (NaCL) as ” a sandbox for running compiled C and C++ code in the browser efficiently and securely, independent of the user’s operating system.”  It was designed specifically as a way to run code in the browser, without the risk of it escaping to the host system.  Let that sink in for a moment. Now consider the fact that rowhammer is able to escape the walled garden and access physical memory. The exploit works by allocating 250MB of memory, and rowhammering on random addresses, and checking for bit flips. Once bit flips are detected, the real fun starts. The exploit hides unsafe instructions inside immediate arguments of “safe” institutions. In an example from the paper:

20EA0: 48 b8 0f 05 EB 0C F4 F4 F4 F4 movabs $0xF4F4F4F40CEB050F,%rax 

Viewed from memory address 0x20EA0, this is an absolute move of a 64 bit value to register rax. However, if we move off alignment and read the instruction from address 0x20EA02, now it’s a SYSCALL – (0F 05).  The NaCL escape exploit does exactly this, running shell commands which were hidden inside instructions that appeared to be safe.

Linux kernel privilege escalation exploit

The Project Zero team used rowhammer to give a Linux process access to all of physical memory. The process is more complex than the NaCL exploit, but the basic idea revolves around page table entries (PTE). Since the underlying structure of Linux’s page table is well known, rowhammer can be used to modify the bits which are used to translate virtual to physical addresses. By carefully controlling which bits are flipped, the attacking process can relocate its own pages anywhere in RAM. The team used this technique to redirect /bin/ping to their own shell code. Since Ping normally runs with superuser privileges, the shell code can do anything it wants.

The TL;DR

Rowhammer is a nasty vulnerability, but the sky isn’t falling just yet. Google has already patched NaCL by removing access to the CLFLUSH opcode, so NaCL is safe from any currently known rowhammer attacks. Project Zero didn’t run an exhaustive test to find out which computer and RAM manufacturers are vulnerable to rowhammer. In fact, they were only able to flip bits on laptops. The desktop machines they tried used ECC RAM, which may have corrected the bit flips as they happened. ECC RAM will help, but doesn’t guarantee protection from rowhammer – especially when multiple bit flips occur. The best protection is a new machine – New RAM technologies include mitigation techniques. The LPDDR4 standard includes “Targeted Row Refresh” (TRR) and “Maximum Activate Count” (MAC), both methods to avoid rowhammer vulnerability. That’s a good excuse to buy a new laptop if we ever heard one!

If you want to play along at home, the Project Zero team have a rowhammer test up on GitHub.

Arduino V Arduino: Part II

Since our last article covering the Arduino v. Arduino case, we’ve received a couple of tips, done some more digging, and learned a lot more about what’s going on. We thought it was time to share the story with you as it develops.

The Players

In short, there are two companies calling themselves “Arduino” at the moment. One, Arduino LLC was founded by [Massimo Banzi], [David Cuartielles], [David Mellis], [Tom Igoe] and [Gianluca Martino] in 2009, runs the website arduino.cc, and has been directing and releasing the code that makes it all work. Most of these folks had been working together on what would become the Arduino project since as early as 2005.

The other “Arduino” used to be called Smart Projects and was the manufacturing arm of the project founded and run by [Gianluca Martino]. Smart Projects changed their name to Arduino SRL in November 2014. (A “Società a responsabilità limitata” is one form of Italian limited-liability company.) They have been a major producer of Arduino boards from the very beginning and recently registered the domain arduino.org.

Around the time of the name change [Martino] sold his shares to a Swiss firm Gheo SA and [Federico Musto] was appointed CEO. Gheo SA is owned and directed by [Musto], who also runs a design consultancy based in the US and Taiwan called dog hunter, LLC.

dog hunter and [Musto] helped develop the Arduino Yun, a mashup of an Arduino with an OpenWRT-compatible WiFi router. dog hunter also runs the Linino.org website to support the Linux distribution that’s running on the router part of the Yun.

In short, on one side is Arduino LLC, run by the original Arduino Five and hosting arduino.cc. On the other is now called Arduino SRL, run by a former co-developer [Federico Musto] who bought out the largest producer of Arduino boards and opened up arduino.org.

Continue reading “Arduino V Arduino: Part II”

2015 Hackaday Prize: Build Something That Matters

Last year we challenged you to build the next generation of connected devices. Six months later, the best teams and projects from around the world battled for the greatest prize of all: the respect of their peers and a trip to space. This year, we’re issuing a call to hackers, engineers, makers and startups from all over the world, to focus their creative efforts on nothing less than solving serious issues facing humanity.

Fix the World

thp2015-build-something-that-matters-a6We’ll all be facing a lot of problems in the next few decades, whether they’re from rising costs and consumption of oil, droughts, access to food, demographic shifts in populations, or increasing health care costs. These problems need to be dealt with, and there’s no better time than right now to start working on solutions.

What do we want from you? We want you to identify the greatest problems faced by humanity in the next few years and come up with a solution. This can be anything from better, lower-cost solar power components, inexpensive ultrasound machines, better ways to store drugs, more advanced ways of measuring farm production, or cheaper, more sustainable smartphones to bridge the digital divide. The world is full of problems, but if there’s one thing hackers have taught us, it’s that there are more than enough people willing to find solutions.

Prizes

If worldwide notoriety isn’t enough personal incentive, Hackaday is back with a huge slate of prizes for those devices that best exemplify solutions to problems that matter.

The Grand Prize is a trip to space on a carrier of your choice or $196,883 (a Monster Group number). Other top prizes include a 90-Watt laser cutter, a builder kit (pcb mill, 3d printer, cnc router, bench lathe), a tour of CERN in Geneva, and a tour of Shenzhen in China.

New this year is the Best Product award. Go the extra mile and show a production-ready device (in addition to supplying three beta test units for judging) and you can score $100,000! The entry is of course still eligible to compete for the Grand prize and other top prizes.

We’re able to pull this off once again thanks to the vision of Supplyframe who managed to unite giants of the electronics industry as sponsors of the 2015 Hackaday Prize. Atmel, Freescale, Microchip, Mouser, and Texas Instruments have all signed on in supporting this mission.

Individuals, Colleges, Hackerspaces, and Startups

If you just don’t want to go-it alone, get your team excited. After all, it was a team that won the Grand Prize last year. SatNOGS transformed the cash-option of $196,418 into a jumpstart for a foundation to carry the project forward. Get the boss on board by touting the notoriety your company will get from showing off their engineering prowess. Or help build your resume by herding your college buddies into some brainstorming session. And the Best Product prize is perfect for Startups who want to show off their builds.

Judges

Joining the Judging Panels this year are Akiba (Freaklabs), Pete Dokter (Sparkfun), Heather Knight (Marilyn MonRobot), Ben Krasnow (GoogleX & host of Applied Science on YouTube), Lenore Edman & Windell Oskay (Evil Mad Scientist Labs), and Micah Scott (Scanlime).

Our returning judges are Limor “Ladyada” Fried (Adafruit), Jack Ganssle (Ganssle Group, & The Embedded Muse), Dave Jones (EEVBlog), Ian Lesnet (Dangerous Prototypes), and Elecia White (Logical Elegance).

You can read all of the judge bios and find social media and webpage links for them on our Judges page. We are indebted to these industry experts for sharing their time and talent to make the Hackaday Prize possible.

Tell Everyone

We don’t ask often: please tell everyone you know about the 2015 Hackaday Prize! Social media share icons are just above the image at the top of this post. Submit this page or the prize page (http://hackaday.io/prize) to all your favorite sites. No hacker should get through this day without hearing about #HackadayPrize and we can’t reach total media saturation without your help. Thanks in advance!

GET STARTED NOW

Don’t wait, put up an idea right now and tag it with “2015HackadayPrize”. We’re sending out swag for early ideas that help get the ball rolling. And as you flesh out your plans you could score prizes to help build the prototype like PCBs, 3D prints, laser cutting, etc. Make it to the finals and you’ll be looking at the five top prizes we mentioned earlier. A simple idea can change the world.

placeholder-prize-graphic

Deconstructing PCBs

The surest way to reverse engineer a circuit is to look at all the components, all the traces between these components, and clone the entire thing. Take a look at a PCB some time, and you’ll quickly see a problem with this plan: there’s soldermask hiding all the traces, vias are underneath components, and replicating a board from a single example isn’t exactly easy. That’s alright, because [Joe Grand] is here to tell you how to deconstruct PCBs one layer at a time.

Most of this work was originally presented at DEFCON last August, but yesterday [Joe] put up a series of YouTube videos demonstrating different techniques for removing soldermask, delayering multi-layer boards, and using non-destructive imaging to examine internal layers.

If you’re dealing with a two-layer board, the most you’ll have to do is remove the soldermask. This can be done with techniques ranging from a fiberglass scratch brush, to laser ablation, to a dremel flapwheel. By far the most impressive and effective ways to take the solder mask off of PCBs is the way the pros do it: chemically. A bath in Magnastrip 500 or Ristoff C-8 results in perfectly stripped boards and a room full of noxious chemicals. It makes sense; this is what PCB houses use when they need to remove solder mask during the fabrication process.

Removing a solder mask will get you the layout of a two-layer board, but if you’re looking at deconstructing multi-layer boards, you’ll have to delaminate the entire board stack to get a look at the interior copper layers. By far the most impressive way of doing this is with a machine that can only be described as gently violent, but passive, imaging techniques such as X-rays, CT scanners and other sufficiently advanced technology will also do the trick. Acoustic microscopy, or  Acoustic Micro Imaging, was, however, unsuccessful. It does look cool, though.

Thanks [Morris] for the tip.

Continue reading “Deconstructing PCBs”

Origami Busts A Move With Dancing Paper

Origami cranes are cool, but do you know what’s cooler? Origami cranes dancing to the beat. That’s the challenge [Basami Sentaku] took on when he created Dancing Paper (YouTube link). You might remember [Basami] from his 8 bit harmonica hack. In Dancing Paper, paper cranes seem to dance all on their own – even performing some crazy spinning moves. Of course, the “magic” is due to some carefully written code, and magnets, lots of magnets.

Using magnets to move objects from below isn’t a new concept. Many of us have seen the “ice skating pond” Christmas decoration which uses the same effect. Unlike the skating pond,Dancing Paper has moving parts (other than the cranes themselves). Under the plastic surface are a series of individually controlled electromagnets. Each of the supporting dancers has a line of four magnets, while the featured dancer in the center has a 5×5 matrix. The 41 electromagnets were wound around bolts with the help of a Tamiya motor and gearbox.

The actual dance moves are controlled by C code which appears to be running on an Atmel microcontroller. Of course a microcontroller wouldn’t be able to drive those big coils, so some beefy TO-220 case transistors were employed to switch the loads. The cranes themselves needed a bit of modification as well. Thin pieces of wire travel from the neodymium magnets on their feet up to the body of the crane. The wire provides just enough support to keep the paper from collapsing, while still being flexible enough to boogie down.

Click past the break to see Dancing Paper in action!

Continue reading “Origami Busts A Move With Dancing Paper”

Retro Edition: VCF East, April 17 – 19

Around this time last year we were planning our trip to the Vintage Computer Festival East in Wall, NJ. This year we’re doing it all over again, and according to the announcements coming out of the planning committee, it’s going to be a very, very cool event.

This year marks fifty years since the release of the PDP-8, regarded as the first commercially successful computer ever. The historic Straight-8 from the infamous RESISTORS has been restored over the past few months, and it’s going to be turned on again for the festival. There will also be a half a dozen other PDP-8s at the event, but these are 8/M, 8/E, and 8/L models and not constructed completely out of discrete diode transistor logic.

Keynote speakers include [Wesley Clark], designer of the LINC computer and [Bob Frankston], co-creator of Visicalc. There will, of course, be a ton of educational and historical sessions on Friday. Our own [Bil Herd] will be there talking about vintage microcomputer architectures along with a dozen other fascinating people talking about really interesting stuff

As far as exhibits go, there’s literally everything you could imagine when it comes to retro computers. There will of course be a fully restored and functional PDP Straight 8, along with PDP-11s, Apple Newtons, Ataris, Network gaming on C64s. Hollerith cards, VisiCalc, mainframes, teletypes, video toasters, an RTTY amateur radio station (KC1CKV), a flea market/consignment thing, and all sorts of retro goodies. Oh, a Fairlight CMI will also be there. I don’t know how they got that one.

More info for VCF East at the official site, Facebook, and Twitter. If you’re in the area and want to exhibit something really, really cool, there’s still room for more. If you want a better feel for what will be going down at VCF East, check out our megapost wrapup from last year.

Of course if New Jersey isn’t your thing and you live a few blocks down from Peachtree Avenue, Lane, or Street, VCF Southeast 3.0 will be held in Roswell, Georgia the first weekend in May.

Cardboard CNC Machine Boxes Up Both A Tool And A Framework

Want to build up a desktop CNC machine without breaking your pocketbook? [James Coleman], [Nadya Peek], and [Ilan Moyer] of MIT Media Labs have cooked up a modular cardboard CNC that gives you the backbone from which you can design your own machine.

The CNC build comprises of design instructions for a single axis linear stage and single axis rotary stage with several ideas on how to combine multiple of these axes together to construct a particular machine. Whether your milling wood, laser-engraving your desk, or pipetting your bacteria samples, the designs [Dropbox] and physical components can be adopted for your end-application.

Perhaps the most interesting aspect of this project is that, at the high level, it is not just a cnc, but a framework known as Gestalt. This architecture enables users to develop their own machine configuration consisting of multiple software nodes linked together with high-level Python Code. Most of the high level computation is organized by a Python library that calls compiled C-code. This high-level framework processes instructions through the desired machine’s kinematics to output commands to the motor controllers. Finally, the top-level interface does away with the archaic GCode with two alternatives: a Python interface consisting of function calls to procedures and a remote interface to make procedure calls through http requests. While the downside of a motion control language is that commands have no standardization; they are, however, far more human-readable, a benefit that plays into the Gestalt Framework’s aim “to be accessible to individuals for personal use.”

gestaltFramework

In the paper [PDF], [Ilan] expresses the notion of a tool as an impedance-matching device, an instrument that extends the reach of our creativity to bend and morph a broader range of shapes into forms from our imagination. Where our hands fail in their imprecision and weakness, tools bridge this gap. Gestalt and the Cardboard CNC are first steps to creating a framework so that anyone can design and realize their own impedance-matching device, whether they’re weaving steel cables or carving wood.

The folks at MIT Media Labs a familiar heavy-hitters in this field of low-cost machinery, especially the kind that fit in a suitcase. We’re thrilled to see a build that reaches out directly to the community.

via [CreativeApplications.net]