This is a proof-of-concept exploit that is able to escape from Native Client's x86-64 sandbox on machines that are susceptible to the DRAM "rowhammer" problem. It works by inducing a bit flip in read-only code so that the code is no longer safe, producing instruction sequences that wouldn't pass NaCl's x86-64 validator.

Note that this uses the CLFLUSH instruction, so it doesn't work in newer versions of NaCl where this instruction is disallowed by the validator.

There are two ways to test the exploit program without getting a real rowhammer-induced bit flip:

* Unit testing: rowhammer_escape_test.c can be compiled and run as a Linux executable (instead of as a NaCl executable). In this case, it tests each possible bit flip in its code template, checking that each is handled correctly.

* Testing inside NaCl: The patch "inject_bit_flip_for_testing.patch" modifies NaCl's dyncode_create() syscall to inject a bit flip for testing purposes. This syscall is NaCl's interface for loading code dynamically.

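The two test modes above share one fault-injection pattern: flip every bit of a code template, one at a time, and check how each flipped copy is handled. As an added example that is not part of this proof of concept, the C harness below applies that pattern from the defender's side: it enumerates every single-bit flip in a constructed code template, injects each into a scratch copy, and checks that a digest-based integrity check over the read-only code rejects it. The sample bytes, the FNV-1a digest and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* FNV-1a 64-bit digest used to compare a code region with a known-good value.
 * An assumption of this example, not anything NaCl itself uses. */
static uint64_t fnv1a64(const uint8_t *buf, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= buf[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Flip bit `bit_index` (0 .. len*8-1) of `buf` in place, the way a test-only
 * injection hook would before the code is installed. Out-of-range: no-op. */
void inject_bit_flip(uint8_t *buf, size_t len, size_t bit_index) {
    if (bit_index >= len * 8) return;
    buf[bit_index / 8] ^= (uint8_t)(1u << (bit_index % 8));
}

/* Returns 1 if the region still matches its known-good digest, 0 otherwise. */
int code_intact(const uint8_t *buf, size_t len, uint64_t expected) {
    return fnv1a64(buf, len) == expected;
}

/* Enumerate every single-bit flip of `code`, apply it to a scratch copy and
 * count the flips the integrity check misses. Expect 0; returns (size_t)-1
 * when the region is larger than the scratch buffer. */
size_t count_undetected_flips(const uint8_t *code, size_t len) {
    uint8_t scratch[64];
    uint64_t good = fnv1a64(code, len);
    size_t undetected = 0;
    if (len > sizeof scratch) return (size_t)-1;
    for (size_t bit = 0; bit < len * 8; bit++) {
        memcpy(scratch, code, len);
        inject_bit_flip(scratch, len, bit);
        if (code_intact(scratch, len, good)) undetected++;
    }
    return undetected;
}

/* Constructed sample: mov eax,1; ret; two nops. Not the PoC's own template. */
const uint8_t sample_code[8] = {0xb8, 0x01, 0x00, 0x00, 0x00, 0xc3, 0x90, 0x90};

int main(void) {
    size_t n = sizeof sample_code;
    printf("undetected single-bit flips: %zu of %zu\n",
           count_undetected_flips(sample_code, n), n * 8);
    return 0;
}
```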
Mark Seaborn
mseaborn@chromium.org
March 2015