Rowhammer attacks that corrupt level-1 page tables to gain kernel privilege
are the most detrimental to system security and hard to mitigate. However,
recently proposed software-only mitigations are not effective against such
kernel privilege escalation attacks. In this paper, we propose an effective and
practical software-only defense, called SoftTRR, to protect page tables from
all existing rowhammer attacks on x86. The key idea of SoftTRR is to refresh
the rows occupied by page tables when a suspicious rowhammer activity is
detected. SoftTRR is motivated by DRAM-chip-based target row refresh (ChipTRR)
but eliminates its main security limitation (i.e., ChipTRR tracks a limited
number of rows and thus can be bypassed by many-sided hammer). Specifically,
SoftTRR protects an unlimited number of page tables by tracking memory accesses
to the rows that are in close proximity to page-table rows and refreshing the
page-table rows once the tracked access count exceeds a pre-defined threshold.
We implement a prototype of SoftTRR as a loadable kernel module, and evaluate
its security effectiveness, performance overhead, and memory consumption. The
experimental results show that SoftTRR protects page tables from real-world
rowhammer attacks and incurs small performance overhead as well as memory cost.

Go to Source of this post
Author Of this post: <a href="http://arxiv.org/find/cs/1/au:+Zhang_Z/0/1/0/all/0/1">Zhi Zhang</a>, <a href="http://arxiv.org/find/cs/1/au:+Cheng_Y/0/1/0/all/0/1">Yueqiang Cheng</a>, <a href="http://arxiv.org/find/cs/1/au:+Wang_M/0/1/0/all/0/1">Minghua Wang</a>, <a href="http://arxiv.org/find/cs/1/au:+He_W/0/1/0/all/0/1">Wei He</a>, <a href="http://arxiv.org/find/cs/1/au:+Wang_W/0/1/0/all/0/1">Wenhao Wang</a>, <a href="http://arxiv.org/find/cs/1/au:+Surya_N/0/1/0/all/0/1">Nepal Surya</a>, <a href="http://arxiv.org/find/cs/1/au:+Gao_Y/0/1/0/all/0/1">Yansong Gao</a>, <a href="http://arxiv.org/find/cs/1/au:+Li_K/0/1/0/all/0/1">Kang Li</a>, <a href="http://arxiv.org/find/cs/1/au:+Wang_Z/0/1/0/all/0/1">Zhe Wang</a>, <a href="http://arxiv.org/find/cs/1/au:+Wu_C/0/1/0/all/0/1">Chenggang Wu</a>

By admin