double side rowhammer in virtualized environments


HW42

Mar 10, 2015, 3:33:52 AM
to rowhamme...@googlegroups.com
Hi,

Does the double-sided rowhammer test program work in virtualized
environments, especially Xen PVM, Xen HVM and Qemu/KVM?

HW42


HW42

Mar 10, 2015, 5:05:49 AM
to cpr...@gmail.com, rowhamme...@googlegroups.com
cpr...@gmail.com:
> Inside a Qubes/Xen PVM:
>
> Iteration 188 (after 240.27s)
>   26.928 nanosec per iteration: 1.16328 sec for 43200000 iterations
> check
> error at 0x7f2929794bd8: got 0xffffffefffffffff
>   (check took 0.096599s)
> ** exited with status 256 (0x100)
>
> This can work inside VMs. An important question is whether it can be used
> as a VM Breakout exploit.

I think it is clear that this is exploitable from a VM (since this is a
hardware bug triggered by unprivileged instructions. I assume that the
memory management of Xen is similar enough to Linux that you could
rather easily adapt the exploit from Google to escape to dom0).

My question is whether the double-sided hammer test program (not the normal
test program which generated the output above) works in virtualized
environments, since it reads /proc/self/pagemap. And I don't know if this
pagemap contains the required data when run in a VM.



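A worked example of the lookup the double-sided test depends on, added here and not taken from the Google test program or from anyone in this thread. It assumes a Linux guest with /proc/self/pagemap; the function names pagemap_decode and pagemap_lookup are my own. It decodes the pagemap entry layout (bit 63 present, bit 62 swapped, PFN in bits 0-54) and reports the frame number the guest kernel hands back for each page of a freshly mapped buffer. Inside a Xen PV or HVM guest that number is the guest's own physical frame (in Xen PV terms the pseudo-physical frame), not the machine frame, so adjacency in this output says nothing about adjacency in DRAM unless the hypervisor's mapping is also known. On Linux 4.0 and later the kernel reports PFN 0 to processes without CAP_SYS_ADMIN, which the decoder treats as unavailable.

```c
/* Added example for this thread: resolve user-space virtual addresses to
 * the page frame numbers /proc/self/pagemap reports. This is the lookup a
 * double-sided rowhammer test needs to pick rows on both sides of a victim.
 * Not the Google test program's code. Assumes Linux. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#define PAGEMAP_PRESENT  (1ULL << 63)   /* page is resident in RAM   */
#define PAGEMAP_SWAPPED  (1ULL << 62)   /* page is swapped out       */
#define PAGEMAP_PFN_MASK ((1ULL << 55) - 1) /* bits 0-54 hold the PFN */

/* Decode one 64-bit pagemap entry. Returns 1 and stores the PFN when the
 * page is resident and the kernel actually reported a frame number;
 * returns 0 when it is not present, swapped, or the PFN is hidden
 * (Linux >= 4.0 reports PFN 0 to unprivileged readers). */
int pagemap_decode(uint64_t entry, uint64_t *pfn)
{
    if (!(entry & PAGEMAP_PRESENT) || (entry & PAGEMAP_SWAPPED))
        return 0;
    uint64_t frame = entry & PAGEMAP_PFN_MASK;
    if (frame == 0)
        return 0;
    *pfn = frame;
    return 1;
}

/* Look up the frame backing vaddr. Returns 1 on success (PFN in *pfn),
 * 0 if no usable PFN was reported, -1 on I/O error (no /proc, etc.).
 * In a VM the result is a guest-physical frame, not a machine frame. */
int pagemap_lookup(const void *vaddr, uint64_t *pfn)
{
    long page = sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return -1;
    /* one 8-byte entry per virtual page, indexed by virtual page number */
    off_t off = (off_t)((uintptr_t)vaddr / (uintptr_t)page) * sizeof(uint64_t);
    uint64_t entry;
    ssize_t n = pread(fd, &entry, sizeof entry, off);
    close(fd);
    if (n != (ssize_t)sizeof entry)
        return -1;
    return pagemap_decode(entry, pfn);
}

int main(void)
{
    size_t npages = 8;
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *buf = mmap(NULL, npages * (size_t)page,
                              PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    for (size_t i = 0; i < npages; i++) {
        unsigned char *p = buf + i * (size_t)page;
        *p = 1;  /* touch the page so it is actually backed by a frame */
        uint64_t pfn;
        int r = pagemap_lookup(p, &pfn);
        if (r == 1)
            printf("page %zu: vaddr %p -> pfn 0x%llx\n",
                   i, (void *)p, (unsigned long long)pfn);
        else if (r == 0)
            printf("page %zu: vaddr %p -> PFN not reported "
                   "(unprivileged reader or page not resident)\n",
                   i, (void *)p);
        else {
            perror("pagemap");
            munmap(buf, npages * (size_t)page);
            return 1;
        }
    }
    munmap(buf, npages * (size_t)page);
    return 0;
}
```

Run it as root on bare metal and then inside a PV or HVM guest to compare: the guest prints frame numbers that look perfectly usable, but they are frames of the guest's own address space, so two pages that appear to sit in neighbouring frames may be anywhere in physical DRAM once the hypervisor's translation is applied.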

cpr...@gmail.com

Mar 10, 2015, 11:08:56 AM
to rowhamme...@googlegroups.com, hw...@ipsumj.de
In a Qubes/Xen PVM...


Iteration 188 (after 240.27s)
  26.928 nanosec per iteration: 1.16328 sec for 43200000 iterations
check
error at 0x7f2929794bd8: got 0xffffffefffffffff
  (check took 0.096599s)
** exited with status 256 (0x100)


This works inside VMs. An important question is whether rowhammer can be used as a VM Breakout exploit.


