Chaos in Memory: A Comprehensive Analysis of Register and Stack Variable Corruption


The past decade has been marked by a multitude of uncovered vulnerabilities within microarchitectures, leading to new attack vectors and spurring an extensive investigation into potential countermeasures. Particularly, the architectural and physical imperfections within DRAM memories have initiated Rowhammer attacks, which provide a pathway to manipulate a victim's memory space via bit flips. While a considerable body of research has proposed measures to mitigate or nullify the effects of Rowhammer, its full exploitability scope remains underexplored. This thesis pushes the frontier by exploring an innovative exploitation of Rowhammer attacks. The approach involves inducing faults in a victim process's stack variables and register values by forcing a task switch. This switch results in the context being stored in the process stack, which, when stored in memory, becomes vulnerable to a Rowhammer attack. Accomplishing such an exploit involves navigating several complex challenges, such as stack pages co-location, ASLR offset randomization, and synchronization. This thesis covers extensive experimentation which resulted in several intriguing findings. Notably, an observed non-random behavior in ASLR offset randomization could potentially facilitate the acceleration of stack co-location. To illustrate the practical ramifications of these findings, this thesis includes examples of their application, such as bypassing SUDO, SSH authentications, MySQL, and other cryptographic libraries. Thus, this work uncovers a new, potent attack vector, underscoring the necessity for ongoing research into potential vulnerabilities and their countermeasures.

Identifier
  • etd-113218
Year
  • 2023
Date created
  • 2023-08-25
Source
  • etd-113218
Last modified
  • 2023-09-20


Permanent link to this page: https://digital.wpi.edu/show/pg15bj88m