
hammertime's Introduction

README

Hammertime: a software suite for testing, profiling and simulating the Rowhammer DRAM defect, built on top of the RAMSES address translation library.

What does this project contain?

Hammertime contains two major components:

  • profile: a tool to test and collect data about a running system's vulnerability to Rowhammer. For more information, check out its own README file under profile/README.
  • A Rowhammer exploit simulator, useful for rapid evaluation of exploit effectiveness
  • Various small tools and utilities:
    • py/hammertime -- Python interface to working with profile output files
    • py/hammerstats.py prints basic statistics about the output of a profile run. Demo usage of the Python interface.
    • py/prettyprofile.py converts a profile output into something more human-friendly.
    • py/common_flips.py processes multiple profile results selecting only bit flips common to all. Useful for finding bit flips that can be reliably triggered.
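
To illustrate the idea behind py/common_flips.py (keeping only flips seen in every run), here is an added example that is not the project's own code. The `Flip` record, the function names and the sample runs are assumptions constructed for illustration and do not reflect the raw output format of profile; the example also generalizes "common to all" to a minimum fraction of runs.

```python
from collections import Counter
from typing import Iterable, NamedTuple


class Flip(NamedTuple):
    """One observed bit flip (constructed record, not profile's raw format)."""
    phys_addr: int   # physical address of the affected byte
    bit: int         # bit index within that byte, 0..7
    to_one: bool     # True for a 0->1 flip, False for a 1->0 flip


def reproducibility(runs: Iterable[Iterable[Flip]]) -> dict:
    """Map each flip to the fraction of runs in which it was observed."""
    run_sets = [set(run) for run in runs]   # a flip counts once per run
    if not run_sets:
        return {}
    seen = Counter(flip for run in run_sets for flip in run)
    return {flip: count / len(run_sets) for flip, count in seen.items()}


def common_flips(runs, min_fraction=1.0):
    """Flips present in at least min_fraction of the runs, sorted by address."""
    rates = reproducibility(runs)
    return sorted(f for f, rate in rates.items() if rate >= min_fraction)


# Constructed sample data: three runs over the same memory region.
STABLE = Flip(0x1F4A2010, 3, False)      # seen in every run
FLAKY = Flip(0x2B001FF8, 7, True)        # seen in two of three runs
ONE_OFF = Flip(0x30000400, 0, True)      # seen once
# Same cell as FLAKY but opposite direction: treated as a different flip.
OPPOSITE = Flip(0x2B001FF8, 7, False)

RUN_A = [STABLE, STABLE, FLAKY, ONE_OFF]  # duplicate within a run is ignored
RUN_B = [STABLE, FLAKY]
RUN_C = [STABLE, OPPOSITE]

if __name__ == "__main__":
    for flip, rate in sorted(reproducibility([RUN_A, RUN_B, RUN_C]).items()):
        arrow = "0->1" if flip.to_one else "1->0"
        print(f"{flip.phys_addr:#010x} bit {flip.bit} {arrow}: {rate:.0%} of runs")
    print("common to all runs:", common_flips([RUN_A, RUN_B, RUN_C]))
```

A flip that reproduces in every run indicates a consistently weak cell, which is the information needed when deciding whether a module should be replaced or the affected region retired.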

For an in-depth view of the overall architecture of Hammertime check out the paper "Defeating Software Mitigations against Rowhammer: A Surgical Precision Hammer" by Tatar et al. presented at RAID'18.

How do I get set up?

Dependencies

  • POSIX-compatible OS (Linux recommended)
  • Python >= 3.2 --- used by tools
  • RAMSES (included as git submodule; make sure to clone recursively or manually init and update before building)

Building

Run make in the root directory to build all Hammertime components and tools.

make clean removes all previously built files.

Getting started

Detecting your system's memory configuration

A memory configuration (i.e. .msys) file includes information about the memory controller, physical address routing, DRAM geometry and optional on-chip remapping. Figuring these out by hand is tedious; here's where a tool comes in.

Run ramses/tools/msys_detect.py, ideally as a superuser. It will try to auto-detect most parameters and ask you for the others.

The output file it produces can now be used by other Hammertime components.

Testing for Rowhammer

The profile tool works best with elevated permissions. We recommend running it as root or running make cap as root in its directory to set the necessary capabilities on the binary.

Example run with only the essential arguments:

profile/profile 256m spam.msys

will run a basic double-sided rowhammer attack over 256MiB of RAM using spam.msys as memory configuration file.

The output may seem a bit cryptic. To remedy this, use the prettifying script:

profile/profile 256m spam.msys | py/prettyprofile.py -

as a shell pipeline or

profile/profile 256m spam.msys myprof.res
py/prettyprofile.py myprof.res

by using a temporary file.

Check out profile's own README file for (many) more command line options and the format of its raw output.

Simulating bit flips

The hammertime.sim Python package provides an API for evaluating the potential effectiveness of Rowhammer exploits, using memory profiles output by Hammertime profile. Several examples of such exploits are provided:

  • py/dem_exploit.py -- Dedup Est Machina (S&P'16)
  • py/ffs_exploit.py -- Flip Fen Shui (Black Hat Europe '16)
  • py/x86pte_exploits.py -- Exploits targeting parts of an x86(_64) page table entry (PTE)

We also provide a repository with profile outputs captured on vulnerable hardware available here.

How can I contribute?

I found a bug!

Report it on the bug tracker here.


hammertime's Issues

Segmentation fault

Hi,
when I run the profile app it fails:

$ sudo profile/profile 256m mem.msys
Segmentation fault

$ cat /etc/os-release
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2018.4"
VERSION_ID="2018.4"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"

$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/9/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:hsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 9.2.1-17' --with-bugurl=file:///usr/share/doc/gcc-9/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,gm2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-9 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none,hsa --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 9.2.1 20191102 (Debian 9.2.1-17)

any idea how to fix it?

Encountering problems during the build

Hi !

I read your article (https://www.vusec.net/projects/drammer/) and wanted to see how was this Rowhammer simulator. ... but I got errors earlier than I thought.

Following the steps described in "How do I get setup ?", I thought my dependencies were ok, but when I launch :

$ make demo

I encountered the following error :

in hammertime/perfev-util :

gcc -std=gnu99 -Wall - Wpedantic -O2 -fPIC -c perfev.c

perferv.c : In function 'attach' :
perfev.c:45:62: 'PERF_FLAG_FD_CLOEXEC' undeclared (first use in this function)
((flags & PERFEV_FLAG_CLOEXEC) ? PERF_FLAG_FD_CLOEXEC : 0);

and I can't figure out what is wrong :

  • hammertime/perfev-util/perfev.h contains the line #include <linux/perf_event.h>
  • uname -r returns "4.4.0-31-generic", so it is greater than 3.18
  • and perfev.c:44 doesn't raise an error with the use of PERF_FLAG_PID_CGROUP.

Does anyone have any idea of where my problem comes from ? I would be very grateful.
Thank you in advance !

Niloss

offset meaning of FFS simulation (ffs_exploit.py)

hello, I was wondering what these offsets mean. Must it be this offset?

class GPGFlip(_PreciseFlipExploit):
    gpg_bit_offsets_down = [ # 1->0
        54444, 54477, 54576, 54606, 54750, 55566, 55696, 55896, 56152, 56522,
        56711, 56747, 56764, 56989, 57193, 57362, 57696, 57858, 76774, 77062,
        77287, 78053, 78147, 79073, 79087, 79459, 80097, 80148, 80375,
    ]
    gpg_bit_offsets_up = [ # 0->1
        56067, 55022, 54936, 80252, 56396, 77713, 77591, 78378, 56554, 79732,
        55531, 55106, 76514, 79364, 77263, 56068, 57035, 54661, 57102, 78292,
        54960, 76364, 55812, 55830
    ]

Thank you!

Error in extracting DRAM memory configuration

Hi,

I tried to run this hammertime tool with a system having Intel architecture 'ivybridge'. However, the options available in the tool for intel are ivyhaswell and sandy as printed after running the command :

sudo ramses/tools/msys_detect.py

By selecting the ivyhaswell option and also, running the command "sudo dmidecode -t memory generate" the following error:

/dev/mem: No such file or directory

It seems that the problem is in extracting the DRAM memory configuration. It would be great if you could help in resolving this issue.

Regards,
Ayesha Siddique
