.SH NAME
Mjolnir Rowhammer
.rj
Wed 8 Apr 21:01:41 BST 2015
.SH DESCRIPTION
Google demonstrated a kernel privilege escalation that leverages row hammering to induce a bit flip in a page table entry (PTE) which forces the PTE to point to a physical page containing a page table of the attacking process.
.PP
Tested a couple of DDR3 (non-ECC) machines and managed to induce a bit flip on my old MacBook Air with DDR3...
.PP
.nf
    # ./rowhammer_test
    ...
    Iteration 716 (after 1004.94s)
      29.619 nanosec per iteration: 1.27955 sec for 43200000 iterations
    check
    error at 0x131207928: got 0xfffffffeffffffff
      (check took 0.143148s)
    ** exited with status 256 (0x100)
.fi
.PP
.nf
    # system_profiler SPMemoryDataType
    Memory:
        Memory Slots:
          ECC: Disabled
          Upgradeable Memory: No
            BANK 0/DIMM0:
              Size: 2 GB
              Type: DDR3
              Speed: 1333 MHz
              Status: OK
              Manufacturer: 0x80CE
              Part Number: 0x4D34373142353737334448302D4348392020
              Serial Number: -
            BANK 1/DIMM0:
              Size: 2 GB
              Type: DDR3
              Speed: 1333 MHz
              Status: OK
              Manufacturer: 0x80CE
              Part Number: 0x4D34373142353737334448302D4348392020
              Serial Number: -
.fi
.PP
.nf
    # system_profiler SPHardwareDataType
    2015-03-11 12:29:29.998 system_profiler[3935:319584] platformPluginDictionary: Can't get X86PlatformPlugin, return value 0
    2015-03-11 12:29:30.000 system_profiler[3935:319584] platformPluginDictionary: Can't get X86PlatformPlugin, return value 0
    Hardware:
        Hardware Overview:
          Model Name: MacBook Air
          Model Identifier: MacBookAir4,2
          Processor Name: Intel Core i5
          Processor Speed: 1.7 GHz
          Number of Processors: 1
          Total Number of Cores: 2
          L2 Cache (per Core): 256 KB
          L3 Cache: 3 MB
          Memory: 4 GB
          Boot ROM Version: MBA41.0077.B11
          SMC Version (system): 1.73f66
.fi
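To triage the error line in the rowhammer_test output above, the following added example (not part of the original post or of Google's test code) diffs the value read back against the fill pattern and reports which field of an x86-64 page table entry each flipped bit position falls in. It assumes the test filled memory with all-ones, as the reported value suggests; the function and type names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Part of an x86-64 4 KiB page table entry that a bit position belongs to. */
enum pte_field { PTE_FLAGS, PTE_FRAME, PTE_HIGH };

struct flip {
    int bit;              /* position in the 64-bit word, 0 = least significant */
    int one_to_zero;      /* 1 if the bit went 1 -> 0, 0 if it went 0 -> 1 */
    enum pte_field field; /* where this bit would sit if the word were a PTE */
};

enum pte_field classify(int bit)
{
    if (bit < 12) return PTE_FLAGS;  /* present, writable, user, ... */
    if (bit < 52) return PTE_FRAME;  /* physical address bits 12..51 */
    return PTE_HIGH;                 /* available bits, protection key, NX */
}

/* Diff the fill pattern against the value read back; returns the flip count. */
int find_flips(uint64_t expected, uint64_t got, struct flip out[64])
{
    uint64_t diff = expected ^ got;
    int n = 0;
    for (int bit = 0; bit < 64; bit++) {
        if (!((diff >> bit) & 1))
            continue;
        out[n].bit = bit;
        out[n].one_to_zero = (int)((expected >> bit) & 1);
        out[n].field = classify(bit);
        n++;
    }
    return n;
}

/* Address of the byte holding the flipped bit (x86 is little-endian). */
uint64_t flipped_byte_addr(uint64_t word_addr, const struct flip *f)
{
    return word_addr + (uint64_t)(f->bit / 8);
}

/* Bytes the mapped physical address would move by; 0 outside the frame field. */
uint64_t frame_shift_bytes(const struct flip *f)
{
    return f->field == PTE_FRAME ? (uint64_t)1 << f->bit : 0;
}

int main(void)
{
    struct flip f[64];
    /* Address and value copied from the test output; all-ones fill is assumed. */
    int n = find_flips(~(uint64_t)0, 0xfffffffeffffffffULL, f);
    for (int i = 0; i < n; i++)
        printf("bit %d (%s) at byte 0x%llx, PTE field %d, frame shift 0x%llx\n",
               f[i].bit, f[i].one_to_zero ? "1->0" : "0->1",
               (unsigned long long)flipped_byte_addr(0x131207928ULL, &f[i]),
               (int)f[i].field, (unsigned long long)frame_shift_bytes(&f[i]));
    return 0;
}
```

For the reported value this yields a single 1 -> 0 flip at bit 32, a position that in a PTE lies inside the physical frame field, which is why one flipped bit is enough to repoint a mapping.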