[index][raw][main]
[noise@unvalidatedinput]$ man Mjolnir_Rowhammer
Mjolnir_Rowhammer(1) User Manuals Mjolnir_Rowhammer(1)
NAME
Mjolnir Rowhammer
Wed 8 Apr 21:01:41 BST 2015
DESCRIPTION
Google demonstrated a kernel privilege escalation that leverages row hammering to induce a
bit flip in a page table entry (PTE) which forces the PTE to point to a physical page con‐
taining a page table of the attacking process.
Tested a couple of DDR3 (non-ECC) machines and managed to induce a bit flip on my old MacBook
Air with DDR3...
# ./rowhammer_test Iteration 716 (after 1004.94s)
29.619 nanosec per iteration: 1.27955 sec for 43200000 iterations check error at
0x131207928: got 0xfffffffeffffffff
(check took 0.143148s) ** exited with status 256 (0x100)
# system_profiler SPMemoryDataType Memory:
Memory Slots:
ECC: Disabled
Upgradeable Memory: No
BANK 0/DIMM0:
Size: 2 GB
Type: DDR3
Speed: 1333 MHz
Status: OK
Manufacturer: 0x80CE
Part Number: 0x4D34373142353737334448302D4348392020
Serial Number: -
BANK 1/DIMM0:
Size: 2 GB
Type: DDR3
Speed: 1333 MHz
Status: OK
Manufacturer: 0x80CE
Part Number: 0x4D34373142353737334448302D4348392020
Serial Number: -
# system_profiler SPHardwareDataType 2015-03-11 12:29:29.998 system_profiler[3935:319584]
platformPluginDictionary: Can't get X86PlatformPlugin, return value 0 2015-03-11 12:29:30.000
system_profiler[3935:319584] platformPluginDictionary: Can't get X86PlatformPlugin, return
value 0 Hardware:
Hardware Overview:
Model Name: MacBook Air
Model Identifier: MacBookAir4,2
Processor Name: Intel Core i5
Processor Speed: 1.7 GHz
Number of Processors: 1
Total Number of Cores: 2
L2 Cache (per Core): 256 KB
L3 Cache: 3 MB
Memory: 4 GB
Boot ROM Version: MBA41.0077.B11
SMC Version (system): 1.73f66
Linux April 2015 Mjolnir_Rowhammer(1)
[noise@unvalidatedinput]$ ∎