CAn't Touch This: Practical and Generic Software-only Defenses Against Rowhammer Attacks

Rowhammer is a hardware bug that can be exploited to implement privilege escalation and remote code execution attacks. Previous proposals on rowhammer mitigation either require hardware changes or follow heuristic-based approaches (based on CPU performance counters). To date, there exists no instant protection against rowhammer attacks on legacy systems. In this paper, we present the design and implementation of two practical and efficient software-only defenses against rowhammer attacks. Our defenses prevent the attacker from leveraging rowhammer to corrupt physically co-located data in memory that is owned by a different system entity. Our first defense, B-CATT, extends the system bootloader to disable vulnerable physical memory. B-CATT is highly practical, does not require changes to the operating system, and can be deployed on virtually all x86-based systems. While B-CATT is able to stop all known rowhammer attacks, it does not yet tackle the fundamental problem of missing memory isolation in physical memory. To address this problem, we introduce our second defense G-CATT, a generic solution that extends the physical memory allocator of the OS to physically isolate the memory of different system entities (e.g., kernel and user space). As proof of concept, we implemented B-CATT on x86, and our generic defense, G-CATT, on x86 and ARM to mitigate rowhammer-based kernel exploits. Our extensive evaluation shows that both mitigation schemes (i) can stop available real- world rowhammer attacks, (ii) impose virtually no run-time overhead for common user and kernel benchmarks as well as commonly used applications, and (iii) do not affect the stability of the overall system.