/rowhammer_armv8

Trigger the rowhammer bug on ARMv8

Primary LanguageC

rowhammer_armv8

The preliminary results are published in our paper "Triggering Rowhammer Hardware Faults on ARM: A Revisit".

This code works on board AML-S905X-CC(Le Potato). To use it on other boards, some minor modifications may be needed.

NOTE: As our focus is on how to trigger the rowhammer bug on ARMv8-A platforms, some of the technical challenges like obtaining the physical-to-DRAM address mapping and finding appropriate aggressor rows are solved directly by leveraging some privileged interfaces/methods. However, after pairs of aggressor rows are acquired, the hammering process is unprivileged.

How to run our experiments

Get mapping from physical address to DRAM

We implement this in a kernel module. To perform double-sided hammering, we are interested in the second lowest row bit. (We found the second lowest row bit is bit 16 of the physical address on AML-S905X-CC.)

cd 1_phy2dram_mapping 
make  
make test

Install pagemap lib

This library can be used to read "/proc/<pid>/pagemap" file and find candidate aggressor pairs

cd 2_find_aggressors  
make  
make install

Start rowhammer test

Run rowhammer program and output flippable bits

cd 3_rowhammer_test  
make  
make run

Sending output as input of experiments

make send

Experiments

  • Experiment 1: Finding relationships between the number of iterations and the number of bit flips

  • Experiment 2: Measuring the execution time of different apporaches

  • Experiment 3: Comparing the effectiveness of different approaches

  • Experiment 4: Measuring the performance of multi-threaded hammering

    • You can also disable cache maintenance instructions

Modify refresh rate (optional)

  • Applicable on AML-S905X-CC(Le Potato) only

  • Can modify refresh interval of DRAM

  • Only used to quickly find potential aggressor rows