Exploiting DRAM bitflips to get a root shell
100 points by goranmoomin 14 hours ago | 12 comments
  • sans_souse 13 hours ago |
    This is some low level hacking right here
  • backspace_ 13 hours ago |
    Do I need a lighter or the Matrix soundtrack to accomplish this hack?
  • ano-ther 13 hours ago |
    Impressive! And a music track like that should be standard for all progress bars.
  • dan_linder 11 hours ago |
    So if we don't have the addition of the antenna wire, is the usual case shielding sufficient, or do we just need larger/more intense pulses, more of them, or somewhere in between? I'd like to try this at home, but not if I have to solder a wire onto the already small RAM traces.
    • yonatan8070 11 hours ago |
      If you try it on a desktop system, the RAM is likely going to be in through-hole DIMM slots, so the soldering will be a lot more manageable than in a laptop.
    • wrs 5 hours ago |
      I’m not sure how you would limit the incoming interference to a single bit, unless you’re very good at beam forming antennas.
  • CTDOCodebases 11 hours ago |
    I remember kids using these things into Street Fighter II machines to get free credits.
  • azalemeth 10 hours ago |
    Yet again, I wish we all had ECC ram!

    Here's the code: https://github.com/DavidBuchanan314/dram_emfi/blob/main/linu... -- the basic idea is

    > Hardware setup: This time I put the "antenna" wire on DQ25, which will fault 64-bit values to +/-32MiB

    > Exploit strat: We fill up as much of physical memory as possible with page tables.

    > When we fault a PTE read, we have a good chance of landing on a page table, giving us R/W access to a page table from userspace.
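The comment above wishes for ECC RAM and quotes the linked write-up's claim that a fault on DQ25 moves a 64-bit value by +/-32MiB. The following is an added illustration, not code from the thread or from the linked dram_emfi repository: a minimal SECDED (single-error-correct, double-error-detect) Hamming code over a 64-bit word, which is the family of codes ECC DIMMs are built on (real modules use vendor-specific layouts; this toy layout and the sample word are my own assumptions). It shows that a single flipped data bit, including bit 25, shifts the stored value by exactly 2^25 = 32MiB and is corrected by the decoder, while two simultaneous flips are detected but not corrected. Whether a fault induced on the CPU side of the bus, rather than in the DIMM, is covered by module ECC is a separate question the thread itself debates.

```python
"""
SECDED Hamming(71,64) plus one overall parity bit over a 64-bit word.
Added educational example; assumed layout, not a real DIMM's ECC code.
Positions are numbered 1..71 Hamming-style: powers of two hold parity bits,
every other position holds a data bit (64 of them).
"""
from typing import Tuple

DATA_BITS = 64
PARITY_POSITIONS = [1, 2, 4, 8, 16, 32, 64]
TOTAL_POSITIONS = DATA_BITS + len(PARITY_POSITIONS)  # 71
# Non-power-of-two positions, in ascending order; DATA_POSITIONS[i] holds data bit i.
DATA_POSITIONS = [p for p in range(1, TOTAL_POSITIONS + 1) if p & (p - 1)]


def extract(code: int) -> int:
    """Pull the 64 data bits back out of a 71-bit codeword (no error checking)."""
    word = 0
    for i, pos in enumerate(DATA_POSITIONS):
        word |= ((code >> (pos - 1)) & 1) << i
    return word


def encode(word: int) -> Tuple[int, int]:
    """Return (codeword, overall_parity). Bit (pos-1) of codeword is Hamming position pos."""
    bits = {pos: (word >> i) & 1 for i, pos in enumerate(DATA_POSITIONS)}
    for p in PARITY_POSITIONS:
        # Parity bit p covers every position whose index has bit p set.
        covered = [q for q in range(1, TOTAL_POSITIONS + 1) if q & p and q != p]
        bits[p] = sum(bits.get(q, 0) for q in covered) & 1
    code = 0
    for pos, b in bits.items():
        code |= b << (pos - 1)
    overall = bin(code).count("1") & 1  # extra parity bit enables double-error detection
    return code, overall


def decode(code: int, overall: int) -> Tuple[str, int]:
    """Return (status, word) where status is ok / corrected / uncorrectable."""
    syndrome = 0
    for pos in range(1, TOTAL_POSITIONS + 1):
        if (code >> (pos - 1)) & 1:
            syndrome ^= pos  # XOR of set positions names the single error position
    parity_ok = (bin(code).count("1") & 1) == overall
    if syndrome == 0 and parity_ok:
        return "ok", extract(code)
    if syndrome != 0 and not parity_ok:
        code ^= 1 << (syndrome - 1)  # single-bit error: flip it back
        return "corrected", extract(code)
    if syndrome == 0 and not parity_ok:
        return "corrected", extract(code)  # only the overall parity bit was hit
    return "uncorrectable", extract(code)  # even number of flips: detected, not fixed


def flip_data_bit(code: int, data_bit: int) -> int:
    """Model a bus/DRAM fault that flips one data line (e.g. DQ25 -> data bit 25)."""
    return code ^ (1 << (DATA_POSITIONS[data_bit] - 1))


def fault_delta(word: int, data_bit: int) -> int:
    """Signed change in the stored value if data_bit alone is flipped."""
    faulty = extract(flip_data_bit(encode(word)[0], data_bit))
    return faulty - word


if __name__ == "__main__":
    sample = 0x123456789ABCDEF0  # constructed sample value
    code, ov = encode(sample)
    print("delta for DQ25 fault:", fault_delta(sample, 25) // (1 << 20), "MiB")
    print(decode(flip_data_bit(code, 25), ov)[0])
```

Running the module prints the DQ25 fault delta of +/-32 MiB (sign depends on whether bit 25 was set in the sample) and "corrected" for a single flip; flipping a second data bit yields "uncorrectable", which is the detect-but-not-fix behaviour a SECDED module reports as an uncorrectable error.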

  • mikewarot 9 hours ago |
    <rant value="verbose">

    It's circuit bending, or Fritzing, not finding a clever exploit in DRAM. Even an ECC module isn't going to help you if it's on the CPU data bus.

    I just hope we don't all end up suffering through yet another 50% slowdown in patches to the kernel to avoid this nonsense because someone buys the BS and now it has to be "fixed", like the row hammer software fixes, instead of just fixing the damn DRAM modules, and better hardware.

    </rant>

    Another analogy:

    It's like when a brain surgeon probes your cerebellum and suddenly you smell strawberry or hear Brahms. The surgeon certainly doesn't know what reaction you have unless you tell them.

    You wouldn't go around later saying "Dr Jones made me smell strawberries, on a whim, certainly he's a G*d"

    • nwah1 5 hours ago |
      If there is no unpredictable ASLR then in this case it is as if the surgeon knows exactly where to probe to make you smell strawberries.
  • captn3m0 7 hours ago |
    Some context from the author’s fedi account:

    > I'm exploring this because I think it might be useful for console hacking - where you have physical access, and the ability to execute sandboxed code (say, inside a web browser)

    ID: @[email protected] (they ask not to link to their fedi instance).