Key concepts
The LeapFrog attack leverages Rowhammer-induced bit flips in the Program Counter (PC) value stored in the stack to subvert the control flow of victim processes, enabling the bypass of security-critical code sections such as authentication checks and encryption routines.
Summary
The paper introduces a novel Rowhammer attack vector called LeapFrog gadgets, which target the Program Counter (PC) value stored in the user or kernel stack during function calls and context switches. By strategically flipping bits in the PC, an attacker can redirect the execution flow to bypass security-critical code sections, such as authentication checks and encryption routines.
The authors present a systematic methodology to identify LeapFrog gadgets, implemented in a tool called MFS (Multidimensional Fault Simulator). MFS uses dynamic binary instrumentation and analysis to detect potential LeapFrog gadgets in target binaries. It simulates bit flips in the PC value and observes the resulting changes in program behavior, such as authentication bypass or encryption skipping.
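To make the mechanism concrete, the following added example (not the paper's MFS tool, and not code from the authors) models a saved return address in a constructed, hypothetical code layout, enumerates which single-bit flips would land execution past an authentication branch, and shows a shadow-stack style integrity check as the corresponding mitigation. All addresses, instruction labels and function names are assumptions made for the example.

```python
# Toy model of a LeapFrog-style fault on a saved return address.  This is an
# added illustration, not the paper's MFS tool; the code layout, addresses and
# instruction labels below are constructed for the example.

# Hypothetical caller layout: the address the CPU pushes when calling
# check_password() is 0x401005.  Everything from 0x40100D up to the deny
# stub is the privileged region that should only run after a successful check.
LAYOUT = {
    0x401000: "call check_password",
    0x401005: "test eax, eax",      # saved return address points here
    0x401007: "jz deny",            # the authentication branch
    0x401009: "mov rdi, session",
    0x40100D: "call grant_access",  # start of the privileged region
    0x401020: "deny: ...",
}
SAVED_PC = 0x401005
PRIV_START, PRIV_END = 0x40100D, 0x401020


def classify_flip(saved_pc, bit, layout=LAYOUT):
    """Describe what happens if `bit` of the saved return address flips.

    Only instruction starts present in `layout` count as valid landing
    points; a flip that lands elsewhere is treated as a misaligned decode
    or crash in this toy model.
    """
    faulted = saved_pc ^ (1 << bit)
    if faulted not in layout:
        return "crash"
    if PRIV_START <= faulted < PRIV_END:
        return "check skipped"   # execution resumes past the jz deny
    return "benign"


def flips_that_skip(saved_pc, width=32, layout=LAYOUT):
    """Bit positions whose single flip lands inside the privileged region.

    A defender would run this kind of audit over a real layout to see which
    return addresses need a redundant check before a sensitive operation.
    """
    return [b for b in range(width)
            if classify_flip(saved_pc, b, layout) == "check skipped"]


def shadow_checked_return(saved_pc, shadow_pc):
    """Shadow-stack style mitigation: honour the return address only if it
    matches an independently stored copy.  A software copy in ordinary DRAM
    is itself exposed to bit flips; hardware-protected shadow stacks are the
    robust form of this check.
    """
    if saved_pc != shadow_pc:
        raise RuntimeError(
            f"return address mismatch: {saved_pc:#x} != {shadow_pc:#x}")
    return saved_pc


if __name__ == "__main__":
    for b in range(8):
        print(f"bit {b}: -> {SAVED_PC ^ (1 << b):#x}  {classify_flip(SAVED_PC, b)}")
    print("single flips that skip the check:", flips_that_skip(SAVED_PC))
    faulted = SAVED_PC ^ (1 << flips_that_skip(SAVED_PC)[0])
    try:
        shadow_checked_return(faulted, SAVED_PC)
    except RuntimeError as e:
        print("mitigation caught it:", e)
```

In this constructed layout only bit 3 of the saved address moves execution into the privileged region, while bit 1 lands on the branch itself (harmless) and most other flips leave known code entirely. The point for a defender is that a single flip can suffice, so sensitive call sites deserve either control-flow integrity (shadow stack) or a redundant check after the return.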
The paper demonstrates the feasibility of the LeapFrog attack through practical experiments on three real-world applications: OpenSSL, sudo, and a TLS handshake scenario. In the OpenSSL case, the attack was able to bypass encryption for 36 different ciphers, revealing the plaintext. For sudo, the attack enabled privilege escalation by bypassing the password authentication check. In the TLS handshake scenario, the attack successfully induced an instruction skip, allowing the client to bypass the server's authentication.
The findings in this paper extend what is known about the impact of Rowhammer attacks on control flow and inform the development of more robust defenses against these increasingly sophisticated threats.
Quotes
"We introduce the concept of LeapFrog gadgets, which allows an attacker to bypass security critical areas of code by faulting the PC value stored in stack."
"We validate the feasibility of this attack in practical scenarios by successfully bypassing a TLS handshake in standard OpenSSL implementations."
"We introduce the first simulation tool designed to identify LeapFrog gadgets. This tool represents an improvement over existing methodologies by systematically analyzing binaries with our Intel Pin-based tool called MFS and incorporating time-domain analysis in simulations."