ExplFrame: Exploiting Page Frame Cache for Fault Analysis of Block Ciphers

Anirban Chakraborty^1,a, Sarani Bhattacharya², Sayandeep Saha^1,b and Debdeep Mukhopadhyay<sup>1,c

1</sup>Dept. of Computer Science IIT Kharagpur, India
^aanirban.chakraborty@iitkgp.ac.in
^bsahasayandeep@cse.iitkgp.ac.in
^cdebdeep@cse.iitkgp.ac.in
²COSIC, ESAT KU Leuven, Belgium
Sarani.Bhattacharya@esat.kuleuven.be

ABSTRACT

Page Frame Cache (PFC) is a purely software cache, present in modern Linux based operating systems (OS), which stores the page frames that were recently released by the processes running on a particular CPU. In this paper, we show that the page frame cache can be maliciously exploited by an adversary to steer the pages of a victim process to some pre-decided attacker-chosen locations in the memory. We practically demonstrate an end-to-end attack, ExplFrame, where an attacker having only user-level privilege is able to force a victim process's memory pages to vulnerable locations in DRAM and deterministically conduct Rowhammer to induce faults. As a case study, we induce single bit faults in the T-tables on OpenSSL (v1.1.1) AES using our proposed attack ExplFrame. We also propose an improvised fault analysis technique which can exploit any Rowhammer-induced bit-flips in the AES T-tables.

Keywords: Page Frame Cache, Buddy Allocator, OpenSSL, Rowhammer, DRAM, Fault Injection

---

Full Text (PDF)

© 2020 EDAA. All rights reserved.