Drammer is an attack that exploits the Rowhammer [1] hardware vulnerability on Android devices. It is the first Android root exploit that requires no user permissions and relies on no software vulnerability. Drammer is an instance of the FFS [2] exploitation technique.
Drammer was published and presented as a scientific paper at the ACM Conference on Computer and Communications Security (CCS) in Vienna, October 2016. Both Ars Technica and WIRED published articles about it.
Paper: https://vvdveen.com/publications/drammer.pdf
Presentation: https://www.youtube.com/watch?v=lTaMvBN1PoA
Slides: https://vvdveen.com/publications/drammer.slides.pdf
Project page: https://vusec.net/projcets/drammer
At HITB, I will present Drammer from a hacker’s perspective. Aside from the core material, there will be some technical storytelling on how Drammer was made. Most importantly, I will discuss the things that we tried in order to flip bits on Android/ARM devices, and how we were on the verge of writing a negative results paper (“Why Johnny cannot flip a bit on ARM”).
[1] Rowhammer is a hardware bug that allows attackers to manipulate data in memory without accessing it. More specifically, by reading many times from a specific memory location, somewhere else in memory a bit may flip (a one becomes a zero, or a zero becomes a one). The work on Drammer was the first to show that Rowhammer is possible on mobile, ARM-based hardware.
[2] Flip Feng Shui is a technique that allows for reliable exploitation of a hardware vulnerability (e.g., Rowhammer) by combining it with a memory massaging primitive (to land sensitive data on a vulnerable location). Drammer is the first to show that such deterministic Rowhammer exploitation is possible without relying on fancy memory management features. Although we focus mainly on mobile devices, this gives Drammer a wider impact: it allows FFS attacks without memory deduplication, for example.