Crash the flash: an end-to-end rowhammer attack on an NAND flash system

Abstract

Rowhammer is an attack that repeatedly reads a row in a specific area and causes electrical errors to flip bits in adjacent rows that can cause data modification, system memory corruption, or even privilege escalation. As NAND flash memory used in data centers has massive personal information, rowhammer attack on NAND flash can be critical. Recently, IBM researchers have presented that a rowhammer attack on a NAND flash SSD can trigger privilege escalation. However, they demonstrated only a part of the entire attack process. Therefore, it is necessary to consider the overall attack process and in-depth research on the NAND rowhammer attack. In this paper, we show the feasibility of end-to-end row hammer attack on NAND flash. We propose an end-to-end rowhammer attack in the emerging storage system and challenges that attack must overcome. The target system is composed of Open Channel SSD, which discloses the internal structure to the host and SPDK, which allows users to directly manage the data in the device. Error modeling and bit flip mode, which defines how bits flip, are designed to conduct rowhammer attack using QEMU emulator. We analyze the possibility of rowhammer attack with bit flip mode, write/erase cycle, page count, and the state of the victim block. As a result, the attack succeeds when the write/erase cycle was 10,000 or more, and attack success rate is higher when sequential bit flips occur. Based on this analysis, we present a practical rowhammer attack method in which an attacker can access victim data without any authorities.