ExplFrame: Exploiting Page Frame Cache for Fault Analysis of Block Ciphers
This work addresses a security vulnerability in modern operating systems that allows user-level attackers to compromise cryptographic implementations, representing an incremental but practical attack method.
The authors demonstrated that the Page Frame Cache in Linux can be exploited to steer a victim process's memory to vulnerable DRAM locations, enabling deterministic Rowhammer attacks to induce faults, and used this to recover the full secret key of OpenSSL AES through single bit faults in T-tables.
Page Frame Cache (PFC) is a purely software cache, present in modern Linux based operating systems (OS), which stores the page frames that are recently being released by the processes running on a particular CPU. In this paper, we show that the page frame cache can be maliciously exploited by an adversary to steer the pages of a victim process to some pre-decided attacker-chosen locations in the memory. We practically demonstrate an end-to-end attack, ExplFrame, where an attacker having only user-level privilege is able to force a victim process's memory pages to vulnerable locations in DRAM and deterministically conduct Rowhammer to induce faults. We further show that these faults can be exploited for extracting the secret key of table-based block cipher implementations. As a case study, we perform a full-key recovery on OpenSSL AES by Rowhammer-induced single bit faults in the T-tables. We propose an improvised fault analysis technique which can exploit any Rowhammer-induced bit-flips in the AES T-tables.