Since its inception, Rowhammer exploits have rapidly evolved into increasingly sophisticated threats not only compromising data integrity but also the control flow integrity of victim processes. Nevertheless, it remains a challenge for an attacker to identify vulnerable targets (i.e., Rowhammer gadgets), understand the outcome of the attempted fault, and formulate an attack that yields useful results. In this paper, we present a new type of Rowhammer gadget, called a LeapFrog gadget, which, when present in the victim code, allows an adversary to subvert code execution to bypass a critical piece of code (e.g., authentication check logic, encryption rounds, padding in security protocols). The Leapfrog gadget manifests when the victim code stores the Program Counter (PC) value in the user or kernel stack (e.g., a return address during a function call) which, when tampered with, re-positions the return address to a location that bypasses a security-critical code pattern. This research also presents a systematic process to identify Leapfrog gadgets. This methodology enables the automated detection of susceptible targets and the determination of optimal attack parameters. We first showcase this new attack vector through a practical demonstration on a TLS handshake client/server scenario, successfully inducing an instruction skip in a client application. We then demonstrate the attack on real-world code found in the wild, implementing an attack on OpenSSL. Our findings extend the impact of Rowhammer attacks on control flow and contribute to the development of more robust defenses against these increasingly sophisticated threats.

翻译：自问世以来，Rowhammer利用手段已迅速演变为日益复杂的威胁，不仅危及数据完整性，还危及受害者进程的控制流完整性。然而，攻击者仍面临识别易受攻击目标（即Rowhammer小工具）、理解尝试故障的结果以及制定能产生有用结果的攻击的挑战。本文提出一种新型Rowhammer小工具，称为LeapFrog小工具，当存在于受害者代码中时，允许对手颠覆代码执行以绕过关键代码片段（例如，身份验证检查逻辑、加密轮次、安全协议中的填充）。当受害者代码将程序计数器（PC）值存储在用户或内核堆栈中（例如，函数调用期间的返回地址）时，该返回地址若被篡改，则会被重新定位到绕过安全关键代码模式的位置，从而产生LeapFrog小工具。本研究还提出了一种系统化流程来识别LeapFrog小工具。该方法能够自动检测易受攻击的目标并确定最佳攻击参数。我们首先通过一次对TLS握手客户端/服务器场景的实际演示，展示了这一新攻击向量，成功地在客户端应用程序中诱导了一次指令跳过。随后，我们演示了针对现实世界中发现的真实代码的攻击，即对OpenSSL实施了攻击。我们的发现扩展了Rowhammer攻击对控制流的影响，并有助于开发更强大的防御措施来应对这些日益复杂的威胁。