Since their inception, Rowhammer exploits have rapidly evolved into increasingly sophisticated threats that compromise both the data integrity and the control-flow integrity of victim processes. Nevertheless, it remains a challenge for an attacker to identify vulnerable targets (i.e., Rowhammer gadgets), to understand the outcome of the attempted fault, and to formulate an attack that yields useful results. In this paper, we present a new type of Rowhammer gadget, called a LeapFrog gadget, which, when present in the victim code, allows an adversary to subvert code execution and bypass a critical piece of code (e.g., authentication check logic, encryption rounds, padding in security protocols). The LeapFrog gadget manifests when the victim code stores a Program Counter (PC) value on the user or kernel stack (e.g., a return address during a function call); a bit flip in that stored value repositions the return address to a location that skips a security-critical code pattern. This research also presents a systematic process for identifying LeapFrog gadgets, enabling the automated detection of susceptible targets and the determination of optimal attack parameters. We first demonstrate the attack on a decision tree algorithm to illustrate its potential implications. Second, we apply the attack to OpenSSL to bypass encryption and reveal the plaintext. We then use our tools to scan the Open Quantum Safe library and report the number of LeapFrog gadgets in its code. Lastly, we demonstrate this new attack vector in a practical client/server TLS handshake scenario, successfully inducing an instruction skip in the client application. Our findings extend the impact of Rowhammer attacks on control flow and contribute to developing more robust defenses against these increasingly sophisticated threats.
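The gadget described above can be made concrete with a small model. The following C program is an added illustration, not code from the paper or its gadget-scanning tool: it takes a constructed x86-64 function layout (addresses, instruction lengths and the `read_credentials` / `verify_password` / `grant_access` names are all assumptions made for this example), takes the return address that `call read_credentials` would push onto the stack, and enumerates every single-bit flip of that saved value. A flip is reported as a LeapFrog candidate only if the new address falls on a real instruction boundary inside the function and in the code that runs after the check succeeds; flips that land mid-instruction, before the check, or outside the function are classified separately, since those crash or replay rather than skip. The flip direction (0 to 1 or 1 to 0) is recorded because it is an attack parameter when matching the target stack slot to a flippable DRAM cell.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of a LeapFrog gadget: a saved return address on the stack is
 * hit by one Rowhammer bit flip, so `ret` resumes at another instruction
 * boundary in the same function, past a security check.
 * The victim layout below is constructed for this example (not taken from
 * any real binary); addresses, byte lengths and names are assumptions.
 */

enum region { PRE, CHECK, GRANT, DENY, EPILOGUE };

typedef struct {
    uint64_t    addr;    /* address of the instruction's first byte */
    const char *mnem;    /* mnemonic, for the report only */
    enum region region;  /* which part of the function it belongs to */
} insn_t;

static const insn_t victim[] = {
    {0x401000, "push rbx",              PRE},
    {0x401001, "xor  edi, edi",         PRE},
    {0x401003, "call read_credentials", PRE},      /* pushes 0x401008 */
    {0x401008, "mov  rdi, rax",         CHECK},    /* <- saved return address */
    {0x40100b, "call verify_password",  CHECK},
    {0x401010, "test eax, eax",         CHECK},
    {0x401012, "jz   deny",             CHECK},    /* jz rel32, 6 bytes */
    {0x401018, "mov  edi, 1",           GRANT},    /* check passed */
    {0x40101d, "call grant_access",     GRANT},
    {0x401022, "jmp  done",             GRANT},
    {0x401024, "xor  edi, edi",         DENY},     /* deny: */
    {0x401026, "call deny_access",      DENY},
    {0x40102b, "pop  rbx",              EPILOGUE}, /* done: */
    {0x40102c, "ret",                   EPILOGUE},
};
#define VICTIM_N   (int)(sizeof victim / sizeof victim[0])
#define VICTIM_END 0x40102dULL   /* first byte after the function */
#define SAVED_RET  0x401008ULL   /* what `call read_credentials` pushed */

static const char *region_name[] = {
    "before the check (replays code)", "inside the check", "grant path (check bypassed)",
    "deny path", "epilogue (skips everything)",
};

/* Index of the instruction starting exactly at `a`, or -1. A flipped return
 * address only "skips" cleanly when it lands on a boundary; anything else
 * desynchronises the decoder and usually crashes the victim. */
static int insn_at(uint64_t a)
{
    for (int i = 0; i < VICTIM_N; i++)
        if (victim[i].addr == a) return i;
    return -1;
}

typedef struct {
    int      bit;     /* which bit of the saved return address flipped */
    int      to_one;  /* 1 for a 0->1 flip, 0 for 1->0 (DRAM cell orientation) */
    uint64_t target;  /* where `ret` now transfers control */
} flip_t;

/* Enumerate all single-bit flips of `ret`; collect those landing on an
 * instruction boundary in the GRANT region. Returns the candidate count. */
static int leapfrog_candidates(uint64_t ret, flip_t *out, int max)
{
    int n = 0;
    for (int bit = 0; bit < 64 && n < max; bit++) {
        uint64_t target = ret ^ (1ULL << bit);
        int idx = insn_at(target);
        if (idx >= 0 && victim[idx].region == GRANT) {
            out[n].bit    = bit;
            out[n].to_one = !((ret >> bit) & 1);
            out[n].target = target;
            n++;
        }
    }
    return n;
}

/* Scalar views of the result, convenient for checking. */
static int leapfrog_count(uint64_t ret)           { flip_t f[64]; return leapfrog_candidates(ret, f, 64); }
static int leapfrog_first_bit(uint64_t ret)       { flip_t f[64]; return leapfrog_candidates(ret, f, 64) ? f[0].bit : -1; }
static uint64_t leapfrog_first_target(uint64_t ret) { flip_t f[64]; return leapfrog_candidates(ret, f, 64) ? f[0].target : 0; }

/* Human-readable outcome of `ret` landing at `a`. */
static const char *classify(uint64_t a)
{
    if (a < victim[0].addr || a >= VICTIM_END) return "outside the function";
    int idx = insn_at(a);
    if (idx < 0) return "mid-instruction (decoder desync)";
    return region_name[victim[idx].region];
}

int main(void)
{
    printf("saved return address 0x%llx\n", (unsigned long long)SAVED_RET);
    for (int bit = 0; bit < 24; bit++) {   /* flips above bit 23 all leave the function */
        uint64_t t = SAVED_RET ^ (1ULL << bit);
        printf("bit %2d (%s): 0x%06llx  %s\n", bit, ((SAVED_RET >> bit) & 1) ? "1->0" : "0->1",
               (unsigned long long)t, classify(t));
    }
    flip_t f[64];
    int n = leapfrog_candidates(SAVED_RET, f, 64);
    printf("%d LeapFrog candidate(s)\n", n);
    for (int i = 0; i < n; i++)
        printf("  flip bit %d (%s) -> 0x%llx: %s\n", f[i].bit, f[i].to_one ? "0->1" : "1->0",
               (unsigned long long)f[i].target, victim[insn_at(f[i].target)].mnem);
    return 0;
}
```

On this layout exactly one flip qualifies: setting bit 4 of 0x401008 yields 0x401018, the first instruction of the grant path, so `verify_password` and the conditional branch are never executed. The neighbouring flips show why gadget identification is the hard part: bit 3 sends execution back to the prologue, bit 5 lands inside `call deny_access`'s encoding, and everything from bit 6 upward leaves the function. Real tooling has to recover instruction boundaries from a disassembler and decide which landing sites are useful for the target program; the decision rule here is deliberately simple.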