rowhammer_test_ext: Extended version of rowhammer_test
This directory contains an extended version of rowhammer_test which reports physical memory addresses.
rowhammer_test_ext has the following differences from rowhammer_test:
It reports the physical addresses of victim locations (memory locations where bit flips occur) and aggressor locations (pairs of memory locations which cause the bit flips when accessed).
When rowhammer_test_ext finds that accessing a batch of addresses produces a bit flip, the program tries to narrow down which pair of addresses in the batch will reproduce the bit flip.
This version is Linux-specific, because it uses /proc/self/pagemap to find the physical addresses of pages.
This version keeps on running when it finds a bit flip, rather than exiting.
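The /proc/self/pagemap lookup mentioned above, as an added example (not code from this repository): it shows how one pagemap entry becomes a physical address and how to recognise a kernel that hides the page frame number from unprivileged processes. The names DecodeEntry, ReadEntry and Lookup are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>
#include <fcntl.h>
#include <unistd.h>

// One 64-bit pagemap entry, per the kernel's pagemap documentation.
constexpr uint64_t kPfnMask = (1ULL << 55) - 1;  // bits 0-54: page frame number
constexpr uint64_t kSwapped = 1ULL << 62;        // bit 62: page is swapped out
constexpr uint64_t kPresent = 1ULL << 63;        // bit 63: page is present in RAM

enum class Lookup { kOk, kNotPresent, kPfnHidden };

// Combines a pagemap entry with the virtual address it was read for.
// Since Linux 4.0 only CAP_SYS_ADMIN gets PFNs; from 4.2 an unprivileged
// reader sees a zeroed PFN field. Assumption: a PFN of 0 means "hidden",
// since frame 0 is not normally handed to user space.
Lookup DecodeEntry(uint64_t entry, uintptr_t virt, uint64_t page_size,
                   uint64_t *phys) {
  if (!(entry & kPresent) || (entry & kSwapped)) return Lookup::kNotPresent;
  uint64_t pfn = entry & kPfnMask;
  if (pfn == 0) return Lookup::kPfnHidden;
  *phys = pfn * page_size + (virt % page_size);
  return Lookup::kOk;
}

// Entries are 8 bytes each, indexed by virtual page number.
bool ReadEntry(uintptr_t virt, uint64_t page_size, uint64_t *entry) {
  int fd = open("/proc/self/pagemap", O_RDONLY);
  if (fd < 0) return false;  // includes EPERM on Linux 4.0 and 4.1
  off_t offset = static_cast<off_t>((virt / page_size) * sizeof(*entry));
  ssize_t got = pread(fd, entry, sizeof(*entry), offset);
  close(fd);
  return got == static_cast<ssize_t>(sizeof(*entry));
}

int main() {
  static volatile char probe = 1;
  probe = 2;  // touch the page so it is resident
  uintptr_t virt = reinterpret_cast<uintptr_t>(&probe);
  uint64_t page_size = static_cast<uint64_t>(sysconf(_SC_PAGESIZE));
  uint64_t entry = 0, phys = 0;
  if (!ReadEntry(virt, page_size, &entry)) { perror("pagemap"); return 1; }
  Lookup r = DecodeEntry(entry, virt, page_size, &phys);
  if (r == Lookup::kOk) printf("phys 0x%llx\n", (unsigned long long)phys);
  else puts(r == Lookup::kPfnHidden ? "PFN hidden (need CAP_SYS_ADMIN)" : "page not present");
  return 0;
}
```

A kPfnHidden result means any physical addresses reported for that run would be meaningless, so check for it before trusting logged addresses.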
How to run the test
If you want to save the results, you can run:
./rowhammer_test_ext 2>&1 | tee -a log_file
Why a separate "extended version"?
rowhammer_test_ext.cc is based on rowhammer_test.cc, but I am keeping them separate so that rowhammer_test.cc stays as simple and portable as possible.
rowhammer_test.cc is a very simple demonstration of how to do row hammering using random address selection, and I don't want to clutter it with Linux-specific code that might fail to build or run on other flavours of Unix.
When the program finds a pair of aggressor addresses that reproduce a bit flip, it outputs a line of the following format:
addr_agg2 are the physical addresses of the aggressor locations.
addr_victim is the physical address of the 64-bit victim location, where the bit flip occurred.
bit_number is the number of the bit that flipped within the 64-bit victim location.
This is useful for checking whether the bit flip can be used for particular exploits, such as the PTE-based exploit (described in the blog post) which involves flipping particular bits in a page table entry (PTE).
flips_to is the value that the bit flipped to, either 0 or 1. (However, note that the test currently initialises memory to all 1s, which means that flips_to will be 0.)