Page Frame Cache (PFC) is a purely software cache, present in modern Linux based operating systems (OS), which stores the page frames that are recently being released by the processes running on a particular CPU. In this paper, we show that the page frame cache can be maliciously exploited by an adversary to steer the pages of a victim process to some pre-decided attacker-chosen locations in the memory. We practically demonstrate an end-to-end attack, ExplFrame, where an attacker having only user-level privilege is able to force a victim process's memory pages to vulnerable locations in DRAM and deterministically conduct Rowhammer to induce faults. We further show that these faults can be exploited for extracting the secret key of table-based block cipher implementations. As a case study, we perform a full-key recovery on OpenSSL AES by Rowhammer-induced single bit faults in the T-tables. We propose an improvised fault analysis technique which can exploit any Rowhammer-induced bit-flips in the AES T-tables.

中文翻译：

---

ExplFrame：利用页帧缓存进行块密码故障分析

页帧缓存 (PFC) 是一种纯粹的软件缓存，存在于现代基于 Linux 的操作系统 (OS) 中，用于存储最近由运行在特定 CPU 上的进程释放的页帧。在本文中，我们展示了页面帧缓存可以被对手恶意利用，将受害者进程的页面引导到内存中一些预先确定的攻击者选择的位置。我们实际演示了一种端到端攻击 ExplFrame，其中只有用户级权限的攻击者能够强制受害者进程的内存页面到 DRAM 中的易受攻击的位置，并确定性地执行 Rowhammer 以诱发故障。我们进一步表明，可以利用这些错误来提取基于表的分组密码实现的密钥。作为案例研究，我们通过 T 表中由 Rowhammer 引起的单个位故障对 OpenSSL AES 执行完整密钥恢复。我们提出了一种改进的故障分析技术，它可以利用 AES T 表中任何由 Rowhammer 引起的位翻转。