Software-only Reverse Engineering of Physical DRAM Mappings for Rowhammer Attacks

In recent years, the ability to induce bit-flips in DRAM cells via software-only driven charge depletion has been successfully exploited to gain unauthorized privileged access to the functional resources on fixed and mobile computational platforms. The first crucial step in executing these attacks, collectively known as rowhammer attacks, concerns gaining the knowledge of how virtual memory addresses are mapped onto the geometric addresses of the physical DRAM module(s). We propose a methodology to reverse engineer such maps without direct physical probing of the DRAM bus of the target platform. We validate the correctness of the inferred maps against some publicly available data about modern Intel CPUs maps and show that they depend on the number of installed memory modules.