trifectatechfoundation / sudo-rs

A memory safe implementation of sudo and su.

Add mitigating measures against rowhammer attacks. #763

Closed: squell closed 12 months ago

squell commented 1 year ago

This pre-print describes some use of rowhammer attacks against sudo: https://arxiv.org/pdf/2309.02545.pdf. The mitigations listed in the section feel a bit "only half a solution", since opcode flipping is still a risk; and the opinion among security researchers I consulted is that there is only so much you can do in software to protect against this.

Still, some low-hanging fruit which is easily done in Rust is to use arbitrary enum discriminants; e.g. we could not just protect the "is this user authentication bit", but the entire AST of the sudoers parser.

Original sudo has recently added similar mitigations, see: https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f#diff-b8ac7ab4c3c4a75aed0bb5f7c5fd38b9ea6c81b7557f775e46c6f8aa115e02cd

(hat-tip to Todd Miller for sharing)
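
The "arbitrary enum discriminants" idea from the comment above, as an added example that is not code from sudo-rs or from original sudo: a 0/1 flag is compared with an enum whose discriminants are far apart in Hamming distance, so a single flipped bit cannot turn one valid state into another. The type name, the helper functions and the constants are all constructed for illustration, and the decoder works on a raw `u32` because a Rust enum must never hold an invalid discriminant.

```rust
// Added illustration: names and constants are constructed, not taken from sudo-rs or sudo.

/// Naive encoding: 0 = denied, anything else = granted.
/// One flipped bit in a stored 0 turns a denial into a grant.
pub fn naive_is_granted(raw: u32) -> bool {
    raw != 0
}

/// Hardened encoding: explicit discriminants chosen far apart in Hamming distance.
#[repr(u32)]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AuthStatus {
    Denied = 0xA5A5_5A5A,
    Granted = 0x5A5A_A5A5,
    Unknown = 0x3C3C_C3C3,
}

pub const ALL: [AuthStatus; 3] = [AuthStatus::Denied, AuthStatus::Granted, AuthStatus::Unknown];

/// Decode a stored word; anything that is not exactly a known discriminant is rejected.
pub fn decode(raw: u32) -> Option<AuthStatus> {
    ALL.iter().copied().find(|s| *s as u32 == raw)
}

/// Smallest number of bit flips that turns one valid state into another.
pub fn min_distance() -> u32 {
    let mut min = u32::MAX;
    for (i, a) in ALL.iter().enumerate() {
        for b in &ALL[i + 1..] {
            min = min.min(((*a as u32) ^ (*b as u32)).count_ones());
        }
    }
    min
}

/// Count the single-bit flips of `start` that decode to a different valid state.
pub fn single_flip_confusions(start: AuthStatus) -> usize {
    (0u32..32)
        .filter(|&bit| matches!(decode(start as u32 ^ (1u32 << bit)), Some(s) if s != start))
        .count()
}

fn main() {
    println!("naive: stored 0 -> {}, after one flip -> {}", naive_is_granted(0), naive_is_granted(1));
    println!("min Hamming distance between states: {}", min_distance());
    println!("single-flip confusions from Denied: {}", single_flip_confusions(AuthStatus::Denied));
}
```

This covers flips in stored data only; it does nothing about flips in the comparison code itself, which is the opcode-flipping risk the comment mentions.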