New JavaScript Exploit Can Now Carry Out DDR4 Rowhammer Attacks

silversurfer

Academics from Vrije University in Amsterdam and ETH Zurich have published a new research paper describing yet another variation of the Rowhammer attack.

Dubbed SMASH (Synchronized MAny-Sided Hammering), the technique can be used to successfully trigger the attack from JavaScript on modern DDR4 RAM cards, notwithstanding extensive mitigations that have been put in place by manufacturers over the last seven years.

"Despite their in-DRAM Target Row Refresh (TRR) mitigations, some of the most recent DDR4 modules are still vulnerable to many-sided Rowhammer bit flips," the researchers said.

"SMASH exploits high-level knowledge of cache replacement policies to generate optimal access patterns for eviction-based many-sided Rowhammer. To bypass the in-DRAM TRR mitigations, SMASH carefully schedules cache hits and misses to successfully trigger synchronized many-sided Rowhammer bit flips."
 

upnorth

Specifically, the exploit chain is initiated when a victim visits a malicious website under the adversary's control or a legitimate website that contains a malicious ad, taking advantage of the Rowhammer bit flips triggered from within the JavaScript sandbox to gain control over the victim's browser.

SMASH is a new JavaScript-based attack that gives the attacker an arbitrary read and write primitive in the browser. It does not rely on software vulnerabilities or bugs, but instead takes advantage of the much harder to mitigate Rowhammer bug in hardware to initiate the exploit chain.

However, exploiting the Rowhammer bug to trigger bit flips is not an easy task. Modern memory modules come equipped with a dedicated in-memory defense against Rowhammer, called Target Row Refresh (TRR). Although previous work has shown that TRR is vulnerable to more advanced access patterns than ordinary double-sided Rowhammer, constructing such patterns from inside high-level JavaScript is difficult.

SMASH demonstrates, however, that it is not impossible to build fast, Rowhammer-inducing, and TRR-evading access patterns through cache eviction, without relying on low-level flushing instructions such as CLFLUSH. In addition, our research yielded a new insight about TRR. We were able to synchronize memory requests with the refresh commands sent to DRAM by the memory controller, allowing for very fine-grained control of when and which addresses are exposed to TRR—and therefore also when and which addresses are not. Our work confirms that the Rowhammer bug continues to threaten Web users. Worse still, our insights on synchronization show that the attacker has more control than previously thought, and will make it even harder to build the proper Rowhammer defense we need as long as the bug itself persists.

ForgottenSeer 85179

From their PDF:
Our end-to-end exploit, called SMASH, can fully compromise the Firefox browser with all the mitigations enabled in 15 minutes on average.
No word about other browsers.
 

Freki123

On GitHub they state: ".... Will only work with THP enabled and after having set the target-specific parameters (see comment in source)."
Is THP (transparent huge pages?) part of a normal Windows 10 install? I only found it mentioned as used in database programs or Ubuntu/Linux.
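The THP setting the repository note refers to is a Linux kernel feature, exposed through sysfs. The following is an added example, not code from the thread or from the SMASH repository: a small POSIX shell check that reads /sys/kernel/mm/transparent_hugepage/enabled (a real kernel path whose content looks like "always [madvise] never", with the active mode in brackets) and reports whether THP is enabled on the host. The optional file argument, the function names thp_status and thp_enabled, and the constructed sample contents used in testing are assumptions introduced here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the SMASH repository).
# Reports the Transparent Huge Pages (THP) mode on a Linux host by parsing
# /sys/kernel/mm/transparent_hugepage/enabled, whose contents look like
# "always [madvise] never" with the active mode in brackets.
# An optional file argument overrides the sysfs path so the parser can be
# exercised on a constructed file (used by the self-check below).

THP_SYSFS="/sys/kernel/mm/transparent_hugepage/enabled"

# thp_status [file]: prints the active mode (always|madvise|never), or
# "unavailable" when the entry does not exist (non-Linux host, or a kernel
# built without CONFIG_TRANSPARENT_HUGEPAGE).
thp_status() {
    f="${1:-$THP_SYSFS}"
    if [ ! -r "$f" ]; then
        printf 'unavailable\n'
        return 0
    fi
    # Keep only the bracketed token and strip the brackets.
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# thp_enabled [file]: succeeds when THP is "always" or "madvise".
# Note: with "madvise" only processes that call madvise(MADV_HUGEPAGE)
# on a region get huge pages; "always" applies system-wide.
thp_enabled() {
    case "$(thp_status "$1")" in
        always|madvise) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: print the mode on this machine.
printf 'THP mode: %s\n' "$(thp_status)"
```

Run it as-is on a Linux box to see the current mode; on Windows there is no such sysfs entry and the script reports "unavailable", which matches the observation above that THP is a Linux-side setting rather than part of a Windows install.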
 