DDR4 Memory Vulnerable to Browser Attacks with Simple JavaScript Exploit


Back in 2014, it emerged that computer memory is vulnerable to a special type of attack called Rowhammer. To address the new threat, memory designers changed a number of cell refresh mechanisms and assumed they had protected DRAM modules from the attack. In March of last year, it was revealed that DDR4 memory is still vulnerable to Rowhammer, although the attack strategy was quite complex. New research has shown that attacking DDR4 is easy to do right from the browser.

A group of security experts from the Free University of Amsterdam and the Higher Technical School in Zurich (ETH Zurich) announced that they have identified a new and dangerous form of the Rowhammer attack. The new method is called SMASH (Synchronized MAny-Sided Hammering), and it can be launched from JavaScript. The researchers state that the years of effort by RAM manufacturers have in fact failed: memory of the DDR4 generation is still vulnerable to Rowhammer attacks.

As a reminder, a Rowhammer attack subjects memory cells to a series of fast, repeated access cycles. Physically, a DRAM chip stores each bit as the charge on a capacitor, which is the memory cell. Since the density of cells (capacitors) in modern memory chips is very high, electromagnetic interaction occurs between neighboring cells. Simply put, if you intensively "knock" on a certain area of memory, the cells adjacent to it also change their charge, which amounts to a forced write into protected or inaccessible areas of memory.

The new method for bypassing Target Row Refresh (TRR), the Rowhammer defence built into DDR4, relies on carefully scheduling cache hits and misses so that memory requests are synchronized with the DRAM refresh commands. The researchers implemented the technique as a JavaScript exploit and confirmed that it works in practice: on average, the Firefox browser was compromised within 15 minutes. In essence, the SMASH method is an open gateway to the sophisticated TRRespass attack identified last March. Now even an amateur can exploit this vulnerability. To do this, it is enough to create a website with malicious code or deliver the exploit through malicious advertisements. Either path allows an attacker to take control of the victim's browser and launch the exploit from it.

"The current version of SMASH relies on [transparent huge pages] to build effective self-upload patterns," the researchers say. "Disabling THP with some performance gain will stop the current version of SMASH." But who's stopping you from creating other versions?
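The THP mitigation the researchers mention is a kernel setting, so a defender can verify it. The following POSIX shell script is an added example, not code from the article or from the SMASH researchers; it assumes a Linux host, where the kernel exposes the setting in `/sys/kernel/mm/transparent_hugepage/enabled` as a line like `always [madvise] never` with the active mode in brackets.

```shell
#!/bin/sh
# Added example: report whether transparent huge pages (THP) are disabled,
# the mitigation quoted above for the current version of SMASH.
# Assumes Linux; the sysfs path below is the kernel's documented THP knob.
THP_ENABLED_FILE=/sys/kernel/mm/transparent_hugepage/enabled

# Extract the active mode from a sysfs line such as "always [madvise] never".
# Prints the bracketed token; returns 1 if the line carries no bracketed token.
thp_active_mode() {
    case "$1" in
        *"["*"]"*) printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p' ;;
        *) return 1 ;;
    esac
}

# Map a mode to a mitigation verdict: 0 = THP off ("never"), 1 = the kernel
# may still hand out huge pages ("always" or "madvise"), 2 = unknown mode.
thp_mitigated() {
    case "$1" in
        never) return 0 ;;
        always|madvise) return 1 ;;
        *) return 2 ;;
    esac
}

# Read the live setting and print a verdict. A host without the knob (non-Linux,
# or a kernel built without THP) has nothing to disable, so report that explicitly.
thp_report() {
    if [ ! -r "$THP_ENABLED_FILE" ]; then
        echo "THP knob not present ($THP_ENABLED_FILE): nothing to disable"
        return 0
    fi
    line=$(cat "$THP_ENABLED_FILE")
    mode=$(thp_active_mode "$line") || { echo "unparsable THP setting: $line"; return 2; }
    if thp_mitigated "$mode"; then
        echo "THP mode '$mode': huge pages disabled"
    else
        echo "THP mode '$mode': huge pages available; to disable (as root): echo never > $THP_ENABLED_FILE"
        return 1
    fi
}

# Run the check when executed directly; the non-zero status is kept non-fatal
# here so the file can also be sourced by other tooling.
thp_report || :
```

The `echo never` write is not persistent across reboots; on most distributions the same mode is set at boot via the `transparent_hugepage=never` kernel command-line parameter.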
