• Rowhammer: a remote, JavaScript-induced DDR3 (DRAM) memory fault attack

    Google researchers demonstrated in March that a bug affecting some dynamic random-access memory (DRAM) chips can be exploited to gain kernel privileges on Linux and other systems.

    However, the exploits created by Google's researchers were written in native code, rely on special instructions, and require physical access to the targeted machine.

    Researchers have now demonstrated that such hardware fault attacks can be carried out remotely using JavaScript, and that sandboxing and Data Execution Prevention (DEP) do not protect you.

    http://www.slate.com/articles/technology/bitwise/2015/07/rowhammer_security_exploit_why_a_new_security_attack_is_truly_terrifying.html

    Why is Rowhammer so scary? Because it doesn’t afflict your software but finds a weakness in your hardware, a physical problem with how current memory chips are constructed. So it doesn’t matter whether you’re using Linux, Windows, or iOS: If an Intel chip (or an AMD one, or possibly others) is inside, so is Rowhammer. Incredibly, [a French & Austrian] paper reveals how to exploit it from a simple webpage.

    http://motherboard.vice.com/read/rowhammerjs-is-the-most-ingenious-hack-ive-ever-seen

    They’ve called it Rowhammer.js, and it’s a piece of JavaScript code that can escape a web browser’s security sandbox and gain access to the physical memory of your computer.

    The bad news is that if your computer is vulnerable, it’s a hardware issue, and there’s very little you personally can do about it. No software patches are coming to the rescue any time soon. The good news is that this hack is so complicated to pull off, you’re probably safe just from its level of difficulty alone.

    [...]

    A row hammer is when a program floods a particular row of bits with data, over and over again. This interrupts a memory controller’s refresh process, causing electrical charges to leak to neighboring rows of bits on purpose, manipulating data that an executable program wouldn’t normally have access to.

    http://www.computerworld.com/article/2895898/google-researchers-hack-computers-using-dram-electrical-leaks.html

    There are some mitigations for bit flipping in the latest DDR4 DRAM chips, which have succeeded DDR3 in many laptops and servers.

    ECC memory is also not affected.
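    The two mitigating factors named above (DDR4 and ECC) can both be read from the SMBIOS tables. The following is an added example, not code from the post or from the Rowhammer.js researchers: a small parser for the output of the real `dmidecode --type memory` command (field names as dmidecode prints them; the sample output embedded below is constructed for a DDR3 laptop without ECC) that reports the DIMM type and whether the memory array uses ECC. It only surfaces those two facts; it does not test the memory for bit flips.

```python
# Added example (not from the original post): inspect `dmidecode --type memory`
# output and report DIMM type (DDR3/DDR4) and whether the memory array uses ECC.
# The post states that DDR4 carries some bit-flip mitigations and that ECC memory
# is not affected; this helper only reads those two facts from the SMBIOS tables.
import re
import subprocess
from typing import Dict, List

# Constructed sample in the layout dmidecode uses: one DDR3 SODIMM, one empty
# slot, and a memory array without error correction.
SAMPLE_DMIDECODE = """\
Handle 0x0007, DMI type 16, 23 bytes
Physical Memory Array
	Location: System Board Or Motherboard
	Use: System Memory
	Error Correction Type: None
	Maximum Capacity: 16 GB
	Number Of Devices: 2

Handle 0x0009, DMI type 17, 40 bytes
Memory Device
	Array Handle: 0x0007
	Size: 8192 MB
	Form Factor: SODIMM
	Locator: ChannelA-DIMM0
	Type: DDR3
	Speed: 1600 MT/s

Handle 0x000A, DMI type 17, 40 bytes
Memory Device
	Array Handle: 0x0007
	Size: No Module Installed
	Form Factor: SODIMM
	Locator: ChannelB-DIMM0
	Type: Unknown
"""


def parse_dmidecode(text: str) -> List[Dict[str, str]]:
    """Split dmidecode output into records; each record maps 'Key' -> 'Value'.

    Records are separated by blank lines; the first line is the 'Handle ...'
    header and the second names the structure (e.g. 'Memory Device').
    """
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        if len(lines) < 2:
            continue
        rec = {"_kind": lines[1].strip()}
        for line in lines[2:]:
            if ":" in line:
                key, _, value = line.strip().partition(":")
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def assess_dram(text: str) -> Dict[str, object]:
    """Summarise DIMM types and ECC presence from dmidecode memory output."""
    records = parse_dmidecode(text)
    arrays = [r for r in records if r["_kind"] == "Physical Memory Array"]
    # Only populated slots carry a real 'Size: NNNN MB'; empty ones say
    # 'No Module Installed' and report Type: Unknown, so skip them.
    devices = [r for r in records
               if r["_kind"] == "Memory Device"
               and r.get("Size", "").endswith(("MB", "GB"))]
    # dmidecode reports e.g. 'Single-bit ECC' / 'Multi-bit ECC'; 'None',
    # 'Parity' or 'Unknown' do not count as ECC.
    ecc = any("ECC" in r.get("Error Correction Type", "") for r in arrays)
    types = sorted({r.get("Type", "Unknown") for r in devices})
    return {
        "ecc": ecc,
        "types": types,
        "populated_slots": len(devices),
        "ddr3_without_ecc": ("DDR3" in types) and not ecc,
    }


def assess_local_machine() -> Dict[str, object]:
    """Run dmidecode on this host (needs root) and assess its output."""
    out = subprocess.run(["dmidecode", "--type", "memory"], check=True,
                         capture_output=True, text=True).stdout
    return assess_dram(out)


if __name__ == "__main__":
    print(assess_dram(SAMPLE_DMIDECODE))
```

    On the constructed sample the result flags `ddr3_without_ecc` as true, which is the configuration the post describes as having neither mitigation; on a real host replace the sample with `assess_local_machine()`, which has to run as root because dmidecode reads the SMBIOS tables from /dev/mem or sysfs.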

    Some technical information:

    http://www.ddrdetective.com/row-hammer
    Very simply, the problem occurs when the memory controller, under command of the software, causes an ACTIVATE command to a single row address repetitively. If the physically adjacent rows have not been ACTIVATED or refreshed recently, the charge from the over-ACTIVATED row leaks into the dormant adjacent rows and causes a bit to flip. This failure mechanism has been coined ‘Row Hammer’, as a row of memory cells is being ‘hammered’ with ACTIVATE commands.

    In French:

    http://macbidouille.com/news/2015/07/31/le-rowhammer-bug-rend-la-dram-vulnerable-a-des-attaques

    #exploit
    #hack
    #Rowhammer
    #DDR3 #DRAM

    The research paper:

    http://arxiv.org/pdf/1507.06955v1.pdf