JavaScript Exploit Carries Out Effective Rowhammer Attacks On DDR4 Memory Cards

Researchers from Vrije Universiteit Amsterdam and ETH Zurich describe a new variant of the Rowhammer attack that uses a JavaScript exploit to fully compromise DDR4 RAM modules and the Firefox browser.

Dubbed SMASH (Synchronized Many-Sided Hammering) by the researchers, the technique can be used against modern DDR4 memory modules. The researchers demonstrated that many of these modules are still vulnerable despite the many mitigations deployed by manufacturers.

“Despite their in-DRAM Target Row Refresh (TRR) mitigations, some of the most recent DDR4 modules are still vulnerable to many-sided Rowhammer bit flips,” the researchers said.

This type of attack is called Rowhammer. During the attack, malicious code repeatedly accesses the same “row” of transistors on a memory chip many times in a fraction of a second (called hammering) until an electrical charge leaks from the target row to an adjacent one, causing data loss.

“SMASH exploits high-level knowledge of cache replacement policies to generate optimal access patterns for eviction-based many-sided Rowhammer. To bypass the in-DRAM TRR mitigations, SMASH carefully schedules cache hits and misses to successfully trigger synchronized many-sided Rowhammer bit flips.”

The researchers developed an end-to-end JavaScript exploit that can shut down the Firefox browser in 15 minutes on average.

Even industry-wide countermeasures like Target Row Refresh (TRR), which were touted as the “ultimate solution” for Rowhammer attacks, were demonstrated to be ineffective against a new tool called “TRRespass” that could still compromise TRR-protected DDR4 modules. Worse yet, the new SMASH method allows attackers to take down a device or a browser with a piece of JavaScript code.

The attack chain starts with a victim visiting an attacker-controlled website or a legitimate website infected with a malicious ad. Then, as researchers demonstrated, the attackers can trigger bit flips on TRR-enabled DDR4 with the use of a JavaScript exploit.

The research shows that Rowhammer-type attacks continue to be an active threat for Web users.

About the author

CIM Team
