Row Hammer Exploitable via JavaScript

Thursday, July 30, 2015 @ 04:07 PM gHale

The Row Hammer exploit can be carried out via JavaScript, new research found.

Researchers published a report in March detailing a problem with some memory chips that can be exploited to give access to any computer using the latest DDR3 DRAM chips.

That is the Row Hammer exploit, which works by constantly hammering a row of memory cells until they create electromagnetic interference for the adjacent rows, causing them to lose data and altering normal operation.

The original research showed that this type of attack was possible only from the local machine, which meant the computer already had to be infected.

As it turns out, new research by Daniel Gruss, Clémentine Maurice, and Stefan Mangard, from universities in France and Austria, shows that Row Hammer can be actively exploited via JavaScript.

This means an attacker can simply put his exploit code in a JavaScript file and wait for random users to access a Web page and download the file.

The researchers used Rowhammer.js to test out their theory and found the “attack runs in [a] sandboxed JavaScript which is present and enabled by default in every modern browser.”

“Although implemented in JavaScript, the attack technique is independent of the specific CPU microarchitecture, programming language and runtime environment, as long as the stream of memory accesses is executed fast enough,” the researchers said in their paper.

As with the original Row Hammer bug, the JavaScript version of this exploit is unpatchable at a software level, and a general BIOS update would be the way to fix it.

Researchers said slowing down the speed at which JavaScript executes in the browser could diminish the memory cell row hammering effect, but browser manufacturers will never embrace this recommendation because of their obsession with their JS runtime benchmarks and trying to outdo their competition.

“Rowhammer.js is the first remote software-induced hardware-fault attack,” which would make it a real problem if the Row Hammer bug weren’t so hard to implement and control, the researchers said.