Dubbed GLitch, the exploit is the first to show that GPUs can flip individual bits stored in dynamic random-access memory.
Over the past few years, there has been a steady evolution in Rowhammer, the once largely theoretical attack that exploits physical defects in memory chips to tamper with the security of the devices they run on. On Thursday, researchers unveiled the most practical demonstration yet of Rowhammer’s power and reach: an exploit that remotely executes malicious code on Android phones by harnessing their graphics processors.
GLitch gets its name and idiosyncratic capitalization because it uses the WebGL programming interface for rendering graphics to trigger a known glitch in DDR3 and DDR4 memory chips. The term Rowhammer was coined because the exploit class accesses—or “hammers”—specific memory blocks known as rows inside a chip thousands of times per second. Attackers use it to alter crucial pieces of data by changing zeros to ones and vice versa. The physical weakness is the result of ever smaller dimensions of the silicon. With less space between each DRAM cell, it becomes increasingly hard to prevent one cell from interacting electrically with its neighbors.
Like all of the Rowhammer attacks that have preceded it, the GLitch proof-of-concept exploit isn’t mature enough to pose an immediate threat to most end users. Because of the significant amount of reverse engineering required and the advent of Rowhammer mitigations in some newer phones, the PoC currently works only on a Nexus 5 phone, which Google discontinued in 2015. With refinements, however, the novel attack vector could one day provide a more robust way to exploit a serious vulnerability in both computers and phones, one that can be mitigated but never actually patched.
Onur Mutlu cowrote the 2014 paper that introduced Rowhammer as a vulnerability.
For the time being, GLitch, as with most other Rowhammer exploits, poses little immediate threat to most phone and computer users. Compared with more mundane attacks that use malicious spam or compromised websites to spread malware, Rowhammer exploits are extremely expensive to develop and unreliable to use. With the exception of the most high-value marks targeted in exotic nation-sponsored hacks, there’s little chance of GLitch exploits being used in the wild.
At the same time, the GLitch research is immensely important because it demonstrates a never-before-seen vector for exploiting a hardware weakness that can never be patched. Not only is the GPU method almost completely overlooked, it’s also more effective than better-known methods that use CPUs.
Most important of all, GLitch illuminates the previously unknown susceptibility of smartphones and potentially other types of devices used by billions of people around the world. And for these reasons, Thursday’s paper and accompanying webpage should be required reading for anyone who develops hardware or software, particularly those who dismiss it as too esoteric an issue to warrant serious concern.
“Rowhammer in many ways has been ignored by vendors hiding behind [the claim] that it’s difficult and usually requires local execution or deduplication which has been removed from Windows by now,” said Anders Fogh, a principal security researcher with GDATA Advanced Analytics who spoke about Rowhammer at the 2015 Black Hat security conference. “This [research] should put some much needed focus on the fact that what is often seen only as a reliability issue is often a severe security issue.”