
JavaScript based GLitch pwns browsers by flipping bits inside memory chips.

Dubbed GLitch, the exploit is the first to show that GPUs can flip individual bits stored in dynamic random-access memory.

Over the past few years, there has been a steady evolution in Rowhammer, the once largely theoretical attack that exploits physical defects in memory chips to tamper with the security of the devices they run on. On Thursday, researchers unveiled the most practical demonstration yet of Rowhammer’s power and reach: an exploit that remotely executes malicious code on Android phones by harnessing their graphical processors.

The advance gives attackers greater flexibility over previous techniques that relied solely on CPUs. It’s also the first Rowhammer attack that uses standard JavaScript to compromise a smartphone, meaning it can be executed when users do nothing more than visit a malicious website. Another key innovation: on average, GLitch takes less than two minutes to compromise a device, a significant improvement over previous Rowhammer exploits.

GLitch gets its name and idiosyncratic capitalization because it uses the WebGL programming interface for rendering graphics to trigger a known glitch in DDR3 and DDR4 memory chips. The term Rowhammer was coined because the exploit class accesses—or “hammers”—specific memory blocks known as rows inside a chip thousands of times per second. Attackers use it to alter crucial pieces of data by changing zeros to ones and vice versa. The physical weakness is the result of ever smaller dimensions of the silicon. With less space between each DRAM cell, it becomes increasingly hard to prevent one cell from interacting electrically with its neighbors.

Like all of the Rowhammer attacks that have preceded it, the GLitch proof-of-concept exploit isn’t mature enough to pose an immediate threat to most end users. Because of the significant amount of reverse engineering required and the advent of Rowhammer mitigations in some newer phones, the PoC currently works only on a Nexus 5 phone, which Google discontinued in 2015. With refinements, however, the novel attack vector could one day provide a more robust way to compromise a serious vulnerability in both computers and phones that can be mitigated but never actually patched.

This is the first work I know of that can take advantage of both GPU and remote JavaScript execution to take over a remote machine by exploiting the Rowhammer failure mechanism. As a result, I think its implications are very significant—GPUs are employed in all interesting mobile systems, and if the DRAM is vulnerable to Rowhammer, one can exploit that GPU to take over the system. The fact that the attack is end-to-end and does not require the user to install a new app to be performed makes it even more significant since the barrier to attack is low. So, I think this paper presents a significant and very clever demonstration of how the Rowhammer vulnerability can lead to another attack. – Onur Mutlu

Onur Mutlu cowrote the 2014 paper that introduced Rowhammer as a vulnerability.

For the time being, GLitch, as with most other Rowhammer exploits, poses little immediate threat to most phone and computer users. Compared with more mundane attacks that use malicious spam or compromised websites to spread malware, Rowhammer exploits are extremely expensive to develop and unreliable to use. With the exception of the most high-value marks targeted in exotic nation-sponsored hacks, there’s little chance of GLitch exploits being used in the wild.

At the same time, the GLitch research is immensely important because it demonstrates a never-before-seen vector for exploiting a hardware weakness that can never be patched. Not only is the GPU method almost completely overlooked, it’s also more effective than better-known methods that use CPUs.

Most important of all, GLitch illuminates the previously unknown susceptibility of smartphones and potentially other types of devices used by billions of people around the world. And for these reasons, Thursday’s paper and accompanying webpage should be required reading for anyone who develops hardware or software, particularly those who dismiss it as too esoteric an issue to warrant serious concern.

“Rowhammer in many ways has been ignored by vendors hiding behind [the claim] that it’s difficult and usually requires local execution or deduplication which has been removed from Windows by now,” said Anders Fogh, a principal security researcher with GDATA Advanced Analytics who spoke about Rowhammer at the 2015 Black Hat security conference. “This [research] should put some much needed focus on the fact that what is often seen only as a reliability issue is often a severe security issue.”

Source: Ars Technica
