Rowhammer attacks, first discovered in 2014, continue to draw the attention of researchers and academics despite the mitigation measures put in place by chip manufacturers and the wider industry.
What’s the big deal?
Academics from Vrije University and ETH have published a new research paper about yet another variant of the Rowhammer attack.
Dubbed SMASH (Synchronized MAny-Sided Hammering), the attack is triggered by a new JavaScript exploit on modern DDR4 RAM chips.
This gives attackers an arbitrary read and write primitive in the browser.
The interesting aspect of the new variant is it does not rely on software vulnerabilities or bugs. Instead, it takes advantage of the mitigations implemented for the previous Rowhammer bug to initiate the exploit chain.
What is Rowhammer?
Rowhammer is an umbrella term for a class of exploits that leverage a fault in the hardware design of DDR4 memory systems.
In 2014, the fault was induced by rapidly reading and writing a memory row over and over again, ultimately causing data loss.
Since then, multiple methods have been devised to exploit DRAM integrated circuits. These are ECCploit, Rowhammer.js, Throwhammer, JackHammer, and RAMBleed.
In response to the findings, industry-wide countermeasures such as Target Row Refresh (TRR) were touted as the ultimate solution. In March 2020, researchers demonstrated that a fuzzing tool called ‘TRRespass’ could be used to make Rowhammer attacks work on DDR4 modules.
From TRRespass to SMASH
While TRRespass was achieved using native code, no method was available to trigger it in the browser from JavaScript. This led to the discovery of SMASH, which gives attackers read and write access in the browser.
The exploit chain is initiated when a victim visits a malicious website under the adversary’s control, or a legitimate website that contains a malicious ad.
Worth noting
The revelation of new research confirms that the Rowhammer bug continues to be a threat for web users.
However, there is something good in every bad situation; in this case, the researchers note that exploiting the Rowhammer bug is not an easy task.
Additionally, disabling Transparent Huge Pages (THP) would stop the current instance of SMASH.
“Furthermore, our exploit relies specifically on corrupting pointers in the browser to break ASLR and pivot to a counterfeit object. Protecting the integrity of pointers in software or in hardware (e.g., using PAC [23]) would stop the current SMASH exploit,” the researchers added.
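A defender-side check for the THP mitigation mentioned above, as an added example that is not part of the original article or the researchers' code: it parses the kernel's sysfs setting, whose active mode is the bracketed word, and reports whether THP is disabled. It assumes a Linux host with the standard `/sys/kernel/mm/transparent_hugepage/enabled` file; the live check is skipped where that file is absent.

```shell
#!/bin/sh
# Extract the active THP mode from the sysfs "enabled" file contents.
# The kernel prints all modes and brackets the active one,
# e.g. "always madvise [never]" -> "never".
thp_active_mode() {
  # $1: contents of /sys/kernel/mm/transparent_hugepage/enabled
  printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Succeeds (exit 0) only when THP is fully disabled ("never").
thp_is_disabled() {
  [ "$(thp_active_mode "$1")" = "never" ]
}

# Live check, only when the sysfs file is readable on this host.
THP_FILE=/sys/kernel/mm/transparent_hugepage/enabled
if [ -r "$THP_FILE" ]; then
  mode=$(thp_active_mode "$(cat "$THP_FILE")")
  echo "THP active mode: $mode"
  if ! thp_is_disabled "$(cat "$THP_FILE")"; then
    echo "THP is enabled. To disable it until the next boot (as root):"
    echo "  echo never > $THP_FILE"
    echo "To make it persistent, add transparent_hugepage=never to the kernel command line."
  fi
fi
```

The sysfs write takes effect immediately but does not survive a reboot, hence the kernel command-line note.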