Stories
Slash Boxes
Comments

SoylentNews is people

The Rowhammer is Here... Next Heartbleed?

posted by janrinok on Wednesday July 29 2015, @12:48AM   Printer-friendly
from the for-those-who-ask-for-javascript dept.

pkrasimirov writes:

A very interesting attack was unveiled in Friday, 24 June by Daniel Gruss, Clémentine Maurice, Stefan Mangard. Maybe the Rowhammer is the next Hearthbleed, or worse?

As DRAM has been scaling to increase in density, the cells are less isolated from each other. Recent studies have found that repeated accesses to DRAM rows can cause random bit flips in an adjacent row, resulting in the so called Rowhammer bug. This bug has already been exploited to gain root privileges and to evade a sandbox, showing the severity of faulting single bits for security. However, these exploits are written in native code and use special instructions to flush data from the cache.
In this paper we present Rowhammer.js, a JavaScript-based implementation of the Rowhammer attack. Our attack uses an eviction strategy found by a generic algorithm that improves the eviction rate compared to existing eviction strategies from 95.2% to 99.99%. Rowhammer.js is the first remote software-induced hardware-fault attack. In contrast to other fault attacks it does not require physical access to the machine, or the execution of native code or access to special instructions. As JavaScript-based fault attacks can be performed on millions of users stealthily and simultaneously, we propose countermeasures that can be implemented immediately.

http://arxiv.org/abs/1507.06955

Full report can be found here (PDF)

Original Submission

 
This discussion has been archived. No new comments can be posted.
The Rowhammer is Here... Next Heartbleed? | Log In/Create an Account | Top | 50 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Wednesday July 29 2015, @09:05AM

    by Anonymous Coward on Wednesday July 29 2015, @09:05AM (#215343)

    Why is webmail essential to your daily work? What's wrong with SMTP/IMAP and a dedicated mail application? I consider webmail a crutch for situations where no proper mail application is available.

  • (Score: 2) by q.kontinuum on Wednesday July 29 2015, @10:55AM

    by q.kontinuum (532) on Wednesday July 29 2015, @10:55AM (#215368) Journal

    Because the webmail I have to use is outlook.com, with calendar etc. I prefer to use Linux instead of Windows, and didn't yet find a good, free outlook-alternative. I could use Windows as well, but I don't like it, and in regards of security I feel it would kind of defeat the purpose...

    --
    Registered IRC nick on chat.soylentnews.org: qkontinuum

    • (Score: 0) by Anonymous Coward on Wednesday July 29 2015, @03:38PM

      by Anonymous Coward on Wednesday July 29 2015, @03:38PM (#215508)

      Really, you failed to find Thunderbird? You also failed to find the Lightning and Exchange EWS add ons for Thunderbird?
      My goodness you must suck at your job

      • (Score: 2) by q.kontinuum on Wednesday July 29 2015, @04:21PM

        by q.kontinuum (532) on Wednesday July 29 2015, @04:21PM (#215527) Journal

        Really, you failed to find Thunderbird? You also failed to find the Lightning and Exchange EWS add ons for Thunderbird?

        No, I used it temporarily. Only the plugins didn't work as expected, Thunderbird kept eating 100%CPU and kept crashing once twice a day.

        --
        Registered IRC nick on chat.soylentnews.org: qkontinuum