SoylentNews is people
SoylentNews
from the for-those-who-ask-for-javascript dept.
A very interesting attack was unveiled in Friday, 24 June by Daniel Gruss, Clémentine Maurice, Stefan Mangard. Maybe the Rowhammer is the next Hearthbleed, or worse?
As DRAM has been scaling to increase in density, the cells are less isolated from each other. Recent studies have found that repeated accesses to DRAM rows can cause random bit flips in an adjacent row, resulting in the so called Rowhammer bug. This bug has already been exploited to gain root privileges and to evade a sandbox, showing the severity of faulting single bits for security. However, these exploits are written in native code and use special instructions to flush data from the cache.
In this paper we present Rowhammer.js, a JavaScript-based implementation of the Rowhammer attack. Our attack uses an eviction strategy found by a generic algorithm that improves the eviction rate compared to existing eviction strategies from 95.2% to 99.99%. Rowhammer.js is the first remote software-induced hardware-fault attack. In contrast to other fault attacks it does not require physical access to the machine, or the execution of native code or access to special instructions. As JavaScript-based fault attacks can be performed on millions of users stealthily and simultaneously, we propose countermeasures that can be implemented immediately.
http://arxiv.org/abs/1507.06955
Full report can be found here (PDF)
(Score: 1, Insightful) by Anonymous Coward on Wednesday July 29 2015, @04:31PM
The problem with javascript is the laziness of developers in designing sites that require it to provide basic services to the site visitor. I browse SN all the time with JavaScript disabled, and the site functions.
Heck, even Amazon is somewhat functional with JavaScript disabled.
For most web developers, everything is a nail and JavaScript is the hammer.
It is poor design that an article or image link to one's site does not render the article or image unless JavaScript is enabled.
Design and implementation should have focus on what can be achieved with plain HTML and CSS, with JavaScript only done to enhance and optimize the experience. This approach actually tends to make the site easier to maintain due to reduced complexity of lots of JavaScript. I.e. What may take more time in the design phase of providing a non-JavaScript-enabled functional site, is saved in the maintenance costs of maintaining a large JavaScript code base, which still requires browser-specifc handling despite the state of current standards. There is also the benefit of making the site more accesible to the myriad of devices and user types.