from the for-those-who-ask-for-javascript dept.
A very interesting attack was unveiled in Friday, 24 June by Daniel Gruss, Clémentine Maurice, Stefan Mangard. Maybe the Rowhammer is the next Hearthbleed, or worse?
As DRAM has been scaling to increase in density, the cells are less isolated from each other. Recent studies have found that repeated accesses to DRAM rows can cause random bit flips in an adjacent row, resulting in the so called Rowhammer bug. This bug has already been exploited to gain root privileges and to evade a sandbox, showing the severity of faulting single bits for security. However, these exploits are written in native code and use special instructions to flush data from the cache.
In this paper we present Rowhammer.js, a JavaScript-based implementation of the Rowhammer attack. Our attack uses an eviction strategy found by a generic algorithm that improves the eviction rate compared to existing eviction strategies from 95.2% to 99.99%. Rowhammer.js is the first remote software-induced hardware-fault attack. In contrast to other fault attacks it does not require physical access to the machine, or the execution of native code or access to special instructions. As JavaScript-based fault attacks can be performed on millions of users stealthily and simultaneously, we propose countermeasures that can be implemented immediately.
http://arxiv.org/abs/1507.06955
Full report can be found here (PDF)
Related Stories
MRAM Tech Startup Says Its Device Solves DRAM's Row Hammer Vulnerability
Fremont, Calif.-based magnetic RAM startup, Spin Memory, says it has developed a transistor that allows MRAM and resistive RAM to be scaled down considerably. According to the company, the device could also defeat a stubborn security vulnerability in DRAM called Row Hammer.
Spin Memory calls the device the "Universal Selector." In a memory cell, the selector is the transistor used to access the memory element—a magnetic tunnel junction in MRAM, a resistive material in RRAM, and a capacitor in DRAM. These are usually built into the body of the silicon, with the memory element constructed above them. Making the selector smaller and simplifying the layout of interconnects that contact it, leads to more compact memory cells.
[...] With DRAM, the main memory of choice for computers, the Universal Selector has an interesting side-effect: it should make the memory immune to the Row Hammer. This vulnerability occurs when a row of DRAM cells is rapidly charged and discharged. (Basically, flipping the bits at an extremely high rate.) Stray charge from this action can migrate to a neighboring row of cells, corrupting the bits there. [...] According to Lewis, the new device is immune to this problem because the transistor channel is outside of the bulk of the silicon, and so it's isolated from the wandering charge. "This is a root-cause fix for row hammer," he says.
Related: The Rowhammer is Here... Next Heartbleed?
DRAM Leakage Side Effect Exploited for Privilege Escalation on Both DDR3 & DDR4
Everspin Announces New MRAM Products
Potentially Disastrous Rowhammer Bitflips Can Bypass ECC Protections
Samsung Announces Mass Production of Commercial Embedded Magnetic Random Access Memory (eMRAM)
Researchers Use Rowhammer Bit Flips to Steal 2048-bit Crypto Key
GlobalFoundries Produces Embedded Magnetoresistive Non-Volatile Memory (eMRAM) on a "22nm" Process
(Score: 3, Insightful) by Anonymous Coward on Wednesday July 29 2015, @12:50AM
Well that's it. The Internet is finished. Marketing has taken control of everything and no further work will be done. Ever.
(Score: 3, Insightful) by Runaway1956 on Wednesday July 29 2015, @01:45AM
You think that's bad - I work with/for a guy who is all about appearances. "It doesn't look good." is one of his most common statements. When something works, you use it, and to hell with appearances.
(Score: 2, Insightful) by Anonymous Coward on Wednesday July 29 2015, @01:49AM
When something is made to persuade idiots to give you money, then it doesn't work if it doesn't look good.
(Score: 2) by Nerdfest on Wednesday July 29 2015, @01:56AM
A lot of the names of these flaws have been created my a Microsoft funded organization, although I don't think this one is. "Heartbleed", "ShellShock", and a couple of others (all Linux based) were allegedly their creations.
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @03:29PM
Please elaborate on your accusation instead of just accusing
(Score: 3, Funny) by VortexCortex on Wednesday July 29 2015, @03:30AM
The Internet is finished. Marketing has taken control of everything and no further work will be done. Ever.
I shall call this state of affairs: The Final Dissolution
(Score: 3, Informative) by Anonymous Coward on Wednesday July 29 2015, @04:10AM
This is not a cutsey name. This is the engineering name. DDR is organized into rows and columns. The attack litterally hammers on one row of memory to force bit flips in an adjacent row.
(Score: 2) by arslan on Thursday July 30 2015, @02:39AM
What's wrong with it? This is marketing working for good. The cutesy names makes propagation of the topic easy, and propagation of the topic means better awareness. I've had folks from non-technical background asking about the heartbleed buzzword because they heard it mentioned somehow, somewhere.
I say keep at it. The best thing for security is awareness.
(Score: 2, Informative) by Anonymous Coward on Wednesday July 29 2015, @01:16AM
Just don't allow user processes to trigger their own clflushes.
Don't execute arbitrary code.
Compile apps for P4 arches, or with clflush optimized out.
This bug was only a problem because Intel in its infinite malice (incompetence? Depends on who you ask) pushed this into the Pentium 4s way back when despite people indicating this was a possibility.
Turns out they were right. Nothing to see here.
(Score: 1, Informative) by Anonymous Coward on Wednesday July 29 2015, @01:21AM
*less than p4*
Dumb html filtering. Plain Old Text mode should pre tag its contents.
(Score: 1) by ese002 on Wednesday July 29 2015, @01:29AM
This is a hardware bug. I don't agree that the problem is user code cache flushes. That just makes it exploitable. Even without deliberate cache flushes, crosstalk can cause random memory corruption. If software doing allowed operations can cause hardware to fail, even if it is improbable, then that is a serious hardware bug and the machine becomes unusable for any tasks where correct computation is actually important.
(Score: 4, Interesting) by Runaway1956 on Wednesday July 29 2015, @01:37AM
I wonder if this exploit works on ECC memory.
I've built my rigs around Opteron processors for years now. And, those rigs are built with ECC memory. I kinda doubt that this exploit is going to get very far when there is a dedicated chip ensuring that data is not corrupted.
# inxi -m
Memory: Array-1 capacity: 32 GB (est) devices: 16 EC: Single-bit ECC
Device-1: DIMM0 size: 2 GB speed: 333 MHz type: DDR2
Device-2: DIMM1 size: 2 GB speed: 333 MHz type: DDR2
Device-3: DIMM2 size: 2 GB speed: 333 MHz type: DDR2
Device-4: DIMM3 size: 2 GB speed: 333 MHz type: DDR2
Device-5: DIMM4 size: 2 GB speed: 333 MHz type: DDR2
Device-6: DIMM5 size: 2 GB speed: 333 MHz type: DDR2
Device-7: DIMM6 size: No Module Installed type: N/A
Device-8: DIMM7 size: No Module Installed type: N/A
Device-9: DIMM8 size: 2 GB speed: 333 MHz type: DDR2
Device-10: DIMM9 size: 2 GB speed: 333 MHz type: DDR2
Device-11: DIMM10 size: 2 GB speed: 333 MHz type: DDR2
Device-12: DIMM11 size: 2 GB speed: 333 MHz type: DDR2
Device-13: DIMM12 size: 2 GB speed: 333 MHz type: DDR2
Device-14: DIMM13 size: 2 GB speed: 333 MHz type: DDR2
Device-15: DIMM14 size: No Module Installed type: N/A
Device-16: DIMM15 size: No Module Installed type: N/A
(Score: -1, Troll) by Anonymous Coward on Wednesday July 29 2015, @01:44AM
Sorry, I stopped reading at "my rigs" because you might as well just declare publicly that you are an asshole. If you use a word like "rigs" then you're either a trucker or an asshole, and you're an asshole, right?
(Score: 2, Insightful) by Anonymous Coward on Wednesday July 29 2015, @01:48AM
Perhaps you're the asshole for complaining about a word choice.
(Score: -1, Troll) by Anonymous Coward on Wednesday July 29 2015, @01:51AM
Assholes are just the right size to fit my cock in.
(Score: 1, Troll) by aristarchus on Wednesday July 29 2015, @07:14AM
No, Runaway is a trucker. Admitted as much some time ago. And his posts match the stereotype. Of course, being a trucker does not reduce the odds of being an asshole, in fact, it increases it exponentially. Rubber duck is long dead, and Kris only stars in Black Vampire movies now. Silver bullets? Or silver-iodide-shine-in-the-dark bullets? Javascript based attacks. As Switch said, just before she died, "Not like this! Not like this!"
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @03:31PM
1st Gear
vrrmmm
2nd gear
Vrrrm
Kill some hooker
3rd gear
vrrmm
4th gear
vrrmmm
hit a pedestrian
5th gear
vrrm
6th gear
vrrm
Kill another hooker
TOP GEAR!!
(Score: 2) by albert on Wednesday July 29 2015, @03:40AM
Getting it to work is certainly harder, but not by a great deal. Even without the more advanced attack methods (directed results) you have only cut down the success probability by a very small factor.
ECC is worthwhile I think, but don't imagine you are safe.
(Score: 3, Insightful) by zeigerpuppy on Wednesday July 29 2015, @05:43AM
I doubt this attack would work at all against ECC,
A single bit flip is detected and more than that causes a RAM error,
It's very unlikely to get multiple flips that aren't detected.
(Score: 2) by opinionated_science on Wednesday July 29 2015, @01:40PM
inxi -m
Memory: Placeholder: Feature not yet developed
I get this. What am I missing?
(Score: 3, Informative) by Runaway1956 on Wednesday July 29 2015, @03:00PM
Maybe you're using an outdated version?
# inxi --version
inxi 2.2.26-00 (2015-07-06)
If your inxi is up to date, then you are possibly missing some dependency. Then again, it may be a glitch in your OS - I know that inxi couldn't get uptime for awhile after systemd was instituted. Now it works again, so that particular glitch has been addressed.
You might want to address any glitches on the forum - http://techpatterns.com/forums/index.php [techpatterns.com] The top two subforums are dedicated to the inxi-related scripts.
(Score: 2) by opinionated_science on Wednesday July 29 2015, @04:22PM
thanks! I grabbed the latest version from svn, though the debian version is a bit old.
Works fine for me now. Very cool tool.
(Score: 2) by q.kontinuum on Wednesday July 29 2015, @05:12AM
This bug defeats the hardware-backed security concepts of the PC, thus also defeating the the operating system security measures depending on the hardware. It also defeats the sandbox-security-model of the javascript interpreter. Your recommendations would even render an MS DOS computer secure, but also pretty unusable. If you consider this "mitigatable", you could also propose to stop using computers altogether.
I do use NoScript for my private purposes already, but that is only supposed to protect the data of the same user. Protection of other users data or from other users attack on the same system is the task of the OS.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 2, Insightful) by chrysosphinx on Wednesday July 29 2015, @06:45AM
Don't execute arbitrary code.
Your advise is worthless since it blindly ignores ancient fundamental truth: Data is Code and Code is Data.
The real problem is: hardware which cannot be trusted.
(Score: 1) by anubi on Wednesday July 29 2015, @08:22AM
I beg to differ with you about data and code.
When I open a text file, I have no intention of executing it. I just want to display the data on the screen as its ASCII equivalent. The furthest stretch of the imagination is to consider a line feed and carriage return as cursor placement instructions and the end of file sentinel stopping the display.
The first malware I encountered was known at the time as an "ANSI bomb". This was the result of mixing code and data. It was shown to me right then and there that mixing executables in along with the data was a terrible idea.
You do not know just how bad I was hoping the Linux guys would come up with a HTML equivalent of a text editor. Safely read anything. HTML tags would direct streams of data to the proper interpreter... and have it simple. Standard font and only standard multimedia files for images, audio, and video - using thoroughly understood codecs.
Sure, the thing may be useless at first, but if people adopted it just so they did not have to constantly virus-scan their machine, businesses would be forced to comply to it or risk getting the following message presented to their customer....
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @03:33PM
But data is code and code is data; all it needs is a chmod +x
(Score: 1, Informative) by Anonymous Coward on Wednesday July 29 2015, @01:29AM
Learn it, love it, use it.
(Score: -1, Troll) by Anonymous Coward on Wednesday July 29 2015, @01:40AM
1. Adblock
2. Bitcoin
3. Basic income
4. Manna
5. Don't own a TV
6. Vote Libertarian
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @02:23AM
If you have such disdain, why come to this site?
(Score: 1, Touché) by Anonymous Coward on Wednesday July 29 2015, @08:58AM
This certainly also helps in reducing the probability of getting hacked, but if you already have NoScript, that's sufficient (however in case you accidentally enabled the wrong scripts, Adblock is certainly a second line of defense).
Doesn't help at all against this attack.
Helps even less against this attack.
Given that the story is published on a web site, which might get hacked and loaded with the exploit, reading the story actually increases the attack probability.
Unless you were referring to the biblical food, then it certainly has no effect on your attack surface.
Not owning a smart TV of course means that you don't have to fear your TV to be hacked. But the same can be achieved using a dumb TV.
I'm pretty sure that will not help against those attacks.
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @01:47AM
we hates it forever
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @01:57AM
I write server-side JavaScript all the damn time. Of course I don't include Rowhammer.js in my scripts, why the hell would I do that.
(Score: 2, Interesting) by anubi on Wednesday July 29 2015, @06:25AM
Unfortunately for the rest of us, a lot of business sites insist on JS being enabled.
Like you say, you would not do such a thing. Other people may. Neither you nor I can stop them. But we can ignore them.
Some of us do.
I started using NoScript after I was repeatedly nailed with malware.
From what I can tell, a lot of businesses are not aware of the problems malware causes the rest of us.
I believe the problem is the person with the authority to hire and instruct webmasters does not personally assume the responsibility of maintaining his own machine. He makes enough money he simply has someone else deal with the problem. So, he remains quite ignorant of the state of malware on the web.
This means the rest of us have to assume the risk to visit his site.
I feel as uneasy visiting their site as I do eating food served to me in a dirty plate.
If its not a business I am intent on engaging, usually the first admonition to enable javascript on my machine is sufficient to cause me to abandon their page.
A lot of businesses do not need customers that bad. So what if a few of us have got digital indigestion and do not like to ingest webpages containing mechanisms commonly used to inject malware. Probably not the kind of customer the business wants anyway. Business likes obedient customers. A lot of us have shown disobedience by not allowing their scripts to run willy nilly in our machine.
The web page is often a business' first impression to a customer. How many malware-aware customers simply click away from his site just as people would abandon a restaurant serving food in dirty dishes?
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 0) by Anonymous Coward on Monday August 03 2015, @09:13AM
I completely agree. Give me HTML & CSS that my browser can display. You can keep the JS, I don't want (or need) it.
...the person with the authority to hire and instruct webmasters does not personally assume the responsibility of maintaining his own machine. He makes enough money he simply has someone else deal with the problem.
However the issue is not whether or not this person notices any personal annoyance, they also run the risk of losing their data, etc. Additionally (if/when they get infected) they will be responsible for propagating whatever malware they've picked up onto their local network or even around the internet.
The issue is javascript is a scourge to be eliminated. Want your site to run fancy-schmancy code? Run it on your server, don't force me to open holes on my system you could fly a galaxy cruiser through.
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @03:35AM
I tested my ram, its safe. I expected a java-script version of this attack, and here it is. Now how to I find out of my phone is vulnerable to something similar?
(Score: 1, Interesting) by Anonymous Coward on Wednesday July 29 2015, @03:46AM
This older version used a gooseneck lamp.
https://www.cs.princeton.edu/~appel/papers/memerr.pdf [princeton.edu]
(Score: 1, Informative) by Anonymous Coward on Wednesday July 29 2015, @04:07AM
Google has also demonstrated working attacks against Rowhammer.
http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html [blogspot.com]
Intel memory controllers produced from 2013 onward include hardware logic to prevent rowhammer from being able to succesfully flip bits. But there are tons of systems in the wild that are vulnerable to rowhammer, so these attacks are pretty scary. (Fortunately all of my memory controllers are not vulnerable to Rowhammer)
(Score: 2) by darkfeline on Wednesday July 29 2015, @04:15AM
This is only a problem if you automatically execute any code sent to your machine. You don't do that, right? If you do, have I got an EXE file to send to you.
(No, you don't need Javascript to render formatted plain text such as HTML, just like you don't need an interactive app to display a book.)
Join the SDF Public Access UNIX System today!
(Score: 1) by cfalcon on Wednesday July 29 2015, @05:06AM
A lot of content is gated behind javascript, and it's very hard to get around it appropriately, especially on mobile. I despise javascript so much it's actually hilarious, and I constantly wonder why browsers obey shitty commands like "hide this user control", "pop up this thing", etc.
I skip out on a lot of it when that happens.
Javascript isn't supposed to be code execution. Today it very much is. That's ludicrous.
Anyway, this whole thing sounds sensationalized. The proof of concept worked on some specific laptop, I'm to expect that this javascript will work on a tower with plenty of power and such? Rowhammer is fascinating, but I doubt that it's the same kind of vulnerability as we see elsewhere.
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @09:15AM
When I encounter content gated behind JavaScript, my answer most often is simply to not read that content. Probably I don't miss anything important that way.
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @03:36PM
THIEF... How dare you withhold your eyeballs from our adver^H^H^H^Hcontent...
(Score: 2) by q.kontinuum on Wednesday July 29 2015, @05:19AM
Actually, the operating system should allow me to do exactly that, and guarantee that only the user-account running the executable is at risk. That is the very basic concept of any multi-user operating system. (BTW: When you want to send me the binary, make sure it is wine-compatible...)
This is only a minor point compared to the previous one, but there are many web-based services requiring JavaScript, and many workplaces depending on those web-based services. I'm not 100% sure and not willing to go through all these services just to try, but IIRC, I had to enable JavaScript to use Gerrit, Jenkins, JIRA, Confluence, Webmail and many other services essential for my daily work. This might be mitigated by switching to other services, but for now, this is still a very serious problem.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @09:05AM
Why is webmail essential to your daily work? What's wrong with SMTP/IMAP and a dedicated mail application? I consider webmail a crutch for situations where no proper mail application is available.
(Score: 2) by q.kontinuum on Wednesday July 29 2015, @10:55AM
Because the webmail I have to use is outlook.com, with calendar etc. I prefer to use Linux instead of Windows, and didn't yet find a good, free outlook-alternative. I could use Windows as well, but I don't like it, and in regards of security I feel it would kind of defeat the purpose...
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @03:38PM
Really, you failed to find Thunderbird? You also failed to find the Lightning and Exchange EWS add ons for Thunderbird?
My goodness you must suck at your job
(Score: 2) by q.kontinuum on Wednesday July 29 2015, @04:21PM
No, I used it temporarily. Only the plugins didn't work as expected, Thunderbird kept eating 100%CPU and kept crashing once twice a day.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 1, Insightful) by Anonymous Coward on Wednesday July 29 2015, @04:31PM
The problem with javascript is the laziness of developers in designing sites that require it to provide basic services to the site visitor. I browse SN all the time with JavaScript disabled, and the site functions.
Heck, even Amazon is somewhat functional with JavaScript disabled.
For most web developers, everything is a nail and JavaScript is the hammer.
It is poor design that an article or image link to one's site does not render the article or image unless JavaScript is enabled.
Design and implementation should have focus on what can be achieved with plain HTML and CSS, with JavaScript only done to enhance and optimize the experience. This approach actually tends to make the site easier to maintain due to reduced complexity of lots of JavaScript. I.e. What may take more time in the design phase of providing a non-JavaScript-enabled functional site, is saved in the maintenance costs of maintaining a large JavaScript code base, which still requires browser-specifc handling despite the state of current standards. There is also the benefit of making the site more accesible to the myriad of devices and user types.
(Score: 2, Interesting) by Anonymous Coward on Wednesday July 29 2015, @10:08AM
I get full site functionality here with NO javascript enabled, which gives me warm fuzzies.
If I go anywhere else, I'm hitting "Temporarily allow..." 4-5 times (NoScript) per page, which reminds me of what a javascript cesspool the web has become.
I suspect I'm not alone. Let's keep that in mind as we grow/evolve the site.
(Score: 1, Disagree) by Anonymous Coward on Wednesday July 29 2015, @11:11AM
Indeed, Javascript should be used to *enhance* the user experience, not *provide* it.
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @10:14AM
maybe this could be made into a "auto-more" exploit for stock trading websites?