GLitch

A team of academics from the Vrije University in Amsterdam has developed a new hacking technique that uses embedded graphics processing units (GPUs) and support for WebGL to carry out a Rowhammer attack.

The technique is novel in that it is the first Rowhammer attack to use the GPU, rather than the CPU, to attack the computer's memory.

Past Rowhammer attacks

A Rowhammer attack is one in which an attacker hammers rows of RAM memory cells with constant read-write operations, causing the cells to change their electrical charge, which flips the stored data bits from 1 to 0 and vice versa and so alters the information saved in the computer's memory.

This type of attack came to light in 2014 and is possible because, in their drive to build ever larger RAM modules, vendors crammed memory cells so close to each other that the "bit flip" effect became possible.

Ever since the first Rowhammer research paper, academics have continued to publish on the topic. Researchers discovered that:

- Rowhammer attacks work against DDR3 and DDR4 memory cards
- they can carry out Rowhammer attacks via mundane JavaScript and not necessarily via specialized malware
- they could take over Windows machines by attacking Edge with a Rowhammer attack
- they could use Rowhammer to take over Linux-based virtual machines installed at cloud hosting providers
- they could use a Rowhammer attack to root Android devices
- they could bypass Rowhammer protections put in place after the disclosure of the first attacks

The GLitch attack

Today, the Systems and Network Security Group at Vrije Universiteit Amsterdam (VUSec) has found another way to execute a Rowhammer attack, and they say this one takes less time to perform compared to older techniques.

Codenamed GLitch, this technique is a combination of a side-channel attack and a Rowhammer attack, according to the CERT/CC team, who issued a vulnerability note today.

The academics used the side-channel to determine the physical memory layout, and then the Rowhammer attack to flip bits and inject malicious commands into the RAM.

To perform the side-channel attack, academics leveraged browsers and their support for the WebGL standard.

"The precise timing capabilities provided by WebGL can allow an attacker to determine the difference between cached DRAM accesses and uncached DRAM accesses," CERT/CC's Will Dormann and Trent Novelly explained.

"This can allow an attacker to determine contiguous areas of physical DRAM memory. Knowledge of contiguous memory regions is used in a number of microarchitectural attacks, such as Rowhammer," they said.

GPUs are better at Rowhammer attacks than CPUs

To perform the actual Rowhammer attack, this time around, the experts used GPUs. The reason they chose GPUs instead of CPUs is that GPUs have simpler data caching systems, with simpler protections that are also easier to skirt.

GLitch works only on platforms where CPUs and GPUs share the same memory, usually smaller devices such as smartphones and tablets.

For their research paper, the VUSec team chose to run a GLitch attack on Chrome and Firefox running on an Android device.

A GLitch attack takes only two minutes

The GLitch technique was not only successful but was also faster than previous Rowhammer attacks, taking just two minutes to compromise the device. That time period is considered acceptable for a modern-day hack, as it is roughly how long a user would usually take to read an article on a news site.

Furthermore, GLitch attacks are also easy to carry out, as they only require loading malicious JavaScript code on a user's device, and that code can easily be hidden on a normal web page without the user ever noticing.

Researchers said they only tested their proof-of-concept code on a Google Nexus 5 smartphone, but the exploit code should work on all devices that use a Snapdragon 800 and 801 system-on-chip (SoC). Researchers plan to release more PoCs in the future.

The good news is that according to CERT/CC, "Google Chrome and Mozilla Firefox have released updates which disable high precision timers in the browser." These updates appear to be the same mitigations that both Google and Mozilla have rolled out to protect against exploitation of the Meltdown and Spectre flaws.
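As an added illustration (not code from the article or from the VUSec paper), the simulation below shows why reducing timer resolution blunts the cached-versus-uncached distinction the side channel depends on. The latency values and the 100 µs timer resolution are assumptions chosen for the demonstration, not measurements.

```javascript
// Constructed DRAM access latencies in nanoseconds (assumed order of
// magnitude only; a cached access is far quicker than an uncached one).
const CACHED_NS = 80;
const UNCACHED_NS = 300;

// A hypothetical high-precision timer: returns the true time in ns.
function preciseTimer(ns) {
  return ns;
}

// A coarsened timer: every reading is rounded down to a grid of
// `resolutionNs` (e.g. 100 µs = 100000 ns, an assumed value modelled on
// the browser mitigations that lowered performance.now() precision).
function coarseTimer(resolutionNs) {
  return (ns) => Math.floor(ns / resolutionNs) * resolutionNs;
}

// Times one memory access by reading the clock before and after it.
function measure(timer, latencyNs, startNs) {
  return timer(startNs + latencyNs) - timer(startNs);
}

// The side channel needs a threshold that separates the two classes.
// Returns true only when every cached sample is strictly quicker than
// every uncached sample, i.e. when one measurement classifies reliably.
function separable(timer, samples = 1000) {
  let maxCached = -Infinity;
  let minUncached = Infinity;
  for (let i = 0; i < samples; i++) {
    // Deterministic spread of start offsets so that timer grid boundaries
    // fall at arbitrary points relative to the access.
    const start = (i * 7919) % 1000000;
    maxCached = Math.max(maxCached, measure(timer, CACHED_NS, start));
    minUncached = Math.min(minUncached, measure(timer, UNCACHED_NS, start));
  }
  return maxCached < minUncached;
}

// With the precise timer the classes are separable; with a 100 µs grid
// nearly every access measures as 0 ns and the distinction collapses.
console.log("precise timer separable:", separable(preciseTimer));
console.log("100 us timer separable:", separable(coarseTimer(100000)));
```

Coarsening alone only raises the attacker's cost (more samples, or a different clock source), which is why the browser updates also had to address the WebGL timing primitives the paper relies on.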

More details on the GLitch technique are available in the research paper "Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU."
