A team of academics from Vrije Universiteit Amsterdam has developed a new attack technique that uses embedded graphics processing units (GPUs), together with browser support for WebGL, to carry out a Rowhammer attack.
The technique is novel in the way that it's the first Rowhammer attack to leverage GPUs to attack the computer's memory.
A Rowhammer attack is one in which an attacker bombards rows of RAM memory cells with constant read-write operations, causing the cells to change their electrical charge, which flips stored data bits from 1 to 0 and vice versa and so alters the information held in a computer's memory.
This type of attack came to light in 2014 and was possible because, in their drive to build larger-capacity RAM, vendors crammed memory cells so close to each other that the "bit flip" effect became possible.
Ever since the first Rowhammer research paper, academics have continued to publish on the topic. Researchers discovered that:
Today, the Systems and Network Security Group at Vrije Universiteit Amsterdam (VUSec) has found another way to execute a Rowhammer attack, and they say this one takes less time to perform compared to older techniques.
Codenamed GLitch, this technique is a combination of a side-channel attack and a Rowhammer attack, according to the CERT/CC team, who issued a vulnerability note today.
The academics used the side channel to determine the physical memory layout, and then used the Rowhammer attack to flip bits and inject malicious commands into RAM.
To perform the side-channel attack, academics leveraged browsers and their support for the WebGL standard.
"The precise timing capabilities provided by WebGL can allow an attacker to determine the difference between cached DRAM accesses and uncached DRAM accesses," CERT/CC's Will Dormann and Trent Novelly explained.
"This can allow an attacker to determine contiguous areas of physical DRAM memory. Knowledge of contiguous memory regions are used in a number of microarchitectural attacks, such as Rowhammer," they said.
To perform the actual Rowhammer attack, this time around the experts used GPUs. The reason they chose GPUs instead of CPUs is that GPUs have simpler data caches, with simpler protections that are also easier to bypass.
GLitch works only on platforms where CPUs and GPUs share the same memory, usually smaller devices such as smartphones and tablets.
For their research paper, the VUSec team chose to run a GLitch attack on Chrome and Firefox running on an Android device.
The GLitch technique was not only successful but also faster than previous Rowhammer attacks, taking just two minutes to compromise the device. That is considered an acceptable window for a modern-day attack, since it is roughly the time a user would spend reading an article on a news site.
The researchers said they only tested their proof-of-concept code on a Google Nexus 5 smartphone, but the exploit code should work on all devices that use a Snapdragon 800 or 801 system-on-chip (SoC). They plan to release more PoCs in the future.
The good news is that according to CERT/CC, "Google Chrome and Mozilla Firefox have released updates which disable high precision timers in the browser." These updates appear to be the same mitigations that both Google and Mozilla have rolled out to protect against exploitation of the Meltdown and Spectre flaws.
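Why coarsening the timer helps, as an added illustration that is not code from the article, VUSec or the browser vendors: the simulation below uses constructed latency values and a simplified rounding timer (the real browser changes also add jitter, and GLitch measured via WebGL rather than performance.now) to show that the cached-versus-uncached distinction CERT/CC describes is easy with a fine timer and collapses to chance with a coarse one.

```javascript
// Constructed latencies in nanoseconds: a cache hit vs. an uncached DRAM access.
const CACHED_NS = 10;
const UNCACHED_NS = 100;

// Small deterministic PRNG so the simulation is reproducible.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(1664525, s) + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

// A timer of limited resolution: readings are rounded to a multiple of
// resolutionNs, the way a browser's coarsened high-resolution timer behaves
// (real mitigations typically add random jitter as well; omitted here).
function coarsen(ns, resolutionNs) {
  return Math.round(ns / resolutionNs) * resolutionNs;
}

// What an observer actually sees: the difference between two timer readings
// around one memory access. Constructed +/-5 ns noise stands in for real jitter.
function observedDelta(trueLatencyNs, resolutionNs, rng) {
  const start = rng() * 1e6;            // arbitrary starting timestamp in ns
  const noise = (rng() - 0.5) * 10;
  const end = start + trueLatencyNs + noise;
  return coarsen(end, resolutionNs) - coarsen(start, resolutionNs);
}

// Classify each access as uncached when the observed delta exceeds the midpoint
// between the two latencies; return the fraction classified correctly.
// Half of the samples are cached accesses, half uncached.
function classifierAccuracy(resolutionNs, samples = 2000, seed = 42) {
  const rng = makeRng(seed);
  const threshold = (CACHED_NS + UNCACHED_NS) / 2;
  let correct = 0;
  for (let i = 0; i < samples; i++) {
    const isUncached = i % 2 === 0;
    const delta = observedDelta(isUncached ? UNCACHED_NS : CACHED_NS, resolutionNs, rng);
    if ((delta > threshold) === isUncached) correct++;
  }
  return correct / samples;
}

console.log("1 ns timer, accuracy:", classifierAccuracy(1));        // ~1.0
console.log("100 us timer, accuracy:", classifierAccuracy(100000)); // ~0.5
```

With the coarse timer the rounded readings almost always differ by zero regardless of whether the access hit the cache, so the classifier is no better than a coin flip.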
More details on the GLitch technique are available in the research paper "Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU."