Wednesday, July 29, 2015

Rowhammer, now with JavaScript: security breach through a software attack … – Heise Newsticker



In a Rowhammer attack the attacker hammers on a memory region for long enough that bits in adjacent cells flip. This can be used to crash systems and even to gain admin rights. Remarkably, it also works with JavaScript delivered over the Internet.

In March, a publication by a number of Google researchers caused a stir: bits in DRAM chips can be forced to flip, and attackers can use this to crash the victim's computer or even to gain admin privileges. Now researchers at Graz University of Technology and the company Technicolor have managed to port the so-called Rowhammer attack to JavaScript. This means memory can be mistreated remotely whenever the victim visits a malicious website. The risk of a targeted attack in everyday use is still limited, but if the attacker merely wants to corrupt data in systems or crash them, the floodgates are open, and not only for x86 but in principle also for ARM and other architectures.



JavaScript is awesome

In their version of the attack, the Google researchers had used Chrome's Native Client (NaCl) feature to issue the CLFLUSH instruction of the x86 instruction set. With it they hammered on a certain memory region until a critical bit in an adjacent cell, to which they actually had no access, flipped. To prevent this, Google promptly removed CLFLUSH support from NaCl. In addition, the Linux developers strengthened the kernel's safeguards against memory manipulation.

Whether these measures actually prevent the attack was questioned shortly after the discovery of Rowhammer, and the Google developers conceded that alternatives exist. Thanks to Rowhammer.js this question is now moot, because the JavaScript attack bypasses such restrictions entirely. The researchers use clever timing and knowledge of the attacked CPU's cache architecture to access a specific memory area directly, without the accesses being served from the cache. Their adaptive cache eviction strategy partly guesses which processor and which memory configuration the target system is fitted with. A tailored access sequence then works for most Haswell and Ivy Bridge systems, and somewhat less well for Sandy Bridge systems.



Practical use limited

From the paper one can conclude that the researchers tested on a Linux system that provides transparent huge pages, i.e. a relatively modern kernel, because that way JavaScript in Firefox 39 is handed 2-MByte pages, which the authors' program exploits.

On Windows systems this should rarely be the case by default, because it is not possible without the "Lock pages in memory" right first being granted through administrator intervention. In addition, according to the authors, at least for Haswell processors the refresh rate of the memory must be reduced in the BIOS so that it becomes more prone to memory errors. All this reduces the number of vulnerable systems and makes the Rowhammer.js attack less practical for targeted attacks than it appears at first glance.

Protecting yourself

One is presumably only safe from flipping bits when using RAM with error correction (ECC memory), which is built mainly into server systems. Anyone who wants to experiment with the JavaScript version of Rowhammer themselves should by all means do so on a test system or with a live Linux, because hammering indiscriminately on memory can break things in the system.
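As an added example that is not part of the Heise article or the researchers' work: a POSIX shell script that reads two of the preconditions named above, transparent huge pages enabled and no ECC memory, from the standard Linux sysfs locations and reports a rough exposure level. THP_FILE and EDAC_DIR are assumed override variables so the functions can be run against copies of those files.

```shell
#!/bin/sh
# Added example: report whether a Linux host shows the Rowhammer.js preconditions
# named in the article (transparent huge pages on, no ECC). Heuristic only.

# Extract the active THP mode from the bracketed token,
# e.g. "always [madvise] never" -> madvise
thp_mode() {
    # $1: path to transparent_hugepage/enabled (standard sysfs file)
    [ -r "$1" ] || { echo "unknown"; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# Count EDAC memory controllers (mc0, mc1, ...); zero means the kernel
# reports no ECC-capable controller, so bit flips would go unnoticed
ecc_controllers() {
    # $1: path to /sys/devices/system/edac/mc (standard sysfs directory)
    [ -d "$1" ] || { echo 0; return 0; }
    n=0
    for d in "$1"/mc[0-9]*; do
        [ -d "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# Combine both checks: "exposed" when THP is always on and no ECC controller
# exists, "ecc-protected" when EDAC sees a controller, otherwise "reduced"
assess() {
    mode=$(thp_mode "$1")
    ecc=$(ecc_controllers "$2")
    if [ "$mode" = "always" ] && [ "$ecc" -eq 0 ]; then
        echo "exposed"
    elif [ "$ecc" -gt 0 ]; then
        echo "ecc-protected"
    else
        echo "reduced"
    fi
}

# THP_FILE and EDAC_DIR are assumed override variables for testing on copies
assess "${THP_FILE:-/sys/kernel/mm/transparent_hugepage/enabled}" \
       "${EDAC_DIR:-/sys/devices/system/edac/mc}"
```

The EDAC check only tells you whether the kernel exposes an ECC-capable controller; it does not change the article's advice to experiment on a test system.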

Andreas Stiller provides more background and details on the Rowhammer attack on ct.de.

(fab)
