SMASH: New Javascript Exploit for Rowhammer Attack on DDR4 RAM

SMASH allows attacks on modern DDR4 modules bypassing the security measures taken against Rowhammer over the past seven years.

A group of scientists from the Free University of Amsterdam and the Swiss Higher Technical School of Zurich presented a new version of the Rowhammer attack.

The method, dubbed Synchronized MAny-Sided Hammering (SMASH), allows JavaScript attacks to be carried out on modern DDR4 RAM modules, bypassing all the security measures that electronics manufacturers have adopted against the Rowhammer attack over the past seven years.

According to the researchers, despite the Target Row Refresh (TRR) mitigation implemented in DRAM to protect rows of cells from disturbance during a Rowhammer attack, some modern DDR4 modules remain vulnerable to the many-sided bit manipulation (so-called bit flipping) on which Rowhammer relies.

“SMASH leverages high-level knowledge of cache replacement policies to create optimal access patterns for a preemptive multi-lateral Rowhammer attack. In order to bypass TRR in DRAM, SMASH carefully plans cache hits and misses in order to successfully trigger synchronized multi-way bit flipping,” the experts said.

By synchronizing memory requests with DRAM update commands, the researchers developed an end-to-end JavaScript exploit that could completely compromise the Firefox browser in an average of 15 minutes.

Rowhammer is the generic name for a class of hardware vulnerabilities in DDR4 systems. RAM modules store data in cells, each of which consists of a capacitor and a transistor. These memory cells are laid out on a silicon chip as a matrix of rows and columns. Because capacitors naturally discharge, the cells lose their state over time, so each cell must be periodically read and rewritten (refreshed) to restore the capacitor's charge to its original level. In addition, the higher density of modern DRAM ICs has increased the electromagnetic interaction between neighbouring memory cells, and with it the likelihood of data loss.

In 2014, researchers found that by repeatedly performing rapid read/write operations on a row of cells, electrical noise could be generated that altered data in adjacent rows. Since then, a number of attack variants have been developed: ECCploit, JackHammer, Rowhammer.js, Throwhammer, RAMBleed, Drammer, Nethammer, etc.