Is it still possible to run malware in a browser using JavaScript and Rowhammer? Yes, yes it is (slowly)
Boffins from Vrije Universiteit in Amsterdam and ETH in Zurich have bypassed memory chip defenses to execute a successful browser-based Rowhammer side-channel attack dubbed SMASH. Rowhammer refers to a technique that computer security researchers began to explore around 2014: "Hammering" RAM chips with a series of rapid write operations.
Initially, Rowhammer attacks had to be conducted locally, though by 2016 the technique had been refined to work remotely using JavaScript in, say, a web browser.
Memory specifications introduced in 2014 added optional support for a mitigation called Target Row Refresh (TRR), a DRAM command available to memory controllers to refresh memory cell rows adjacent to particularly active areas as a way to prevent corruption.
On Tuesday, some of those same researchers and some new ones - Finn de Ridder, Pietro Frigo, Emanuele Vannacci, Herbert Bos, Cristiano Giuffrida, and Kaveh Razavi - unveiled SMASH, a web-based attack on Mozilla's Firefox browser that overcomes TRR and several challenges associated with executing Rowhammer via JavaScript.
While working to overcome these hurdles they found that rather than blindly generating as many memory access patterns as possible over the shortest period of time, they could achieve better results by scheduling the sequence of cache hits and misses - synchronizing memory requests with DRAM refresh commands - to avoid TRR. "Our work confirms that the Rowhammer bug continues to threaten web users," the researchers say.
"Worse still, our insights on synchronization show that the attacker has more control than previously thought, and will make it even harder to build the proper Rowhammer defense we need as long as the bug itself persists."
News URL
https://go.theregister.com/feed/www.theregister.com/2021/04/15/rowhammer_ddr4/