
Serious Security: Rowhammer is back, but now it’s called SMASH
2021-04-19 12:26

Well, it's back, and this time it's called SMASH. Rowhammering is a reliability problem that besets many computer memory chips, notably including the sort of RAM in your laptop or mobile phone.

Bluntly put: using a rowhammer attack, you can make modifications, albeit haphazardly, to memory that has nothing to do with you, just by reading repetitively from memory that's allocated to your program.

Reading data out of special internal storage called a cache, located physically on the CPU itself, is much faster than reading from RAM, and that cache is the first mitigating factor: reading the same memory address over and over doesn't automatically cause the RAM circuitry to be activated over and over again, because the cached value is used for the second and subsequent accesses instead. The second mitigating factor is that almost all computer RAM today is what's known as DRAM, where the D stands for dynamic, meaning that the memory contents are periodically refreshed rather than held statically.

As for exploiting the rowhammer issue in a browser, where you have to rely on code written in JavaScript and therefore have no direct control over allocating memory at all, you might think that it would be impossible.

Timing plays a part in rowhammer attacks not only because of the 64-millisecond "DRAM refresh clock" that is always ticking in the background, but also because timing memory accesses lets you differentiate cached memory access from uncached access, which leaks information about what data lives where in RAM, helping you to organise your data layout for the attack.

Linux THP (Transparent Huge Pages) means that when a program asks for memory, the operating system can choose to allocate it in chunks of either 4KB or 2MB. The SMASH attack relies on a 2MB JavaScript buffer allocated all in one "huge" memory page, so that the attackers can be sure in advance that it will be assigned to one contiguous block of memory cells on the RAM chip itself, and will therefore span multiple adjacent DRAM rows.
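Because the attack as described depends on the kernel transparently handing out 2MB pages, the first thing a defender will want to check on a Linux host is the THP mode. The script below is an added example, not code from the article or from the SMASH researchers; it assumes the standard sysfs location of the THP setting and that a mode of "always" is the one under which a large anonymous allocation such as the 2MB buffer is automatically backed by a huge page, while "madvise" or "never" restricts that behaviour. When the sysfs file is not present (for instance on a non-Linux machine), it falls back to a constructed sample line so the parsing can still be exercised.

```shell
#!/bin/sh
# Added example (not from the Naked Security article): report the Linux
# Transparent Huge Pages (THP) mode that SMASH relies on for its 2MB page.
# Assumption: this is the standard sysfs path for the THP setting.
THP_FILE="/sys/kernel/mm/transparent_hugepage/enabled"

# The sysfs file reads like "always [madvise] never"; the bracketed word
# is the active mode. Extract just that word.
thp_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Classify the mode from a defender's point of view: "always" means any
# sufficiently large anonymous allocation (such as a 2MB JavaScript buffer)
# may be backed transparently by a single huge page, which is the
# precondition the article describes. "madvise" and "never" restrict that.
thp_risk() {
    case "$(thp_mode "$1")" in
        always)        echo "exposed" ;;
        madvise|never) echo "restricted" ;;
        *)             echo "unknown" ;;
    esac
}

# Read the live setting when available; otherwise use the supplied
# fallback line (a constructed sample for systems without sysfs).
report_thp() {
    if [ -r "$THP_FILE" ]; then
        line=$(cat "$THP_FILE")
    else
        line="$1"
    fi
    printf 'THP setting: %s -> %s\n' "$line" "$(thp_risk "$line")"
}

# Constructed sample line, only used when the sysfs file is absent.
report_thp "always [madvise] never"
```

On a host that reports "exposed", the usual hardening step is to switch the mode to madvise or never (for example via the kernel command line or by writing to the same sysfs file at boot); whether that is acceptable depends on workloads that benefit from huge pages, so treat the output as a finding to review rather than an automatic change.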


News URL

https://nakedsecurity.sophos.com/2021/04/19/serious-security-rowhammer-is-back-but-now-its-called-smash/