Security news that informs and inspires

Rowhammer, Android and the Future of Hardware Attacks

Researchers have developed a new version of a hardware-based attack that can compromise an Android phone through the browser using a technique that can flip bits in memory by causing small electrical charge leaks in a chip. The attack is an innovative twist on a known method, but it likely isn’t an imminent threat for most Android owners.

The technique itself, known as Rowhammer, is several years old and researchers have demonstrated its effectiveness against Windows and Linux systems in the past. The new work done by a team at Vrije Universiteit in the Netherlands shows that an attacker can use the technique to exploit an Android-based phone through JavaScript in the Firefox browser. The attack relies on the use of the graphics processing unit (GPU) in a target device, using the cache on the chip to make the attack faster and more reliable.

“We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to ‘accelerate’ microarchitectural attacks (i.e., making them more effective) on commodity platforms. In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript,” the researchers say in their paper, published Thursday.

“These attacks bypass state-of-the-art mitigations and advance existing CPU-based attacks: we show the first end-to- end microarchitectural compromise of a browser running on a mobile phone in under two minutes by orchestrating our GPU primitives.”

The researchers said that most typical users likely won’t see this kind of attack targeting them anytime soon. There is a long list of other attack vectors that are simpler to execute and take far less effort.

“For general users I believe for now this is not a real threat. The likelihood of an attacker exploiting such an advanced exploitation vector is relatively low as of now. It all boils down to simple cost function for the attacker. There's no point to waste time in developing such a complex exploit when you can use lower hanging fruits,” said Pietro Frigo, one of the authors of the paper.

“However, things are changing rapidly. Until last year everyone believed that a remote Rowhammer attack would have taken hours. Now we've proven that it is possible to do it in few minutes (best case scenario under 1 min) on mobile platforms where it was considered completely unfeasible. So this should be seen as the proof of concept that it actually is.”

“As of now there's no software-based mitigation that completely stops the attack."

Rowhammer attacks are highly technical and reliant on the ability to access certain areas of memory over and over again. By doing so, an attacker, under certain circumstances, can cause small electrical charges to leak from the memory locations around a target location, which can in turn cause that bit to change its state. The attack that the team at Vrije University developed allows them to use Rowhammer to exploit a remote user who visits a malicious web site in Firefox on an Android phone. The GLitch attack, as the researchers call it, uses the WebGL library to help build what they call “timing primitives” to get past the security defenses on the phone’s chips, and then determine which specific memory locations they want to target.

“We showed how the GPU provides an attacker with explicit timing sources directly and aids the crafting of new timers—allowing attackers to bypass state-of-the-art defenses from both industry and academia. As long as the JavaScript context can synchronously interact with external contexts such as WebWorkers, WebGL and potentially others (e.g., audio), a diligent attacker can craft new timing sources. Even though disabling some of these interfaces (e.g., SharedArrayBuffer) allows to temporarily mitigate the threat of advanced cache attacks, our homebrewed timers are a demonstration of how tackling the threat posed by timing side channels by besieging timing sources does not represent a viable and long term solution to the issue,” the paper says.

In terms of defenses, Frigo said fixing the Rowhammer problem in general and the attack his team developed requires hardware-based mitigations. Both Mozilla, which makes Firefox, and Google, which maintains the Android code base, have made some changes to mitigate the new exploit, but they don’t completely prevent the GLitch attack.

“As of now there's no software-based mitigation that completely stops the attack. Both Firefox and Chrome deployed mitigations against the timing side-channel attack first step of our attack. These consisted in disabling a specific timer extension (EXT_DISJOINT_TIMER_QUERY) and partially fixing the WebGL specification to make it harder to build high precision timers,” Frigo said.

“However, for now no step has been taken to make it impossible to trigger bit flips from the GPU. We're still communicating with Google about possible solutions. Bottom line, Rowhammer should be fixed in hardware. And while there are some proposed mitigations in hardware (TRR specifically for rowhammer and ECC more in general for memory errors) their effectiveness still need to be proved.”