en

The VICE Channels

    DRAM circuit. Image: Dick Thomas Johnson/Flickr

    Rowhammer.js Is the Most Ingenious Hack I've Ever Seen

    Written by

    Alix Jean-Pharuns

    Editorial Intern

    Software exploits have become routine. People’s private data gets stolen, it makes the news for a bit, a company releases a software patch that just barely fixes the problem, rinse, repeat. But every so often one comes along that’s so damn cool, you have to sit and marvel at how someone pulled it off.

    Late last week three security researchers released a paper describing a proof of concept exploit they developed. They’ve called it Rowhammer.js, and it’s a piece of JavaScript code that can escape a web browser’s security sandbox and gain access to the physical memory of your computer.

    The bad news is that if your computer is vulnerable, it’s a hardware issue, and there’s very little you personally can do about it. No software patches are coming to the rescue any time soon. The good news is that this hack is so complicated to pull off, you’re probably safe just from its level of difficulty alone.

    So what exactly is Rowhammer.js? While it still needs to be tested further, the researchers claimed it is the “first remote software-induced hardware-fault attack” in existence, written entirely in JavaScript. In other words, it’s scalable, powerful, takes more than a little luck to pull off, and if you understand how it works, it’s the most clever thing you’ll see all week.

    To understand Rowhammer.js, you have to understand row hammer, the computer phenomenon it takes advantage of. A row hammer exploit is an unfortunate side effect of Dynamic Random Access Memory (DRAM). DRAM is a type of memory that a computer’s CPU uses to store data that it needs to access often and quickly. DRAM systems save each bit of data on individual capacitors which are electrically charged. The binary logic that is the heart of all computing comes from this charge: no charge on a bit reads as 0, a charge past a certain threshold reads as 1.

    It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after

    The great thing about DRAM is we can pack millions of these capacitors on the surface of a chip, in a grid pattern of rows and columns. In most cases the more capacitors a chip has, the faster your CPU can processes operations, but the density of these capacitors poses a problem. The electrical charge of a single capacitor can leak out and affect the charge of its neighbors, changing the binary value of nearby capacitors and and corrupting a computer’s memory in the process. To solve this, a dedicated tool called a memory controller refreshes the charge on the capacitors thousands of times a second to ensure bit values stay correct.

    A row hammer is when a program floods a particular row of bits with data, over and over again. This interrupts a memory controller’s refresh process, causing electrical charges to leak to neighboring rows of bits on purpose, manipulating data that an executable program wouldn’t normally have access to.

    Earlier this year Google security researchers proved it was possible to exploit this corruption to gain access to all of a computer’s physical memory—reading, and maybe rewriting, important system files at will. That’s scary, but also incredibly cool. It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations force open the door you were after.

    However, Google’s exploit relied on code that had to run locally, so up until now a computer would have to have to been compromised already for a row hammer exploit to work. Rowhammer.js changes all of that. Now the entire exploit, from finding the right bit locations, hammering them repeatedly, and corrupting their neighbors, can be done within a web browser, using the scripting language that 89.9% of websites use.

    In other words, an attacker could potentially incorporate this code into the JavaScript code of a website, and every time your browser visited that web page and ran its JavaScript plug-ins, Rowhammer.js does its thing. Coupled with this exploit, a maliciously crafted website could have unfettered access to parts of your computer’s physical memory, an act that modern browsers like Chrome do their best to make sure is impossible. Ingenious.

    Most malware and exploits take advantage of a lack of foresight. Programmers can be especially bad at thinking long-term, and hackers are pretty good at throwing types of data at software that it wasn’t expecting, causing all kinds of trouble. But Rowhammer.js is different. It takes advantage of something we all want: speed. DRAM is packed so densely because we want faster chips, faster processors, faster computers. That density is a feature, not a bug. It means the electrical charge between capacitors needs to be managed very carefully if we don’t want bits of data being corrupted by other bits nearby.

    Row hammer exploits could be negated in two easy ways: with firmware updates that cause DRAM to be refreshed more often, or by deliberately slowing down the JavaScript on web pages so that its code can’t hammer at data bits fast enough for Rowhammer.js to work. As the study notes, both “countermeasures are known but seem unlikely to be practical.”

    This hack is such a perfect blend of intricate math, computer architecture knowledge, and sheer computing power that it’s probably unfeasible for anyone but a nation state actor. Knowing exactly which rows and columns of bits correspond to which locations in memory, and then causing them to flip their charge, takes a level of precision that makes it off limits for most cyber criminals. Ironically, the hack is too good. You’re safe from an almost unstoppable attack because it’s too difficult for most people to pull off.

    As an academic exercise Rowhammer.js is really instructive, and should inform the way we construct memory chips in the future. If it ever becomes feasible in the wild though, it’ll be terrifying. Beautiful, but terrifying.