SMASH

SMASH is a new JavaScript-based attack that gives the attacker an arbitrary read and write primitive in the browser. It does not rely on software vulnerabilities or bugs, but instead takes advantage of the much harder to mitigate Rowhammer bug in hardware to initiate the exploit chain.

However, exploiting the Rowhammer bug to trigger bit flips is not an easy task. Modern memory modules come equipped with a dedicated in-memory defense against Rowhammer, called Target Row Refresh (TRR). Although previous work has shown that TRR is vulnerable to more advanced access patterns than ordinary double-sided Rowhammer, constructing such patterns from inside high-level JavaScript is difficult.

SMASH demonstrates, however, that it is not impossible to build fast, Rowhammer-inducing, and TRR-evading access patterns through cache eviction, without relying on low-level flushing instructions such as CLFLUSH. In addition, our research yielded a new insight about TRR. We were able to synchronize memory requests with the refresh commands sent to DRAM by the memory controller, allowing for very fine-grained control of when and which addresses are exposed to TRR—and therefore also when and which addresses are not.

Our work confirms that the Rowhammer bug continues to threaten Web users. Worse still, our insights on synchronization show that the attacker has more control than previously thought, and will make it even harder to build the proper Rowhammer defense we need as long as the bug itself persists.

Please find below a quick demo of our ability to trigger bit flips on TRR-enabled DDR4, through JavaScript.

Show me the Code!

You can grab the code for SMASH at https://github.com/vusec/smash.

Demo

Papers

FAQs

What are the differences compared to previous Rowhammer attacks?
Rowhammer exploits in the browser are no news. Rowhammer.js, Dedup est Machina, and GLitch already show the possibility of exploiting the Rowhammer vulnerability from the browser.
So whatā€™s the news? As it turns out, modern DDR4 chips embed in-DRAM Rowhammer mitigations. . In fact, in TRRespass we show how well-known Rowhammer access patterns no longer generate bit flips and how more aggressor rows are now required to fool the in-DRAM Target Row Refresh (TRR) mitigations. In SMASH, we tackle these issues (which normally prevent you from exploiting Rowhammer in the browser) and show that it is still possible to trigger bit flips from JavaScript. In addition, we show one can weaponize these bit flips (akin to GLitch) to obtain a bug-less (at least in software) arbitrary r/w primitive in the latest version of the Firefox browser in less than 15 minutes. 

How can SMASH be mitigated? 
SMASH relies on THP for crafting self-evicting patterns and on pointer corruption for pivoting to a counterfeit object. Disabling THP or ensuring pointers integrity would stop the current version of the attack. However, while disabling THP would lead to performance loss, protecting integrity of pointers can be done in software or in hardware. However, these solutions only stop the current instance of SMASH. We believe that bit flips are still exploitable and new attack vectors may be discovered.

Am I in danger?
First off, you should check if your system is affected by the Rowhammer bug. Then, if the THP interface is enabled in your system, then there is a good probability that your system is exploitable from the browser.

Acknowledgements

We thank our shepherd Vasileios Kemerlis and the anonymous reviewers for their valuable feedback. This work was supported by the European Unionā€™s Horizon 2020 research and innovation programme under grant agreements No. 786669 (ReAct) and No. 825377 (UNICORE), by Intel Corporation through the Side Channel Vulnerability ISRA, by the Netherlands Organisation for Scientific Research through grants NWO 639.021.753 VENI ā€œPantaRheiā€, and NWO 016.Veni.192.262. This paper reflects only the authorsā€™ view. The funding agencies are not responsible for any use that may be made of the information it contains.