Drive-by Rowhammer Attack Uses GPU To Compromise An Android Phone
In recent years there has been a steady evolution in Rowhammer, the once largely theoretical attack that exploits physical defects in memory chips to tamper with the security of the devices they are used in. On Thursday, researchers are unveiling by far the most practical demonstration yet of Rowhammer's power and reach: an exploit that remotely executes malicious code on Android phones by harnessing their graphics processors. Dubbed GLitch, the exploit is the first to demonstrate that GPUs can flip individual bits held in dynamic random-access memory. The advance gives attackers greater flexibility than previous techniques, which relied solely on CPUs.
It's also the first Rowhammer attack to use standard JavaScript to compromise a smartphone, meaning it can be executed when users do nothing more than visit a malicious website. Another key innovation: on average, GLitch takes under two minutes to compromise a device, a significant improvement over previous Rowhammer exploits. GLitch gets its name and idiosyncratic capitalization because it uses the WebGL programming interface for rendering graphics to trigger a known glitch in DDR3 and DDR4 memory chips.
The term Rowhammer was coined because the exploit class accesses—or "hammers"—specific memory blocks known as rows inside a chip many times per second. Attackers use it to alter crucial bits of data by changing zeros to ones and vice versa. The physical weakness is the result of ever-smaller dimensions in the silicon.
With less space between each DRAM cell, it is increasingly hard to prevent one cell from interacting electrically with its neighbors. Like all the Rowhammer attacks that preceded it, the GLitch proof-of-concept exploit isn't mature enough to pose an immediate threat to most end users. Still, Onur Mutlu, a researcher who cowrote the 2014 paper that introduced Rowhammer as a vulnerability, said: "I think its implications are extremely significant—GPUs are used in all interesting mobile systems, and if the DRAM is vulnerable to Rowhammer, it's possible to exploit that GPU to take over the system.
The fact that the attack is end-to-end and doesn't require the user to install a new app to be carried out makes it even more significant, because the barrier to attack is low. So I think this paper presents an important and very clever demonstration of how the Rowhammer vulnerability can lead to another attack."
The breakthrough in GLitch is its discovery of a whole new way to exploit the Rowhammer vulnerability. To hammer rows, exploits must repeatedly access specific chunks of data stored in DRAM in rapid succession. This hammering can be hampered by the data caches that sit between CPUs and the main memory chips, because the caches store recently accessed data.
A 2015 exploit that used JavaScript to perform Rowhammer on computers overcame this hurdle by using a technique called cache eviction to remove data from the caches. The process ensured that the targeted data was accessed in DRAM rather than in the cache. In 2016, a different team of researchers devised a way to root Android phones using a locally installed app, called Drammer, that exploited Rowhammer.
But that group was unable to implement an eviction-based Rowhammer attack on the mobile OS. The eviction, they concluded, appeared to be too slow to trigger bit flips on Android phones. The GPUs built into most smartphones, by contrast, generally use smaller caches. What's more, the GLitch researchers found, mobile GPU caches have deterministic behaviors that contrast sharply with the random policies implemented in mobile CPUs. These GPU features make cache eviction efficient and fast enough to trigger bit flips in entire classes of devices once considered off limits.
As the researchers put it: "Unlike CPU caches, which are large and optimized for a general-purpose workload by implementing either random or nondeterministic replacement policies, we demonstrate that GPU caches are small and follow a deterministic replacement policy. This allows an attacker to reason about cache hits or misses with great precision, paving the way for fast and reliable side-channel attacks with little noise."
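To make that point concrete, the following cache-set simulator is added here as an illustration; it is not code from the GLitch researchers or from any real cache implementation. It models a single 4-way set under a deterministic replacement policy (FIFO or LRU, standing in for the deterministic behavior the paper attributes to mobile GPU caches) beside a random one (standing in for the nondeterministic policies the paper attributes to mobile CPU caches), and measures how reliably a fixed number of accesses to other lines in the same set evicts a target line. The `ways=4` geometry, the policy names, the tag strings and the fixed seed are constructed assumptions for the demonstration.

```python
import random


class CacheSet:
    """Simulates one set of a set-associative cache.

    A real cache is many such sets, but the eviction reasoning is the same
    for each of them. "random" models nondeterministic replacement (the
    article's description of mobile CPU caches); "fifo" and "lru" model
    deterministic replacement (its description of mobile GPU caches).
    Policy names and geometry are constructed assumptions for this example.
    """

    def __init__(self, ways, policy, rng):
        self.ways = ways
        self.policy = policy
        self.rng = rng
        # For fifo/lru, index 0 is the next victim (oldest / least recently used).
        self.lines = []

    def access(self, tag):
        """Touch one cache line; return True on a hit, False on a miss."""
        if tag in self.lines:
            if self.policy == "lru":          # refresh recency on a hit
                self.lines.remove(tag)
                self.lines.append(tag)
            return True
        if len(self.lines) < self.ways:
            self.lines.append(tag)            # free way, nothing evicted
        elif self.policy == "random":
            self.lines[self.rng.randrange(self.ways)] = tag   # random victim
        else:
            self.lines.pop(0)                 # deterministic victim
            self.lines.append(tag)
        return False


def eviction_rate(policy, ways, n_fillers, trials=1, seed=1):
    """Fraction of trials in which a target line is evicted by n_fillers
    accesses to other lines that map to the same set."""
    rng = random.Random(seed)  # constructed, fixed seed for reproducibility
    evicted = 0
    for _ in range(trials):
        cache = CacheSet(ways, policy, rng)
        cache.access("target")
        for i in range(n_fillers):
            cache.access(f"filler-{i}")
        if not cache.access("target"):
            evicted += 1
    return evicted / trials


if __name__ == "__main__":
    for policy in ("fifo", "lru", "random"):
        for n in (3, 4, 8):
            rate = eviction_rate(policy, ways=4, n_fillers=n, trials=2000)
            print(f"{policy:6s} ways=4 fillers={n}: eviction rate {rate:.2f}")
```

With a deterministic policy the outcome is exact: three conflicting accesses never evict the target and four always do, so an observer can predict every hit and miss from the access sequence alone. With random replacement the same four accesses evict the target only about a quarter of the time, and even eight accesses leave it in place roughly one trial in four (the target survives each of the five post-fill insertions with probability 3/4). That residual uncertainty is the noise the article describes: eviction-based hammering through a CPU cache must repeat and over-provision its accesses, which is what made it too slow on Android, while the deterministic GPU cache removes the guesswork.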
Rowhammer attacks rely on side channels to map out large chunks of memory stored in vulnerable chips. To surgically hammer the rows storing targeted bits, Rowhammer attacks carefully measure the time certain DRAM accesses take. The timing side channels allow the attacks to deduce information about the bits' location within the module. The speed and clarity of GPU-based side channels are key to the success of GLitch. The researchers discovered GPUs' superior Rowhammer capabilities using a novel way to reverse engineer the Snapdragon 800/801 system on a chip, which integrates a CPU and GPU onto the same piece of silicon.