Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript

@article{Gruss2016RowhammerjsAR,
  title={Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript},
  author={Daniel Gruss and Cl{\'e}mentine Maurice and Stefan Mangard},
  journal={ArXiv},
  year={2016},
  volume={abs/1507.06955}
}
A fundamental assumption in software security is that a memory location can only be modified by processes that may write to this memory location. However, a recent study has shown that parasitic effects in DRAM can change the content of a memory cell without accessing it, but by accessing other memory locations in a high frequency. This so-called Rowhammer bug occurs in most of today's memory modules and has fatal consequences for the security of all affected systems, e.g., privilege escalation…
CAn't Touch This: Practical and Generic Software-only Defenses Against Rowhammer Attacks
TLDR: Detailed evaluation shows that both mitigation schemes can stop available real-world rowhammer attacks, impose virtually no run-time overhead for common user and kernel benchmarks as well as commonly used applications, and do not affect the stability of the overall system.
ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks
TLDR: A software-based defense, ANVIL, is developed, which thwarts all known rowhammer attacks on existing systems and is shown to be low-cost and robust, and experiments indicate that it is an effective approach for protecting existing and future systems from even advanced rowhammer attacks.
Triggering Rowhammer Hardware Faults on ARM: A Revisit
TLDR: A thorough study of the unprivileged ARMv8-A cache maintenance instructions is provided, two previously overlooked reasons to support their use in rowhammer attacks are given, and a previously undiscovered instruction is presented that can be exploited to trigger the rowhammer bug on many ARM-based devices.
RAMBleed: Reading Bits in Memory Without Accessing Them
TLDR: It is demonstrated that Rowhammer is a threat to not only integrity, but to confidentiality as well, by employing Rowhammer as a read side channel, and the first security implication of successfully-corrected bit flips, which were previously considered benign.
NoJITsu: Locking Down JavaScript Engines
TLDR: A novel defense, dubbed NOJITSU, is designed to protect complex, real-world scripting engines from data-only attacks against interpreted code and successfully thwarts code-reuse as well as data-only attacks against any part of the scripting engine while offering a modest run-time overhead of only 5%.
Drammer: Deterministic Rowhammer Attacks on Mobile Platforms
TLDR: It is shown that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses, and the first Rowhammer-based Android root exploit is presented, relying on no software vulnerability, and requiring no user permissions.
A new approach for rowhammer attacks
  • Rui Qiao, Mark Seaborn
  • Computer Science
  • 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)
  • 2016
TLDR: This paper proposes a new approach for rowhammer that is based on x86 non-temporal instructions and is much less constrained for a more challenging task: remote rowhammer attacks, i.e., triggering rowhammer with existing, benign code.
RowHammer and Beyond
We will discuss the RowHammer problem in DRAM, which is a prime (and likely the first) example of how a circuit-level failure mechanism in Dynamic Random Access Memory (DRAM) can cause a practical…
RELOAD+REFRESH: Abusing Cache Replacement Policies to Perform Stealthy Cache Attacks
TLDR: This work presents a methodology to recover the replacement policy and apply it to the last five generations of Intel processors, and shows empirically that the performance of RELOAD+REFRESH on cryptographic implementations is comparable to that of other widely used cache attacks, while its detectability becomes extremely difficult, due to the negligible effect on the victim's cache access pattern.
RowHammer: A Retrospective
  • O. Mutlu, Jeremie S. Kim
  • Computer Science
  • IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
  • 2020
TLDR: A principled approach to memory reliability and security research is described and advocated that can enable us to better anticipate and prevent vulnerabilities in DRAM and other types of memories, as the memory technologies scale to higher densities.

References

Showing 1-10 of 88 references
CAIN: Silently Breaking ASLR in the Cloud
TLDR: A proof-of-concept exploit, CAIN (Cross-VM ASL INtrospection), defeats ASLR of a 64-bit Windows Server 2012 victim VM in less than 5 hours, and it is shown that CAIN reliably defeats ASLR, regardless of the number of victim VMs or the system load.
ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks
TLDR: A software-based defense, ANVIL, is developed, which thwarts all known rowhammer attacks on existing systems and is shown to be low-cost and robust, and experiments indicate that it is an effective approach for protecting existing and future systems from even advanced rowhammer attacks.
Flush+Flush: A Stealthier Last-Level Cache Attack
TLDR: The Flush+Flush attack has a performance close to state-of-the-art side channels in existing cache attack scenarios, while reducing cache misses significantly below the border of detectability, in the first work discussing the stealthiness of cache attacks both from the attacker and the defender perspective.
The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications
TLDR: This attack, which is an extension to the last-level cache attacks of Liu et al., allows a remote adversary to recover information belonging to other processes, users, and even virtual machines running on the same physical host as the victim web browser.
Practical Timing Side Channel Attacks against Kernel Space ASLR
TLDR: This paper shows that an adversary can implement a generic side channel attack against the memory management system to deduce information about the privileged address space layout and can successfully circumvent kernel space ASLR on current operating systems.
FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack
TLDR: This paper presents FLUSH+RELOAD, a cache side-channel attack technique that exploits a weakness in Intel x86 processors to monitor access to memory lines in shared pages, and recovers 96.7% of the bits of the secret key by observing a single signature or decryption round.
Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors
  • Yoongu Kim, Ross Daly, +6 authors O. Mutlu
  • Computer Science
  • 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA)
  • 2014
TLDR: This paper exposes the vulnerability of commodity DRAM chips to disturbance errors, and shows that it is possible to corrupt data in nearby addresses by reading from the same address in DRAM, i.e., by repeatedly activating the same row in DRAM.
Practical Memory Deduplication Attacks in Sandboxed Javascript
TLDR: This work presents the first memory-disclosure attack in sandboxed Javascript which exploits page deduplication, and is not only able to determine which applications are running, but also specific user activities, for instance, whether the user has specific websites currently opened.
Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches
TLDR: An automated attack on the T-table-based AES implementation of OpenSSL that is as efficient as state-of-the-art manual cache attacks and can reduce the entropy per character from log2(26) = 4.7 to 1.4 bits on Linux systems is performed.
Flush+Flush: A Fast and Stealthy Cache Attack
TLDR: The Flush+Flush attack is developed, which runs at a higher frequency and thus is faster than any existing cache attack and is also stealthy, i.e., the spy process cannot be detected based on cache hits and misses, or by state-of-the-art detection mechanisms.