Rowhammer attacks, which were first discovered in 2014, continue to draw the attention of researchers and academics despite the mitigation measures put in place by chip manufacturers and the wider industry.

Intro

  • Dubbed SMASH (Synchronized MAny-Sided Hammering), the attack is triggered by a new JavaScript exploit on modern DDR4 RAM chips.
  • This can give attackers an arbitrary read and write primitive in the browser.
  • The interesting aspect of the new variant is that it does not rely on software vulnerabilities or bugs. Instead, it takes advantage of the mitigations implemented for the previous Rowhammer bug to initiate the exploit chain.

A Brief

  • Rowhammer is an umbrella term for a class of exploits that leverage a fault in hardware design with DDR4 systems.
  • The exploit is induced by performing rapid read/write operations on a memory row over and over again, ultimately causing the loss of data.
  • Multiple methods have been devised to exploit DRAM integrated circuits. These are ECCploit, Rowhammer.js, Throwhammer, JackHammer, and RAMBleed.
  • In response to the findings, industry-wide countermeasures like Target Row Refresh (TRR) were touted to be the ultimate solution. In March 2020, researchers demonstrated that a fuzzing tool called ‘TRRespass’ could be used to make Rowhammer attacks work on DDR4 cards.

From TRRespass to SMASH

  • While TRRespass was achieved using native code, no method was available to trigger such attacks in the browser from JavaScript. This led to the discovery of SMASH, which grants attackers read and write access in the browser.
  • The exploit chain is initiated when a victim visits a malicious website under the adversary’s control or a legitimate website that contains a malicious ad.

Conclusion

  • The new research confirms that the Rowhammer bug continues to be a threat for web users.
  • However, there’s something good in every bad situation, and in this case, researchers claim that exploiting the Rowhammer bug is not an easy task.
  • Additionally, disabling Transparent Huge Pages (THP) would stop the current instance of SMASH.
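
To check whether the THP mitigation mentioned above is in place on a host, the following added example (not from the SMASH researchers or the original article) reads the kernel's THP mode. It assumes a Linux system that exposes the setting at `/sys/kernel/mm/transparent_hugepage/enabled`; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit the Transparent Huge Pages (THP) mode on Linux.
# The sysfs file lists every mode and brackets the active one,
# for example: "always [madvise] never".

# thp_active_mode CONTENT
# Prints the bracketed (active) mode, or nothing if none is found.
thp_active_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# thp_audit FILE
# Returns 0 if THP is disabled, 1 if it is enabled in any form,
# 2 if the file is unreadable or its content is not recognised.
thp_audit() {
    [ -r "$1" ] || { echo "THP state file not readable: $1"; return 2; }
    mode=$(thp_active_mode "$(cat "$1")")
    case "$mode" in
        never)   echo "THP mode: never (disabled)"; return 0 ;;
        madvise) echo "THP mode: madvise (processes can opt in)"; return 1 ;;
        always)  echo "THP mode: always (enabled system-wide)"; return 1 ;;
        *)       echo "THP mode: unrecognised content in $1"; return 2 ;;
    esac
}

# Default path is an assumption about a standard Linux sysfs layout;
# override it with the THP_FILE environment variable if needed.
THP_FILE="${THP_FILE:-/sys/kernel/mm/transparent_hugepage/enabled}"
thp_audit "$THP_FILE" || true

# To disable THP until the next reboot (as root):
#   echo never > /sys/kernel/mm/transparent_hugepage/enabled
# To make it persistent, boot with the kernel parameter:
#   transparent_hugepage=never
```

Disabling THP can reduce performance for memory-intensive workloads, so measure the impact before rolling the change out widely.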