Author Topic: DDR3 security breach: even with sandboxed browser, RAM can be manipulated!!!!  (Read 4054 times)


devnullius

  • SCF VIP Member
  • Posts: 3614
  • KARMA: 157
  • Gender: Female
    • SCForum.info
Wow...

DDR3 has a bit-flipping bug... which can be exploited even from within a sandbox!!! :-(

Source (Dutch): http://tweakers.net/nieuws/104476/onderzoekers-misbruiken-ddr3-lek-vanuit-webpagina.html?nb=2015-07-30&u=0900

Found also: http://arstechnica.com/security/2015/08/dram-bitflipping-exploit-for-attacking-pcs-just-add-javascript/

Link to document: http://arxiv.org/pdf/1507.06955v1.pdf

Quote
In March, researchers revealed one of the more impressive if slightly esoteric hacks in recent memory—an attack that exploited physical weaknesses in computer memory chips to hijack the operating system running on them. Now a separate research team has unveiled techniques that make the attack more practical by allowing hacked or malicious websites to carry it out against unsuspecting visitors.


The "bitflipping" attack exploits physical flaws in certain DDR3 chip modules. By repeatedly accessing specific memory locations millions of times per second, attackers can cause zeroes to change to ones and vice versa in nearby memory locations. These bitflips can make it possible for an untrusted application to gain nearly unfettered system privileges or to bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources. Early versions of the attack worked only by running special code that wasn't practical in website environments, making the weakness hard to exploit in large, drive-by-style campaigns.

Last week, researchers published a bitflipping method that relies on JavaScript code used by standard browsers. Rowhammer.js, as the new proof-of-concept attack has been dubbed, is slow, and so far it only works on a Lenovo x230 Ivy Bridge Laptop running default settings and on a Haswell CPU if its refresh interval is increased as gamers sometimes do to increase system performance. And even then, the researchers were unable to use the attack to gain root access. Despite the limitations, however, the modified attack does what has never been done before—achieving a bitflipping attack using nothing more than the JavaScript allowed by every modern browser.

"A remote attacker can hide the attack script in a website and attack any visitor," Daniel Gruss, one of the authors of last week's research paper, wrote in an e-mail. "Thus, it is not a targeted attack on a single machine anymore but an attack on millions of systems simultaneously."

The attack works by rapidly and simultaneously accessing—or "hammering"—two rows of "aggressor" memory cells of vulnerable DRAM DIMMs. When performed correctly, the Rowhammer technique will cause a "victim" region in between the two aggressor locations to flip its bits. A key challenge in getting JavaScript to flip bits was finding a suitable replacement for the clflush instruction, which Google developers recently disabled in the company's Chrome browser. Clflush proved instrumental in rapidly accessing the memory cells of DDR3 DIMMs. In its absence, the latest team of researchers devised an eviction strategy that triggers bitflips on the Lenovo x230 laptop using the Ivy Bridge or modified Haswell CPUs.

Although the researchers still haven't achieved a root exploit, their JavaScript-based bitflipping generally performs on par with the bitflipping from native code. Gruss wrote:

We found that JavaScript performance for our test program is close to our native g++ -O3 compiled code. Thus we were able to perform the same bitflips as in native code in JavaScript, again using our eviction algorithm. Finally, we exploited the fact that on our Linux systems Firefox allocates 2MB pages for large typed JavaScript arrays and generates the eviction set through a timing attack. This allows us to perform the attack completely in the Browser without any external help. What's missing: Currently we are performing the fault attack and cause bitflips—we have not yet implemented a root exploit based on this.

David Kanter, senior editor of the Microprocessor Report, told Ars that some DRAM makers responded to the original Rowhammer research by doubling the refresh rate of vulnerable memory chips. The new research suggests that to truly fix vulnerable memory DIMMs, the rate may have to be increased eight fold. A change of that magnitude probably isn't practical, Kanter said, and besides, most end users avoid hardware updates.

The takeaway is that browser-enabled bitflipping attacks aren't yet practical, but they may become a viable threat to some percentage of users in the coming years, at least under certain circumstances.

Old news I see now, but still... I'm shocked! Real NSA sheit this!
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuiusvis hominis est errare, nullius nisi insipientis in errore perseverare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

Samker's Computer Forum - SCforum.info
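The quoted article says vendors answered the original Rowhammer research by doubling the DRAM refresh rate, while the newer work suggests an eight-fold increase might be needed. The following toy model is an added illustration of that trade-off; it is not code from this thread, the Ars Technica article or the Rowhammer.js paper. It treats one refresh window as a budget of row activations and assumes a victim row flips once that budget reaches a flip threshold. The 64 ms window and 50 ns per activation are typical DDR3-order figures used as assumptions, and the flip threshold is a constructed value chosen so the model reproduces the article's "eight fold" conclusion; none of these are measurements.

```python
"""Toy model of the Rowhammer refresh-rate trade-off described in the article.

Added illustration, not code from the forum post, the article or the paper.
A refresh window is modelled as a budget of aggressor-row activations; a victim
row is assumed to flip when the activations in one window reach a threshold.
All numbers are assumptions (see the docstring of DramModel).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DramModel:
    # Assumed baseline refresh window (a common DDR3 spec value, not measured).
    refresh_window_ms: float = 64.0
    # Assumed minimum time per row activation (a tRC-like figure, not measured).
    activation_ns: float = 50.0
    # Constructed threshold: activations per window assumed to flip a victim row.
    flip_threshold: int = 200_000


def activations_per_window(model: DramModel, refresh_multiplier: float = 1.0) -> int:
    """Activations that fit into one refresh window when refresh runs
    `refresh_multiplier` times faster than baseline (2.0 = doubled rate)."""
    window_ns = model.refresh_window_ms * 1e6 / refresh_multiplier
    return int(window_ns // model.activation_ns)


def flip_possible(model: DramModel, refresh_multiplier: float = 1.0) -> bool:
    """True if a full window still leaves enough activations to reach the threshold."""
    return activations_per_window(model, refresh_multiplier) >= model.flip_threshold


def minimum_refresh_multiplier(model: DramModel) -> int:
    """Smallest power-of-two refresh speed-up at which no window allows a flip."""
    multiplier = 1
    while flip_possible(model, multiplier):
        multiplier *= 2
        if multiplier > 1024:  # guard against a model that can never be mitigated
            raise ValueError("threshold unreachable within 1024x refresh")
    return multiplier


def refresh_table(model: DramModel, multipliers=(1, 2, 4, 8)):
    """Per-multiplier summary: (speed-up, activation budget, flip possible)."""
    return [(m, activations_per_window(model, m), flip_possible(model, m))
            for m in multipliers]


if __name__ == "__main__":
    model = DramModel()
    for m, budget, flips in refresh_table(model):
        print(f"refresh x{m}: {budget:>9} activations/window  flip possible: {flips}")
    print("minimum refresh speed-up to close the window:",
          minimum_refresh_multiplier(model))
```

With these assumptions the baseline window allows 1,280,000 activations, doubling the refresh rate still leaves 640,000 (well above the constructed threshold), and only the eight-fold rate drops the budget below it. Changing `flip_threshold` shows how sensitive the required refresh rate is to how "weak" a given module's cells are, which is the practical reason a single fixed refresh bump is hard to trust as a fix.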


Samker

  • SCF Administrator
  • Posts: 7529
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Thanks for The Warning... by the way, do you really believe that this "bug" is somehow related or exploited by the NSA ?? ???

P.S.

I'll reply on your PMs in the next few days... right now, I hurry on The New Year's party! ;)

***Happy New Year and All The Best in 2016. ***


 :bih:

devnullius

  • SCF VIP Member
  • Posts: 3614
  • KARMA: 157
  • Gender: Female
    • SCForum.info
It would be strange if NSA hasn't (tried to) use this... This is Hollywood stuff in my eyes. And I'm pretty certain at least the CIA tried this. Those guys are ADVANCED when it comes to spying :)

And circumventing sandboxes and OS architectures by shifting electrons in RAM... Yeah... That fits in, I feel :)

Devvie

jheysen

  • SCF Global Moderator
  • Posts: 879
  • KARMA: 121
  • Gender: Male
It doesn't seem deterministic enough to be usable anyway :p
