Drive-by Rowhammer attack uses GPU to compromise an Android phone

Enlarge (credit: John Karakatsanis / Flickr)

Over the past few years, there has been a steady evolution in Rowhammer, the once largely theoretical attack that exploits physical defects in memory chips to tamper with the security of the devices they run on. On Thursday, researchers are unveiling the most practical demonstration yet of Rowhammer's power and reach: an exploit that remotely executes malicious code on Android phones by harnessing their graphical processors.

Dubbed GLitch, the exploit is the first to show that GPUs can flip individual bits stored in dynamic random-access memory. The advance gives attackers greater flexibility over previous techniques that relied solely on CPUs. It's also the first Rowhammer attack that uses standard JavaScript to compromise a smartphone, meaning it can be executed when users do nothing more than visit a malicious website. Another key innovation: on average, GLitch takes less than two minutes to compromise a device, a significant improvement over previous Rowhammer exploits.

GLitch gets its name and idiosyncratic capitalization because it uses the WebGL programming interface for rendering graphics to trigger a known glitch in DDR3 and DDR4 memory chips. The term Rowhammer was coined because the exploit class accesses-or "hammers"-specific memory blocks known as rows inside a chip thousands of times per second. Attackers use it to alter crucial pieces of data by changing zeros to ones and vice versa. The physical weakness is the result of ever smaller dimensions of the silicon. With less space between each DRAM cell, it becomes increasingly hard to prevent one cell from interacting electrically with its neighbors.

Read 23 remaining paragraphs | Comments