Researchers exploit DDR3 leak from web page
Researchers have managed to exploit a bug in DDR3 memory from JavaScript. As a result, any web page can flip bits in memory, even though the browser runs in a sandbox and should not be able to.
The bug, previously dubbed Rowhammer by Google researchers, isn’t new, but Austrian and French researchers have now found a way to exploit it from within a website. They do this by abusing a physical weakness of DDR3 memory.
The researchers built an attack that worked on a system with an Intel Haswell processor, in a browser that runs JavaScript inside a sandbox. The researchers suspect that an attacker could gain root access to the system this way. They managed to exploit the bug in at least Firefox and Chrome.
The problem the researchers expose lies in the physical DDR3 memory itself. Because memory is manufactured at ever smaller scales and memory cells sit closer together, the electrical charge of bits in memory can ‘leak’ into adjacent bits.
It had been known for some time that this was possible, but it had not been demonstrated before that it could also be done from a web page. The vulnerability is present in various models of DDR3 memory, but not in all memory: memory with error-correcting code (ECC) is not affected. DDR4 memory is also not vulnerable. For now this only concerns PCs, but the researchers think that phones need to be investigated as well, because they contain a variant of DDR3 memory.
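Why ECC memory is unaffected by the single-bit flips described above, shown with an added example that is not from the article or the researchers' code: a SECDED Hamming code corrects any one flipped bit in a word and detects two. The data word and flip positions are constructed sample values.

```python
# SECDED Hamming code demo, written for this article (not the researchers' code).
# Shows why ECC memory masks a single Rowhammer-style bit flip and flags two.
def encode(data: int, nbits: int = 8) -> list:
    """Index 0: overall parity; powers of two: Hamming parity; others: data, LSB first."""
    r = 0
    while (1 << r) < nbits + r + 1:
        r += 1
    code = [0] * (nbits + r + 1)
    d = 0
    for i in range(1, len(code)):
        if i & (i - 1):                  # not a power of two: data position
            code[i] = (data >> d) & 1
            d += 1
    for p in range(r):                   # parity bit 2**p covers every index
        mask = 1 << p                    # whose binary form has bit p set
        code[mask] = sum(code[i] for i in range(1, len(code)) if i & mask) & 1
    code[0] = sum(code[1:]) & 1          # overall parity over the whole word
    return code

def flip(code: list, *positions: int) -> list:
    out = list(code)                     # simulate Rowhammer-style flips at the given positions
    for p in positions:
        out[p] ^= 1
    return out

def decode(code: list):
    """Return (data, status); data is None when the error is uncorrectable."""
    code = list(code)
    syndrome = 0
    for i in range(1, len(code)):        # XOR the indices of all set bits
        if code[i]:
            syndrome ^= i
    parity_ok = sum(code) % 2 == 0
    if syndrome == 0 and parity_ok:
        status = "clean"
    elif not parity_ok:                  # odd parity: exactly one flip, and the
        code[syndrome] ^= 1              # syndrome is its position (0 = parity bit)
        status = f"corrected bit {syndrome}"
    else:                                # even parity, nonzero syndrome: two flips
        return None, "uncorrectable double-bit error"
    data, d = 0, 0
    for i in range(1, len(code)):
        if i & (i - 1):
            data |= code[i] << d
            d += 1
    return data, status

if __name__ == "__main__":
    cw = encode(0xA5)                    # constructed sample byte
    print(decode(cw), decode(flip(cw, 6)), decode(flip(cw, 3, 10)))
```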
Because it is a physical vulnerability, software protections against attacks, such as sandboxing and data execution prevention, no longer work. This allows a web page to inject its own code into memory and then execute it. That is a very serious vulnerability, especially because it cannot be fixed in software; only a BIOS update could offer some relief. Building a concrete attack is difficult, however: although flipping bits is possible, the flips also have to happen in the right order.
In this specific case there is a workaround that could limit the impact: running JavaScript more slowly would make the bug harder to exploit. In addition, the researchers recommend that users disable JavaScript, for example via an extension such as NoScript.