The attack lowers the bar for pulling off so-called rowhammer attacks, which flip bits in physical memory to break through built-in security protections.
The researchers note that most defenses against rowhammer attacks have focused on protecting CPU cores, and show that GPUs that are integrated with CPUs — common on mobile system on chips — are another attack avenue.
“We demonstrate the potential of such attacks by bypassing state-of-the-art browser defenses and presenting the first reliable GPU-based rowhammer attack that compromises a browser on a phone in under two minutes,” the researchers from Vrije Universiteit in Amsterdam write in a new paper.
A year after rowhammer attacks were first reported in 2014, researchers at Google Project Zero drew attention to vulnerabilities affecting dozens of x86 laptops, using bit flips in DRAM to escalate privileges.
The rowhammer problem is the result of shrinking DRAM cells, which has made it harder to stop accesses to memory at one address from corrupting data stored at another.
The work demonstrated that repeated toggling of a DRAM row’s wordline — rowhammering — “stresses inter-cell coupling effects that accelerate charge leakage from nearby rows”, resulting in ‘bit flips’ where a cell’s value changes from 1 to 0 or vice versa.
As noted by Carnegie Mellon University’s CERT, the GLitch attack comprises two parts: a side-channel to determine the layout of the physical memory address space; and a rowhammer attack that targets the design of DRAM memory.
The two attacks are then combined with the WebGL application programming interface (API), which is used for rendering web graphics in browsers. It also relies on browser support for precision WebGL timers, which allow the side-channel to leak memory addresses.
Meanwhile, the GPU allows for “fast double-sided DRAM access, enabling the rowhammer attack”.
The researchers showed that it was possible to use the technique to bypass the Firefox sandbox on Android.
“The precise timing capabilities provided by WebGL can allow an attacker to determine the difference between cached DRAM accesses and uncached DRAM accesses,” explained CERT researchers Will Dormann and Trent Novelly.
“This can allow an attacker to determine contiguous areas of physical DRAM memory. Knowledge of contiguous memory regions is used in a number of microarchitectural attacks, such as rowhammer.”
Precision timers have been disabled in Chrome and Firefox on Android to mitigate the attacks.
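As an added illustration of why removing the precise timer matters (this is constructed example code, not from the article or the GLitch paper), the model below measures two hypothetical access latencies through a clock of adjustable resolution and checks whether a single reading still tells them apart. The latency values and the 5 µs grain are assumptions, not figures from the paper or from either browser.

```javascript
// Added example, not code from the article or the GLitch paper: a constructed
// model of why a coarse timer blunts the cached-vs-uncached DRAM timing channel.

// Hypothetical access latencies in microseconds: a hit served from cache/row
// buffer versus an access that goes out to DRAM. Real numbers depend on the SoC.
const CACHED_US = 0.05;
const UNCACHED_US = 0.3;

// Read a timestamp from a clock whose resolution is `grainUs` microseconds.
// A precise timer has a tiny grain; a mitigated timer has a coarse one.
function readClock(trueTimeUs, grainUs) {
  return Math.floor(trueTimeUs / grainUs) * grainUs;
}

// Elapsed time of one access as seen through that clock. `phaseUs` is where
// inside the current clock tick the access starts (constructed; not controllable).
function measuredLatency(latencyUs, grainUs, phaseUs) {
  return readClock(phaseUs + latencyUs, grainUs) - readClock(phaseUs, grainUs);
}

// Decide from a single measurement whether the access was cached, using a
// threshold halfway between the two expected latencies.
function classify(elapsedUs) {
  return elapsedUs > (CACHED_US + UNCACHED_US) / 2 ? "uncached" : "cached";
}

// Fraction of single measurements classified correctly, sweeping the start
// phase evenly across one clock tick. 1.0 means the channel leaks perfectly;
// about 0.5 means one measurement tells the observer almost nothing.
function singleShotAccuracy(grainUs, samples = 1000) {
  let correct = 0;
  for (let i = 0; i < samples; i++) {
    const phase = (i / samples) * grainUs;
    if (classify(measuredLatency(CACHED_US, grainUs, phase)) === "cached") correct++;
    if (classify(measuredLatency(UNCACHED_US, grainUs, phase)) === "uncached") correct++;
  }
  return correct / (2 * samples);
}

console.log("1 ns timer:", singleShotAccuracy(0.001)); // 1: every access distinguishable
console.log("5 us timer:", singleShotAccuracy(5));     // about 0.52: close to guessing
```

Coarsening only reduces the information in each sample rather than removing it, which is why a coarse resolution on its own is not a complete fix and browsers add jitter or, as the article notes, withdraw the precise timer altogether.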