Sign up FAST! Login

Rowhammer security exploit: Why a new security attack is truly terrifying.


Stashed in: JavaScript, Software!, security

To save this post, select a stash from drop-down menu or type in a new one:

Rowhammer.js, a new security attackrevealed in a paper by security researchers Daniel Gruss, Clémentine Maurice, and Stefan Mangard, brings a truly new wrinkle to our understanding of computer vulnerabilities. 

Why is Rowhammer so scary? Because it doesn’t afflict your software but finds a weakness in your hardware, a physical problem with how current memory chips are constructed. So it doesn’t matter whether you’re using Linux, Windows, or iOS: If an Intel chip (or an AMD one, or possibly others) is inside, so is Rowhammer. Incredibly, Gruss, Maurice, and Mangard’s paper reveals how to exploit it from a simple webpage.

As the security researchers explain, it is “the first remote software-induced hardware-fault attack.”

Rowhammer, as the authors write, can cause data to be executed as code: As they put it, “Bit flips caused by row hammering breach the CPU’s memory protection.” What’s new with Rowhammer is how that border is made porous. Rowhammer is not a code bug but a hardware bug, a weakness in a particular set of memory chips. Software, whether it’s Windows or Linux or Firefox or Chrome, can only try to work around the problem to prevent it from being exploited; it can’t fix it. But here, there can’t even be a software hotfix. Which makes Rowhammer an amazing and frightening phenomenon.

Geez, is this for real?! JavaScript attacking hardware??

I thought the Ping o' Death was the first remote software-induced hardware-fault attack?

I think that's right. Was there ever a JavaScript Ping o Death?

You May Also Like: