back to article Is it still possible to run malware in a browser using JavaScript and Rowhammer? Yes, yes it is (slowly)

Boffins from Vrije Universiteit in Amsterdam and ETH in Zurich have bypassed memory chip defenses to execute a successful browser-based Rowhammer side-channel attack dubbed SMASH. Rowhammer refers to a technique that computer security researchers began to explore around 2014: "hammering" RAM chips with a series of rapid write …

  1. mihares
    Linux

    Well, another problem that could get fixed is the propensity of using browsers as interpreters (oh sorry, JIT compilers) for bad code written by strangers on the internet...

    I know it’s unlikely, but I’ll still be hoping.

    Or just use Lynx: you can still read and comment on El Reg with it, so it means that you don’t need more —if you really want pictures, curl them.

  2. Mike 137 Silver badge

    There are easier ways

    Fifteen minutes using rowhammer. Almost instantaneous using the classic (and obvious) js triggered download of a compromised document that opens in the browser automatically, exploiting a takeover vulnerability.

    This is of course interesting as research, but it's not a very likely attack vector in the real world. Simply because an intelligent attacker uses the simplest method that gets them what they want and there are masses of adequate tools out there to choose from.

    Javascript itself remains a nightmare though. The whole concept of running unverified code from untrusted sources on your systems makes very little sense, and the lack of any security model worth the name in js makes it even more nonsensical.

  3. marcellothearcane

    Intel?

    Didn't Linus Torvalds say that rowhammer is a result of not having consumer-level error-correcting RAM, because Intel liked charging its business customers a premium?

    You can pin the blame on JS for existing, but this attack is viable on pretty much all languages I think, as it's a hardware problem.

    1. mihares

      Re: Intel?

      Seems that ECC doesn’t completely defeat rowhammer attacks, if that’s what you mean.

      https://www.vusec.net/projects/eccploit/

      Although yes, it is annoying that ECC memory is quite expensive. After Xeon processors’ prices started being quoted in kidneys and liver lobes instead of currency, I moved to AMD for my own machine: I should be able to run ECC memory, but I must admit I was not willing to make the investment.

      Anyhow, it’s still possible to run ECC modules without spending tens of thousands on a computer. But it’s difficult for under 3-4k, yes.

  4. LDS Silver badge

    I wonder why they decided to break Firefox and not Chrome....

    Fear of enraging the Chocolate Factory? Being Swiss, they know chocolate (and money) very well....

    1. ThatOne Silver badge
      Devil

      Re: I wonder why they decided to break Firefox and not Chrome....

      Because their research was funded by The Chocolate Factory?

      1. Jad

        Re: I wonder why they decided to break Firefox and not Chrome....

        I'm guessing it's because Firefox is open source and, although Chromium is open-source, the javascript implementation will be "tweaked" in Chrome to not be identical.

        I doubt it's impossible for this to happen in Chrome, I'm guessing that it was just a few steps easier when you can see inside the black box.

        1. chasil

          Ubuntu Chromium snap

          In my last Ubuntu upgrade, my native Chromium install was converted to a snap package, both of which I assume were completely open-source.

          Perhaps Windows users might be confused by a Chromium vulnerability which is likely exploitable in close-source Chome; Firefox production/esr releases are perhaps slightly more straightforward.

          Does anyone even package Chromium for Windows?

  5. PhoenixKebab
    Meh

    Maybe the situation is now better/worse than when they started writing the paper?

    "For our proof of-concept exploit, we target the latest version of the Firefox browser at time of writing (v. 81.0.1) running on Ubuntu 18.04 with the latest updates and Linux kernel 4.15.0-111-generic installed."

    So, early October 2020?

    But some of the bits of Appendix C indicate that the paper was still being worked on in 2021. e.g. "Kali Linux 2021 W02" gets a mention. The references were updated February 2021.

    Wouldn't it be a scientifically sound idea to retest with the latest Firefox, Ubuntu and Linux kernel just before publication and not rely on 4 month old test results.

    1. Michael Wojcik Silver badge

      Re: Maybe the situation is now better/worse than when they started writing the paper?

      Because everyone always runs the latest software, of course.

      And, no, it wouldn't be a sound idea, because there's an excellent chance that you'll continually be playing catch-up as you tweak your exploit for new releases, which come out frequently. Get the research done and get it out so people can build on it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021