In March, researchers revealed one of the more impressive if slightly esoteric hacks in recent memory—an attack that exploited physical weaknesses in computer memory chips to hijack the operating system running on them. Now a separate research team has unveiled techniques that make the attack more practical by allowing hacked or malicious websites to carry it out against unsuspecting visitors.
The "bitflipping" attack exploits physical flaws in certain DDR3 chip modules. By repeatedly accessing specific memory locations millions of times per second, attackers can cause zeroes to change to ones and vice versa in nearby memory locations. These bitflips can make it possible for an untrusted application to gain nearly unfettered system privileges or to bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources. Early versions of the attack worked only by running special code that wasn't practical in website environments, making the weakness hard to exploit in large, drive-by-style campaigns.
Last week, researchers published a bitflipping method that relies on JavaScript code used by standard browsers. Rowhammer.js, as the new proof-of-concept attack has been dubbed, is slow, and so far it only works on a Lenovo x230 Ivy Bridge Laptop running default settings and on a Haswell CPU if its refresh interval is increased as gamers sometimes do to increase system performance. And even then, the researchers were unable to use the attack to gain root access. Despite the limitations, however, the modified attack does what has never been done before—achieving a bitflipping attack using nothing more than the JavaScript allowed by every modern browser.