Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript

As DRAM has been scaling to increase in density, the cells are less isolated from each other. Recent studies have found that repeated accesses to DRAM rows can cause random bit flips in an adjacent row, resulting in the so called Rowhammer bug. This bug has already been exploited to gain root privileges and to evade a sandbox, showing the severity of faulting single bits for security. However, these exploits are written in native code and use special instructions to flush data from the cache. In this paper we present Rowhammer.js, a JavaScript-based implementation of the Rowhammer attack. Our attack uses an eviction strategy found by a generic algorithm that improves the eviction rate compared to existing eviction strategies from 95.2% to 99.99%. Rowhammer.js is the first remote software-induced hardware-fault attack. In contrast to other fault attacks it does not require physical access to the machine, or the execution of native code or access to special instructions. As JavaScript-based fault attacks can be performed on millions of users stealthily and simultaneously, we propose countermeasures that can be implemented immediately.

Similar Publications

The increasing popular interest in personal telemetry, also called the Quantified Self or "lifelogging", has induced a popularity surge for wearable personal fitness trackers. Fitness trackers automatically collect sensor data about the user throughout the day, and integrate it into social network accounts. Solution providers have to strike a balance between many constraints, leading to a design process that often puts security in the back seat. Read More

A block cipher is a bijective function that transforms a plaintext to a ciphertext. A block cipher is a principle component in a cryptosystem because the security of a cryptosystem depends on the security of a block cipher. A Feistel network is the most widely used method to construct a block cipher. Read More

In this paper we compare the performance of various homomorphic encryption methods on a private search scheme that can achieve $k$-anonymity privacy. To make our benchmarking fair, we use open sourced cryptographic libraries which are written by experts and well scrutinized. We find that Goldwasser-Micali encryption achieves good enough performance for practical use, whereas fully homomorphic encryptions are much slower than partial ones like Goldwasser-Micali and Paillier. Read More

Here, we proposed an improved version of the deterministic random extractors $SEJ$ and $PEJ$ proposed by R. R. Farashahi in \cite{F} in 2009. Read More

In 2003 Dinur and Nissim showed an impossibility result for privacy that if the amount of noise is $o(\sqrt{n})$, then privacy is impossible to achieve (where the output space is binary "Yes" or "No"). $\Omega({\sqrt{n}})$ noise must be added to have at least weak notions of privacy. However, the question has remained open as to whether $O(n)$ noise is able to preserve accuracy in elementary private data operations such as aggregation and averaging in addition to protecting privacy both before and after data aggregation. Read More

While modern day web applications aim to create impact at the civilization level, they have become vulnerable to adversarial activity, where the next cyber-attack can take any shape and can originate from anywhere. The increasing scale and sophistication of attacks, has prompted the need for a data driven solution, with machine learning forming the core of many cybersecurity systems. Machine learning was not designed with security in mind, and the essential assumption of stationarity, requiring that the training and testing data follow similar distributions, is violated in an adversarial domain. Read More

This article presents a proof-of-concept illustrating the feasibility of creating a covert channel between a C\&C server and a malware installed in an organization by exploiting an organization's scanner and using it as a means of interaction. We take advantage of the light sensitivity of a flatbed scanner, using a light source to infiltrate data to an organization. We present an implementation of the method for different purposes (even to trigger a ransomware attack) in various experimental setups using: (1) a laser connected to a stand (2) a laser carried by a drone, and (3) a hijacked smart bulb within the targeted organization from a passing car. Read More

Third party tracking is the practice by which third parties recognize users accross different websites as they browse the web. Recent studies show that 90% of websites contain third party content that is tracking its users across the web. Website developers often need to include third party content in order to provide basic functionality. Read More

In this short paper, we develop a probabilistic algorithm for the elliptic curve discrete logarithm problem. This algorithm is not generic in nature, it uses some properties of the elliptic curve. Read More

Outsourcing integrated circuit (IC) manufacturing to offshore foundries has grown exponentially in recent years. Given the critical role of ICs in the control and operation of vehicular systems and other modern engineering designs, such offshore outsourcing has led to serious security threats due to the potential of insertion of hardware trojans - malicious designs that, when activated, can lead to highly detrimental consequences. In this paper, a novel game-theoretic framework is proposed to analyze the interactions between a hardware manufacturer, acting as attacker, and an IC testing facility, acting as defender. Read More